Open MarcoWel opened 3 months ago
Alternative Solution:
Add -nameopt RFC2253 parameter to this line:
https://github.com/NginxProxyManager/nginx-proxy-manager/blob/63d06da8a8591e7a9b2a1873eb91ce1c42b2b0f9/backend/internal/certificate.js#L731
Result:
return utils.exec('openssl x509 -in ' + certificate_file + ' -subject -noout -nameopt RFC2253')
This ensures the standardized order of the subject fields where CN is always the first in order.
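The bug reported in this thread is a parser that takes the first subject field to be the CN. As an added example (not part of the thread and not NPM's code), this JavaScript picks the CN out of the openssl x509 -subject output by attribute name rather than by position, so it handles both the default layout and the -nameopt RFC2253 layout; the function names splitRdns and subjectCN are hypothetical.

```javascript
// Added example, not NPM code. The subject lines it is meant for follow the
// "subject=..." output format quoted in this issue.

// Split a DN on "," or "+" separators, ignoring any that are backslash-escaped
// (RFC 2253 style) or inside double quotes (openssl's one-line style).
function splitRdns(dn) {
  const parts = [];
  let cur = '';
  let quoted = false;
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === '\\' && i + 1 < dn.length) {
      cur += ch + dn[++i]; // keep the escape pair intact
    } else if (ch === '"') {
      quoted = !quoted;
      cur += ch;
    } else if ((ch === ',' || ch === '+') && !quoted) {
      parts.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
  }
  parts.push(cur);
  return parts;
}

// Return the CN from a "subject=..." line wherever it sits, or null if absent.
function subjectCN(output) {
  const m = /^subject\s*=\s*(.*)$/m.exec(output);
  if (!m) return null;
  for (const rdn of splitRdns(m[1])) {
    const eq = rdn.indexOf('=');
    if (eq === -1) continue;
    if (rdn.slice(0, eq).trim().toUpperCase() !== 'CN') continue;
    let value = rdn.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // drop surrounding quotes
    }
    return value.replace(/\\(.)/g, '$1'); // undo backslash escapes
  }
  return null; // caller should treat a missing CN as an error, not guess
}
```

A value that merely contains the text "CN =" inside another field (escaped or quoted) is not mistaken for the certificate's CN, which a position-based or loose regex match can get wrong.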
Hi @MarcoWel,
Could this explain why my Exchange Server has just started popping up an ERR_SSL_UNRECOGNIZED_NAME_ALERT error message recently? It's proxied through NPM and has only recently started doing it today.
getCertificateInfoFromFile() function does not parse cert subject correctly.
https://github.com/NginxProxyManager/nginx-proxy-manager/blob/63d06da8a8591e7a9b2a1873eb91ce1c42b2b0f9/backend/internal/certificate.js#L734
It expects the CN as first item (by reading match[1]), which is not always the case.
Example:
openssl x509 -in cert.crt -subject -noout
Output:
subject=C = DE, ST = State, L = City, O = MyOrg, OU = -, CN = *.example.com
When loading such a certificate in NPM it seems to work, but accessing the Proxy leads to an ERR_SSL_UNRECOGNIZED_NAME_ALERT error in the browser.
Fix: Make subject parsing regex more robust. This one should be working: