NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

NPM is not parsing CN from custom certificate correctly #3862

Open MarcoWel opened 3 months ago

MarcoWel commented 3 months ago

getCertificateInfoFromFile() function does not parse cert subject correctly.

https://github.com/NginxProxyManager/nginx-proxy-manager/blob/63d06da8a8591e7a9b2a1873eb91ce1c42b2b0f9/backend/internal/certificate.js#L734

It expects the CN as first item (by reading match[1]), which is not always the case.

Example:

openssl x509 -in cert.crt -subject -noout

Output:

subject=C = DE, ST = State, L = City, O = MyOrg, OU = -, CN = *.example.com

When loading such a certificate in NPM it seems to work, but accessing the Proxy leads to an ERR_SSL_UNRECOGNIZED_NAME_ALERT error in the browser.

Fix: Make subject parsing regex more robust. This one should be working:

const regex = /(?:subject=)?CN\s*=\s*(\S+)/gim;

MarcoWel commented 3 months ago

Alternative Solution: Add -nameopt RFC2253 parameter to this line: https://github.com/NginxProxyManager/nginx-proxy-manager/blob/63d06da8a8591e7a9b2a1873eb91ce1c42b2b0f9/backend/internal/certificate.js#L731

Result:

return utils.exec('openssl x509 -in ' + certificate_file + ' -subject -noout -nameopt RFC2253')

This ensures the standardized order of the subject fields where CN is always the first in order.
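Added example (not part of the thread and not NPM's code): the subject parsing discussed in the two comments above, with the CN looked up by attribute name so the result does not depend on where CN sits in either output form. The `firstAttributeValue` stand-in, the function names and all sample subject lines are constructed for illustration; hex escapes such as `\2C` are not decoded.

```javascript
// Added example, not NPM code. All subject lines below are constructed samples.
const DEFAULT_FMT = 'subject=C = DE, ST = State, L = City, O = MyOrg, OU = -, CN = *.example.com';
const RFC2253_FMT = 'subject=CN=*.example.com,OU=-,O=MyOrg,L=City,ST=State,C=DE';
const QUOTED_FMT = 'subject=O = "MyOrg, Inc.", CN = www.example.com';
const NO_CN = 'subject=C = DE, O = MyOrg';

// Positional stand-in (hypothetical): returns the value of whichever attribute comes first.
function firstAttributeValue(output) {
  const m = /(?:subject=)?[^=]+=\s*([^,\s]+)/i.exec(output);
  return m ? m[1] : null;
}

// Split a DN on separators that are neither backslash-escaped nor inside double quotes.
function splitAttributes(dn) {
  const parts = [];
  let cur = '';
  let quoted = false;
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === '\\' && i + 1 < dn.length) {
      cur += dn[++i]; // drop the backslash, keep the next character as data
    } else if (ch === '"') {
      quoted = !quoted; // quotes delimit a value, they are not part of it
    } else if ((ch === ',' || ch === '+') && !quoted) {
      parts.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
  }
  parts.push(cur);
  return parts;
}

// Return the CN by attribute name, wherever it sits in the subject; null if absent.
function extractCommonName(output) {
  const dn = output.trim().replace(/^subject\s*=\s*/i, '');
  for (const attr of splitAttributes(dn)) {
    const eq = attr.indexOf('=');
    if (eq > 0 && attr.slice(0, eq).trim().toUpperCase() === 'CN') {
      return attr.slice(eq + 1).trim();
    }
  }
  return null; // caller should reject the certificate rather than guess a name
}

for (const s of [DEFAULT_FMT, RFC2253_FMT, QUOTED_FMT, NO_CN]) {
  console.log(firstAttributeValue(s), '|', extractCommonName(s));
}
```

For the constructed default-format line the positional stand-in yields the country code instead of the host name, which is the kind of wrong name that ends in a name mismatch at the proxy.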

SirWobbyTheFirst commented 2 months ago

Hi @MarcoWel,

Could this explain why my Exchange Server has just started popping up an ERR_SSL_UNRECOGNIZED_NAME_ALERT error message recently? It's proxied through NPM and has only recently started doing it today.