
Support x509 certificates with subjectAltName for HTTPS checks

Open ralienpp opened this issue 2 years ago • 7 comments

⚠️ Please verify that this bug has NOT been raised before.

  • [X] I checked and didn't find similar issue

🛡️ Security Policy

Description

Uptime-Kuma tells me that a check failed, because it was unable to verify the first certificate. I was a bit puzzled, since I was able to open the page in my browser and see that it works, and the certificate is fine.

Upon closer inspection, I noticed a potential explanation:

  • the server uses a certificate from Letsencrypt, which has multiple domain names in it
  • the common name of the subject is not the same as the domain I go to
  • the domain is featured in the list of the subjectAltName attribute of the certificate

When viewing such a certificate with Chrome, it doesn't even show the entries of subjectAltName. So, it looks like the certificate is indeed not valid for this domain, despite the fact that the padlock icon in the address bar is fine. Firefox, on the other hand, shows the other domains this certificate is valid for: image

👟 Reproduction steps

Use a Letsencrypt certificate issued for multiple domain names.

👀 Expected behavior

Uptime-Kuma should successfully verify the certificate's validity for the given domain.

😓 Actual Behavior

Uptime-Kuma fails to verify the certificate.

🐻 Uptime-Kuma Version

1.16.0

💻 Operating System and Arch

Ubuntu 20.04 x86

🌐 Browser

Chrome, Firefox

🐋 Docker Version

No response

🟩 NodeJS Version

No response

📝 Relevant log output

2022-05-27T14:31:28.174Z [MONITOR] WARN: Monitor #1 'test': Failing: unable to verify the first certificate | Interval: 300 seconds | Type: keyword

ralienpp avatar May 27 '22 14:05 ralienpp

Tested with the website in your profile, cannot reproduce. I'm running natively on Windows.

chakflying avatar May 27 '22 17:05 chakflying

Thanks for your feedback. I tried it with my domain - and it indeed works, even though the same scenario applies (other domains are given in subjectAltName). I guess the root cause is elsewhere.

These are the steps to reproduce the problem with the domain that prompted me to open this issue:

  1. Create a new monitor, of the type HTTP(s)
  2. Set URL to https://test dot idphoto dot org (replace "dot" with actual dots, I'm obfuscating it a bit here to avoid unnecessary attention)
  3. Make sure Ignore TLS/SSL error for HTTPS websites is unchecked

ralienpp avatar May 27 '22 20:05 ralienpp

The problem is you did not include the intermediate certificates bundle provided by Let's Encrypt in your server. Node.js has a strict requirement for this, so it rejected the connection, but browsers are more lenient.

chakflying avatar May 28 '22 06:05 chakflying

You should concat ca-bundle to your cert.

Although your website can be accessed by most modern browsers, older browsers and many programming languages such as Node.js cannot access your website actually.

Please read this for more info: ~https://github.com/louislam/uptime-kuma/issues/1698~ https://github.com/louislam/uptime-kuma/issues/90

louislam avatar May 28 '22 06:05 louislam
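
The diagnosis above (a leaf certificate served without its intermediate is rejected by a strict client even though the leaf itself is valid for the SAN) can be reproduced offline. The following is an added example, not code from Uptime-Kuma or from anyone in this thread: it generates a constructed root, intermediate and leaf in memory, starts a local TLS server that sends either the leaf alone or the leaf plus intermediate, and connects with a Go client that trusts only the root. Like Node.js, Go's client uses only its trust store plus whatever the server sends, so the leaf-only configuration fails with an "unknown authority" error and the full chain succeeds. The hostname `test.example.test` is deliberately present only in subjectAltName, not in the CN, to match the issue's scenario; all names and serial numbers are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// certAndKey holds one generated certificate (DER and parsed) with its private key.
type certAndKey struct {
	der  []byte
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mkCert issues a certificate for tmpl, signed by parent (self-signed when parent is nil).
func mkCert(tmpl *x509.Certificate, parent *certAndKey) (*certAndKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certAndKey{der: der, cert: cert, key: key}, nil
}

// buildChain creates a constructed root -> intermediate -> leaf chain, mirroring
// Let's Encrypt's layout. The leaf's CN differs from the monitored hostname,
// which appears only in subjectAltName (DNSNames).
func buildChain() (root, inter, leaf *certAndKey, err error) {
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), // constructed serial
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		}
	}
	if root, err = mkCert(caTmpl(1, "Constructed Test Root"), nil); err != nil {
		return
	}
	if inter, err = mkCert(caTmpl(2, "Constructed Test Intermediate"), root); err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test", "test.example.test"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = mkCert(leafTmpl, inter)
	return
}

// probe runs one local TLS handshake. The server sends the leaf alone or the
// leaf plus intermediate; the client trusts only the root. It returns whether
// the strict client accepted the chain and, if not, the verification error.
func probe(sendIntermediate bool) (accepted bool, reason string) {
	root, inter, leaf, err := buildChain()
	if err != nil {
		return false, err.Error()
	}
	chain := [][]byte{leaf.der}
	if sendIntermediate {
		chain = append(chain, inter.der) // the "fullchain" the thread recommends
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: leaf.key}}}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err.Error()
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.SetDeadline(time.Now().Add(5 * time.Second))
		_ = tls.Server(c, srvCfg).Handshake() // a peer alert is expected in the failing case
	}()
	pool := x509.NewCertPool()
	pool.AddCert(root.cert) // root only, like a client without cached intermediates
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "test.example.test"}
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err.Error()
	}
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
	if err := tls.Client(raw, cliCfg).Handshake(); err != nil {
		return false, err.Error()
	}
	return true, ""
}

func main() {
	for _, full := range []bool{false, true} {
		ok, why := probe(full)
		fmt.Printf("intermediate sent=%v accepted=%v %s\n", full, ok, why)
	}
}
```

Run it with `go run .`; the leaf-only probe reports a "certificate signed by unknown authority" error, which is Go's counterpart of Node's "unable to verify the first certificate", and the probe with the intermediate included succeeds. The fix on a real server is the same as the thread describes: serve the certificate followed by the CA bundle (Certbot's `fullchain.pem`) rather than the leaf certificate alone.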

Aha, I see. Thanks for the hint. @louislam, can you double-check your link? It points to this discussion.

ralienpp avatar May 28 '22 08:05 ralienpp

> Aha, I see. Thanks for the hint. @louislam, can you double-check your link? It points to this discussion.

https://github.com/louislam/uptime-kuma/issues/90

louislam avatar May 28 '22 09:05 louislam

We are clearing up our old issues and your ticket has been open for 3 months with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot] avatar Sep 12 '22 00:09 github-actions[bot]

This issue was closed because it has been stalled for 7 days with no activity.

github-actions[bot] avatar Sep 20 '22 00:09 github-actions[bot]