uptime-kuma
Support x509 certificates with subjectAltName for HTTPS checks
⚠️ Please verify that this bug has NOT been raised before.
- [X] I checked and didn't find similar issue
🛡️ Security Policy
- [X] I agree to have read this project Security Policy
Description
Uptime-Kuma tells me that a check failed, because it was unable to verify the first certificate. I was a bit puzzled, since I was able to open the page in my browser and see that it works, and the certificate is fine.
Upon closer inspection, I noticed a potential explanation:
- the server uses a certificate from Letsencrypt, which has multiple domain names in it
- the common name of the subject is not the same as the domain I go to
- the domain is featured in the list of the `subjectAltName` attribute of the certificate
When viewing such a certificate with Chrome, it doesn't even show the entries of `subjectAltName`. So, it looks like the certificate is indeed not valid for this domain, despite the fact that the padlock icon in the address bar is fine. Firefox, on the other hand, shows the other domains this certificate is valid for:
👟 Reproduction steps
Use a Letsencrypt certificate issued for multiple domain names.
👀 Expected behavior
Uptime-Kuma should successfully verify the certificate's validity for the given domain.
😓 Actual Behavior
Uptime-Kuma fails to verify the certificate.
🐻 Uptime-Kuma Version
1.16.0
💻 Operating System and Arch
Ubuntu 20.04 x86
🌐 Browser
Chrome, Firefox
🐋 Docker Version
No response
🟩 NodeJS Version
No response
📝 Relevant log output
2022-05-27T14:31:28.174Z [MONITOR] WARN: Monitor #1 'test': Failing: unable to verify the first certificate | Interval: 300 seconds | Type: keyword
Tested with the website in your profile, cannot reproduce. I'm running natively on Windows.
Thanks for your feedback. I tried it with my domain, and it indeed works, even though the same scenario applies (other domains are given in `subjectAltName`). I guess the root cause is elsewhere.
These are the steps to reproduce the problem with the domain that prompted me to open this issue:
- Create a new monitor, of the type `HTTP(s)`
- Set URL to `https://test dot idphoto dot org` (replace "dot" with actual dots, I'm obfuscating it a bit here to avoid unnecessary attention)
- Make sure `Ignore TLS/SSL error for HTTPS websites` is unchecked
The problem is that you did not include the intermediate certificate bundle provided by Let's Encrypt in your server. Node.js has a strict requirement for this, so it rejected the connection, but browsers are more lenient.
You should concatenate the CA bundle to your cert.
Although your website can be accessed by most modern browsers, older browsers and many programming languages such as Node.js actually cannot access your website.
Please read this for more info: ~https://github.com/louislam/uptime-kuma/issues/1698~ https://github.com/louislam/uptime-kuma/issues/90
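As an added illustration (not part of this issue and not uptime-kuma's own code), the chain problem described above can be reproduced offline with the openssl CLI. The script below builds a throwaway root -> intermediate -> leaf chain whose leaf has a CN different from the monitored name and carries that name only in `subjectAltName`, then verifies the leaf twice: once as a server that sends only the leaf would present it, and once with the intermediate concatenated behind the leaf (the `fullchain.pem` layout). All CA names, the `example.test` hostnames and the `ext.cnf` extension file are constructed for this demo.

```shell
#!/bin/sh
# Added example (not part of uptime-kuma): build a throwaway root -> intermediate -> leaf
# chain with openssl and show why a server that sends only the leaf fails verification
# while one that sends leaf + intermediate passes. All names here are constructed.

WORK=$(mktemp -d)
CFG="$WORK/ext.cnf"

make_chain() {
  cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
# The leaf CN is www.example.test; the monitored name only appears here, in the SAN list
subjectAltName = DNS:www.example.test, DNS:test.example.test
EOF
  # Self-signed root (stands in for the public root store a client trusts)
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 2 \
    -subj "/CN=Demo Root CA" -config "$CFG" -extensions ca_ext >/dev/null 2>&1
  # Intermediate CA signed by the root (the role of the Let's Encrypt chain / ca-bundle)
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/CN=Demo Intermediate CA" -config "$CFG" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -out "$WORK/inter.pem" \
    -extfile "$CFG" -extensions ca_ext >/dev/null 2>&1
  # Leaf (server) certificate signed by the intermediate
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=www.example.test" -config "$CFG" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" \
    -extfile "$CFG" -extensions leaf_ext >/dev/null 2>&1
  # What a correctly configured server sends: the leaf first, then the intermediate
  cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/fullchain.pem"
}

# Verify the leaf for the monitored hostname, trusting only the root store plus
# whatever the server handed over in $1. A strict client such as Node.js does not
# go and fetch a missing intermediate the way browsers do, so this is its view.
verify_served_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" \
    -verify_hostname test.example.test "$WORK/leaf.pem"
}

# Print the leaf's subjectAltName extension (the name being monitored is in here, not in the CN)
leaf_sans() {
  openssl x509 -in "$WORK/leaf.pem" -noout -ext subjectAltName
}

make_chain
echo "--- server sends only the leaf:"
verify_served_chain "$WORK/leaf.pem" || echo "verification FAILED: issuer of the leaf not found"
echo "--- server sends leaf + intermediate (fullchain.pem):"
verify_served_chain "$WORK/fullchain.pem" && echo "verification OK"
```

The first verification fails because the only certificate on offer is the leaf and its issuer (the intermediate) is in neither the served bundle nor the root store; this is the condition a Node.js client surfaces as the "unable to verify the first certificate" line in the log above. The second verification succeeds with the same root store once the intermediate is appended after the leaf, and `-verify_hostname` confirms that a name present only in `subjectAltName` is accepted even though it differs from the CN.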
Aha, I see. Thanks for the hint. @louislam, can you double-check your link? It points to this discussion.
https://github.com/louislam/uptime-kuma/issues/90
We are clearing up our old issues and your ticket has been open for 3 months with no activity. Remove stale label or comment or this will be closed in 7 days.
This issue was closed because it has been stalled for 7 days with no activity.