RemoteCertificateNameMismatch - I don't want to see this error ever again!!!
I am working on a gRPC project and am attempting to connect two nodes together via https. The likelihood of these nodes being behind a firewall or not part of a domain is probably close to 99.999%. Since I don't have a domain name or a way to get a FQDN for the remote nodes, I am stuck. Let me describe what I am trying to do.
I have a public service which uses a valid GoDaddy certificate. I have it working perfectly in the https configuration. I call this service the directory service as all users register their contact information with the directory so others can find them.
I have another local service, a message service if you will, which will run on someone's local node. It could be grandmother's old PC so we know there is no domain name that can be used. It is there where I am stumped on how to generate a self-signed certificate specifically for that node.
When a local service starts up, it registers its external IP address and a unique port number with the directory service. This can happen for hundreds of users. I am also using UPnP to map a forwarded port in the user's router that will listen on the forwarded port for incoming traffic.
When one user wants to send some content to another user, they do a directory lookup and get the other user's endpoint. They then use that endpoint to issue a gRPC call to send or receive the content the app is designed to send or receive. All of this works as I can see the remote node reacting to the incoming request (via its console) so I know I am making a "connection." I'm just not getting a validated connection.
I am configuring ASP.NET Core (6) and .NET gRPC as the transport mechanism. I see the incoming request. I guess the gRPC routing mechanism is trying to authenticate the request and it fails. I get "The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch"... but what is being mismatched???
When I created my self-signed certificate, I did the following:
- I generate a private key for the root CA
- I then generate a self-signed root CA certificate
- I then use the CA to create the self-signed certificate that each end user will use
Here is the script I use to generate the various certificates:
:: Generate the private key of the root CA
openssl genrsa -des3 -out root-ca.key -passout pass:"123456" 4096
:: Generate the self-signed root CA certificate (the v3_ca extensions come from csr.conf)
openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt -passin pass:"123456" -config csr.conf
:: Review the certificate
openssl x509 -in root-ca.crt -text -noout
:: Create the end user's key and CSR (the v3_req extensions, including the SAN, go into the CSR)
openssl req -newkey rsa:4096 -keyout localhost.key -config csr.conf -out localhost.csr
:: Sign the CSR with the root CA. "openssl ca" needs a [ ca ] section that csr.conf does not
:: define, and "-infiles" must be the last option on its command line, so sign with
:: "x509 -req" instead. The v3_req section must be applied explicitly here: extensions
:: present in the CSR are not copied into the signed certificate by default.
openssl x509 -req -in localhost.csr -CA root-ca.crt -CAkey root-ca.key -passin pass:"123456" -CAcreateserial -days 3650 -extfile csr.conf -extensions v3_req -out localhost.crt
The contents of csr.conf is as follows:
[ req ]
prompt = no
default_bits = 4096
default_days = 3650
# The DN is taken from the [ dn ] section below (a single distinguished_name entry)
distinguished_name = dn
# Extensions used when "req -x509" builds the self-signed root CA certificate
x509_extensions = v3_ca
# Extensions placed into the CSR for the end user's certificate
req_extensions = v3_req
input_password = 123456
output_password = 123456
[ dn ]
C = US
ST = 'Some state'
L = 'Some city'
O = 'Some organization'
OU = 'Some organizational unit'
CN = localhost
emailAddress = [email protected]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = 'machine name and not a FQDN'
IP.1 = 1.2.3.4
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
What is the mismatch? The CN? DNS.1? DNS.2? IP.1???
At the end of the day, all I want to do is encrypt traffic between two nodes that are not in a domain; they likely don't have a publicly available FQDN, and all they have is an external IP address and a port. What am I doing wrong in the construction of this cert???
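Added example (not part of the question or its answers): a POSIX shell version of the same root-CA-plus-leaf setup that puts the node's external IP into the leaf SAN, then runs the IP/hostname name check a TLS client performs using openssl verify. It assumes openssl 1.1.1 or later on PATH; the address 203.0.113.10 and the names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original question): build a root CA and a leaf
# certificate whose SAN carries the node's external IP, then run the same
# name check a TLS client performs. Assumes openssl 1.1.1+ on PATH.
# 203.0.113.10 is a constructed placeholder for the node's external IP.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NODE_IP=203.0.113.10

# Root CA: same extension set as the question's [ v3_ca ] section.
cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Demo Root CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl genrsa -out "$WORK/root-ca.key" 2048 2>/dev/null
openssl req -new -x509 -days 3650 -key "$WORK/root-ca.key" \
    -config "$WORK/ca.cnf" -out "$WORK/root-ca.crt" 2>/dev/null

# Leaf (per-node) certificate. Clients ignore CN once a SAN is present, so the
# address the peer dials must be an IP entry (not a DNS entry) in the SAN.
cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = IP:$NODE_IP, DNS:localhost
EOF
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/node.key" \
    -config "$WORK/ca.cnf" -subj "/CN=node" -out "$WORK/node.csr" 2>/dev/null
openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/root-ca.crt" \
    -CAkey "$WORK/root-ca.key" -CAcreateserial -days 825 \
    -extfile "$WORK/leaf.ext" -out "$WORK/node.crt" 2>/dev/null

# check_peer KIND NAME (KIND = ip | hostname): exit 0 only if the chain
# validates AND NAME matches the SAN; this is the check that surfaces as
# RemoteCertificateNameMismatch on the .NET side when it fails.
check_peer() {
    openssl verify -CAfile "$WORK/root-ca.crt" "-verify_$1" "$2" \
        "$WORK/node.crt" >/dev/null 2>&1
}
```

Dialing the node by the SAN IP or by localhost passes; dialing it by an address not in the SAN, or by the CN alone, is rejected.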