wildcard certificate problem with custom root CA #6953

Closed
cyberduck opened this issue Nov 8, 2012 · 7 comments
Labels
bug webdav WebDAV Protocol Implementation worksforme

@cyberduck

Andre Kelpe created the issue

I am having a problem with wildcard certificates for WebDAV over HTTPS. Here is the current situation:

I have a server that uses SSL. The certificate used by the server is signed by our own internal root CA. I have installed this root CA in the certificate management on Windows, following the documentation on http://windows.microsoft.com/is-IS/windows-vista/View-or-manage-your-certificates. After that, I verified that IE trusts the certificate of my server signed with this root CA. This works, which means the root CA is correctly installed. After that I tried it with Cyberduck and it does not trust the server at all.

After some googling around, I saw that Cyberduck is written in Java, so I went into the control panel and installed the root CA in the Java configuration thing as well. This still has no effect. Cyberduck keeps on telling me that the cert is not valid, while all other software trusts it.

The hostname of the server is something like foo.secure.example.com and the cert is valid for *.secure.example.com. As I said above, it works with other Windows software, just not with Cyberduck.

What am I doing wrong?



@cyberduck

@dkocher commented

We use native Windows certificate chain validation, therefore settings in Java preferences have no effect.

@cyberduck

@dkocher commented

What is the exact certificate validation error? Just a hostname mismatch or a trust validation failure?

@cyberduck

Andre Kelpe commented

As stated above, I put it in the Windows certificate store as well and it works for IE, so it is installed correctly.

The error I get is 'Certificate is not valid'. See screenshot. (I had to blank out the hostname to protect the innocent.)

@cyberduck

@dkocher commented

Looks like there is an issue with hostname validation trying to match hostname with the common name wildcard in the certificate.
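
The hostname-mismatch case raised in this thread can be checked separately from trust-chain validation. The following is an added example, not part of the original issue and not Cyberduck's code: a Python implementation of RFC 6125-style wildcard matching, run over constructed names modelled on those quoted above. The function names `label_match` and `check_names` are hypothetical, and rejecting partial-label wildcards is an assumed conservative policy.

```python
def label_match(hostname: str, pattern: str) -> bool:
    """True if the certificate name `pattern` covers `hostname`."""
    host = hostname.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(host) != len(pat) or "" in host or "" in pat:
        return False
    if "*" not in pattern:
        return host == pat
    # Assumed conservative policy: the wildcard must be the whole leftmost
    # label, followed by at least two literal labels (so "*.com" is refused).
    if pat[0] != "*" or len(pat) < 3 or any("*" in p for p in pat[1:]):
        return False
    return host[1:] == pat[1:]


def check_names(hostname, san_dns, common_name=None):
    """Return (ok, reason) for the name check only; trust is not evaluated.

    The common name is consulted only when the certificate carries no
    dNSName entries at all (RFC 6125 section 6.4.4).
    """
    if san_dns:
        for name in san_dns:
            if label_match(hostname, name):
                return True, f"matched SAN {name}"
        return False, "hostname mismatch (SAN present, CN ignored)"
    if common_name and label_match(hostname, common_name):
        return True, f"matched CN {common_name}"
    return False, "hostname mismatch"


if __name__ == "__main__":
    # Constructed sample inputs: (hostname, SAN dNSNames, CN).
    cases = [
        ("foo.secure.example.com", [], "*.secure.example.com"),
        ("a.foo.secure.example.com", [], "*.secure.example.com"),
        ("secure.example.com", [], "*.secure.example.com"),
        ("foo.secure.example.com", ["bar.example.com"], "*.secure.example.com"),
    ]
    for host, san, cn in cases:
        print(host, san, cn, "->", check_names(host, san, cn))
```

A name check that passes here while the client still reports an invalid certificate points at the trust chain rather than the wildcard.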

@cyberduck

Andre Kelpe commented

Yes, indeed. Can I give you more information in some way, so that you will be able to tell me what is wrong?

@cyberduck

@ylangisc commented

I have set up a test environment with a self-signed Certificate Authority and issued a wildcard certificate for my test web server. After importing the root certificate into the certificate store 'Trusted Root Certification Authorities' (either user or computer store), Cyberduck did not complain anymore about an invalid certificate. The behavior is as expected.

Is there any chance that you can send me both the root and machine certificate to mailto:feedback@cyberduck.ch? As you don't send me the private keys this is not security critical.

@cyberduck

@dkocher commented

Test in eb2fb85.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021