Certificate Common Name Invalid

everner · March 27, 2023, 09:34:12 PM

I am trying to run IMWS behind a private website. I have to access IMWS via https, otherwise I get a mixed content (https and http) blockage. With https I am getting the console message GET https://192.168.1.3:24026/info net::ERR_CERT_COMMON_NAME_INVALID. I have tried my website certificate with common name www.eg-verner.net and a similar certificate with common name IMWS. Before I tried any more, I thought I would ask what the common name should be.

By the way, I am using X Certificate and Key Management to produce certificates for a long time with no problems.

Mario · March 27, 2023, 10:19:57 PM

This message comes from your web browser (not IMWS).
I can only assume that something with your certificate is wrong.

everner · March 29, 2023, 08:49:18 AM

Thanks Mario. That tells me I need to use my website certificate, which is one of the ones I had tried. By the way, I should also let you know that if I brows to https://192.168.1.3:24026/info, and allow the unsecure warnings, I get text output that seems pertinent. After that, it work, but with unsecure warnings in the address bar. Any, I should probably have sent you more of the console output. Here is everything but the 'DevTools failed to load source map' errors:

manifest.json:1 Failed to load resource: the server responded with a status of 404 (Not Found)

manifest.json:1 Manifest: Line: 1, column: 1, Syntax error.

angular.min.js:124 Possibly unhandled rejection: {"data":null,"status":-1,"config":{"method":"GET","transformRequest":[null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"https://192.168.1.3:24026/info","headers":{"Accept":"application/json, text/plain, */*"}},"statusText":"","xhrStatus":"error","resource":{}}
(anonymous) @ angular.min.js:124

192.168.1.3:24026/info:1 Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID

manifest.json:1 Failed to load resource: the server responded with a status of 404 (Not Found)

As I am running everything on one machine, I can't use 443 for the IMWS port because I am using it for the website. Please let me know if the console output suggests anything to you. If not, I am thinking of a mini computer for my smart tv that could also run all the iMatch software, and then use a reverse proxy to bring it to the website.
Thanks, Ed Verner

Mario · March 29, 2023, 09:27:59 AM

ERR_CERT_COMMON_NAME_INVALID

The browser considers the certificate you have configured as invalid. IMWS just "uses" the certificate you have configured and provides it to the browser. And the browser does not accept it. Make sure your self-created or self-configured certificate is valid. A certificate an be usually used only for one specific address. You usually cannot use the same certificate for different services running on the same computer.
I'm no SSL certificate specialist so you might need to google to figure out if you have created and configured your SSL certificate correctly. It appears it does not match the URL you are using for accessing IMWS.

everner · March 30, 2023, 01:21:36 AM

Thanks Mario. I use the host name for the common name in my website certificates, so I tried my computer name, and local ip address. The local ip address doesn't work, but the computer name does. That forces me to use the computer name in the imatchviewer\imatch\config\config.json file. So now my host computer and surface tablet work, as windows has ways of resolving computer names. My Chrome Os devices don't work with error message ERR_NAME_NOT_RESOLVED, but I can live with that. Still waiting on an opportunity to log in from outside my network.

Thanks
Ed Verner

Mario · March 30, 2023, 09:32:52 AM

QuoteMy Chrome Os devices don't work with

Does not support the standard name lookup (computer name => ip) in Windows. Same for MacOs.

QuoteStill waiting on an opportunity to log in from outside my network.

IMWS is not designed to be accessed directly from the Internet. Only access it via a hardened reverse proxy or a VPN.
See the iMWS documentation for more information.

everner · March 31, 2023, 12:08:35 AM

Hi Mario. Thanks for the warning. My website users are friends and family, and I require them to use a client certificate to get past Apache. I learned recently that this is called mTLS. Another advantage, is that Google knows little, if anything about my website. Some of your users may be interested in this approach.

everner · April 04, 2023, 10:33:54 PM

For the record, when testing outside my home network, it dawned on me that JavaScript is sending requests directly from the browser to IMWS, so I changed the imwsUrl in imatchviewer/config/config.json to https://myWebsiteAddress:port/ where port is not 443 since IMWS is on the same machine as the website. Then did a reverse proxy for the calls to /info to https://myWebsiteAddress:port/ . Also had to deal with Cross-Origin Resource Sharing. Now works for any machine on my local network, or on the internet, provided they have my CA certificate and client TLS certificate. The changes to my Apache configuration were minimal as shown below.

# proxy for IMWS
ProxyPreserveHost On
ProxyPass "/info/" "https://myWebsiteAddress:port/"
ProxyPassReverse "/info/" "https://myWebsiteAddress:port/"
<Location "/info/">
Header set Access-Control-Allow-Origin "https://myWebsiteAddress:port"
Options Includes
SSLRequireSSL
SSLRequire %{SSL_CLIENT_I_DN_O} =~ /regular expression for organization name/
Require all granted
</Location>
# imatchviewer auth domain
<Directory "c:/myDocumentRoot/imatchviewer">
AllowOverride None
Options +Includes
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_CN} =~ /regular expression for common names/i
Require all granted
</Directory>

Mario · April 04, 2023, 10:36:52 PM

Thanks for sharing.
Setting up a reverse proxy with a self-signed certificate can be challenging.
But that's usually something an IT department with trained admins does, not a 'normal' person. Well done.