[HELP] Mismatched Address Certificate Error

Discussion on setting up QNAP NAS products.
nuspieds
Know my way around
Posts: 133
Joined: Tue Jul 14, 2009 3:35 am
Location: Los Angeles

[HELP] Mismatched Address Certificate Error

Post by nuspieds »

I followed the steps in the How-To guide http://wiki.qnap.com/wiki/Use_OpenSSL_t ... connection for using OpenSSL to generate a certificate for the NAS.

Everything worked, but when I SSL into my NAS (TS-509), IE8 is giving me a "Mismatched Address" certificate error. The SSL works and all, but I was just wondering if there was a way to get rid of that error so that IE goes to my NAS box without any issues and the location bar background is green as opposed to red.

Thanks.
Q
Experience counts
Posts: 1436
Joined: Wed Sep 05, 2007 4:18 pm
Location: Switzerland
Contact:

Re: [HELP] Mismatched Address Certificate Error

Post by Q »

hi

to get the bar green you would need to buy an EV SSL certificate from an issuer known by the web browser: http://en.wikipedia.org/wiki/Extended_V ... ertificate
I am Q
www.qnap.ch

I don't work at QNAP.
And RAID is really NO backup!
JohnVK
Getting the hang of things
Posts: 79
Joined: Sat Aug 22, 2009 5:14 am

Re: [HELP] Mismatched Address Certificate Error

Post by JohnVK »

Hi Nuspieds,

You can in fact use a self-signed certificate and NOT get that certificate error in IE8. But for that to work you must make sure you correctly create your certificate so it is able to properly identify your server. There are a few things you need to add in a certificate for it to work without error:

- Friendly / Subject name (aka, Common Name, it's the field called Subject in the certificate) must match the external name of whatever you are connecting to. For instance mail.domain.com
- SAN (Subject Alternate Names) must match ALL names the connection / server is known by, this includes LAN DNS names. So if you have a server named Server1 in an Active Directory domain called Domain1.local, you should add these SANs: Server1 , Server1.domain1.local , mail.domain.com

If all of the names this server is identified by are present (either on the WAN or LAN), IE won't give you an error. This is a Microsoft recommendation btw, I didn't make that up :wink:

Now, for the record, I have never used the method you described to create certificates so I have no idea how that works. I'm sorry. I only deal with creating self-signed certificates on Exchange Servers or otherwise buying a certificate from a verified resource (Thawte, verisign, DigiCert, etc.).

Hope this helps nonetheless :wink:
Q
Experience counts
Posts: 1436
Joined: Wed Sep 05, 2007 4:18 pm
Location: Switzerland
Contact:

Re: [HELP] Mismatched Address Certificate Error

Post by Q »

cool, thx for sharing that information.

does the bar then get green or yellow? guess the latter one (which is also fine of course).
JohnVK
Getting the hang of things
Posts: 79
Joined: Sat Aug 22, 2009 5:14 am

Re: [HELP] Mismatched Address Certificate Error

Post by JohnVK »

You're welcome!

The certificate will be fully trusted if all of the names are configured correctly, so it will be green :)
nuspieds
Know my way around
Posts: 133
Joined: Tue Jul 14, 2009 3:35 am
Location: Los Angeles

Re: [HELP] Mismatched Address Certificate Error

Post by nuspieds »

Q wrote: to get the bar green you would need to buy an EV SSL certificate from an issuer known by the web browser: http://en.wikipedia.org/wiki/Extended_V ... ertificate
Thanks for the info...that expense is not worth it for me, though, as I'm not hosting a site or anything.
nuspieds
Know my way around
Posts: 133
Joined: Tue Jul 14, 2009 3:35 am
Location: Los Angeles

Re: [HELP] Mismatched Address Certificate Error

Post by nuspieds »

JohnVK wrote: Hope this helps nonetheless :wink:
Actually, it does! :D

Thanks a lot!

The command-line of OpenSSL prompts for Common Name but for SAN, as I just read in the documentation, it must come from the configuration file. I'll definitely be playing around with it some more to see if I can get it to work.
nuspieds
Know my way around
Posts: 133
Joined: Tue Jul 14, 2009 3:35 am
Location: Los Angeles

Re: [HELP] Mismatched Address Certificate Error

Post by nuspieds »

Hi JohnVK,

Success at last! :D

All along I was incorrectly specifying the CN. I had tried the server name (which I use at home on my network), and then I edited the configuration file for OpenSSL to specify SANs using both IP and URIs...but all to no avail.

Then, after doing more research, I found out that I should be using the external server name (i.e., xxx.dyndns.org) for the CN. Actually, there was a time when I did specify this external name, but based on the examples I saw in the documentation, I had the name improperly formatted by including "http://".

Finally, what led me to fully diagnose the problem was when I stumbled onto this site: http://www.sslshopper.com/ssl-checker.html. It clearly told me what I needed to do and once I fixed the CN, everything subsequently worked. No more red bar with the mismatch error!

In the end, though, all that I needed to do was set the CN; I didn't have to worry about SANs.

Thanks again for your help!

-Nuspieds
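
An added example (not part of any post in this thread): generating the self-signed certificate from an OpenSSL config file that carries both the CN and the SANs discussed above, then using `openssl x509 -checkhost` / `-checkip` to see which names it covers before loading it on the NAS. The host names and IP address are constructed placeholders, and `make_cert`, `name_matches` and `ip_matches` are helper names made up for this example.

```shell
#!/bin/sh
# Added example; host names and the IP address are constructed placeholders.

# make_cert <dir> <common-name> [<subjectAltName value>]
# Writes openssl.cnf, key.pem and cert.pem (self-signed) into <dir>.
make_cert() {
    dir=$1; cn=$2; san=${3:-}
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        if [ -n "$san" ]; then printf 'x509_extensions = v3\n'; fi
        # CN is the bare host name: no "http://" and no path.
        printf '[dn]\nCN = %s\n' "$cn"
        if [ -n "$san" ]; then printf '[v3]\nsubjectAltName = %s\n' "$san"; fi
    } > "$dir/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# name_matches <cert.pem> <host>: true if the certificate covers <host>.
name_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# ip_matches <cert.pem> <ip>: true if an IP SAN covers <ip>.
ip_matches() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# Build one certificate for the external name, the LAN name and the LAN IP,
# then report which of three names a client could use without a mismatch.
demo() {
    d=$(mktemp -d)
    make_cert "$d" 'nas.example.org' \
        'DNS:nas.example.org, DNS:nas, IP:192.168.1.10'
    for n in nas.example.org nas other.example.org; do
        if name_matches "$d/cert.pem" "$n"; then
            echo "$n: match"
        else
            echo "$n: MISMATCH"
        fi
    done
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo`. Current browsers match only against SAN entries and ignore the CN, so a certificate meant for them should list the external name as a DNS SAN as well.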
JohnVK
Getting the hang of things
Posts: 79
Joined: Sat Aug 22, 2009 5:14 am

Re: [HELP] Mismatched Address Certificate Error

Post by JohnVK »

Great! :)

Yes, like I said, the CN (Common Name) must always match the external name. I did give an example (mail.domain.com) but I forgot to say to explicitly exclude the http:// part. Sorry about that! :wink:

Anyway, glad you got it sorted! :D And thanks for that sslchecker link. That's a nice one!
nuspieds
Know my way around
Posts: 133
Joined: Tue Jul 14, 2009 3:35 am
Location: Los Angeles

Re: [HELP] Mismatched Address Certificate Error

Post by nuspieds »

JohnVK wrote: Yes, like I said, the CN (Common Name) must always match the external name. I did give an example (mail.domain.com) but I forgot to say to explicitly exclude the http:// part. Sorry about that! :wink:
No need to apologize because I wasn't referring to your example. :wink: I got caught up in the OpenSSL documentation and they included the "http://" all over the place, so that's what I was following. In addition, on my Windows system, I have two trusted certificates from valicert.com and both have the "http://" included in their CNs! Now you know why I was automatically including it with mine! :D