kbolt
Level 10
Message 1 of 12

Chrome 58, ERR_CERT_COMMON_NAME_INVALID

Hello all, I'm having the same problem as explained here https://community.mcafee.com/thread/101734 (having problems with Chrome 58 and SSL rule Set)

The fix there was to re-generate the certificate. Chromium suggests "The solution is to re-generate the certificates to include a Subject Alternative Name extension, or to enable an option in Chrome to allow them."

I am using an internal Microsoft CA for my certificate needs. How would I re-generate a certificate to include SAN extension? Does this mean do over the cert for the MWG proxy? I don't see much option in either Active Directory Certificate Services or MWG's certificate handler for SAN extension. Help me understand this, please.

11 Replies
McAfee Employee jscholte
Message 2 of 12

Re: Chrome 58, ERR_CERT_COMMON_NAME_INVALID

Hi Kbolt!

The issue is not with the CA you imported into the MWG. It has to do with the certificate that MWG generates (on-the-fly) when you visit an SSL site.

For allowed sites, MWG is generating a certificate that closely matches the original certificate (based on what it observed with the server). When MWG is blocking a site, it does not have the server certificate to reference, so it generates one generically. This generically generated cert does not include the altName extension. Dev is working on a fix for MWG to include the altNames; for the time being it might be best to roll out the GPO for the registry change until the patch is created.

The registry workaround is listed here:

Policy List - The Chromium Projects

It entails modifying this registry (valid until Chrome 65):

Software\Policies\Google\Chrome\EnableCommonNameFallbackForLocalAnchors

I tested the registry entry in my lab domain and it works. Here is what the Registry entry looked like in GPO Editor:

    

To validate the key existed on my workstation, I ran:

gpupdate /force

REG QUERY HKLM\SOFTWARE\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors

This returns something like this:

Under the hood, Chrome still doesn't like that it's missing the cert (in the F12 tools), but I was able to get the block page normally:

    

Let me know if that helps.

Best Regards,

Jon
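
The condition behind this thread, as an added example that is not part of the post above or of any McAfee or Chrome code: a PowerShell check that reports whether a certificate carries a subjectAltName extension (OID 2.5.29.17) covering the requested host, ignoring the CN. The function names and the hostname `blocked.example.test` are constructed for illustration, and the two sample certificates are generated in memory (assumes PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2 or later).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Constructed sample: a self-signed cert for $HostName, with or without a SAN extension.
function New-SampleCert {
    param([string]$HostName, [switch]$WithSan)
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$HostName", $key,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if ($WithSan) {
        $san = [SubjectAlternativeNameBuilder]::new()
        $san.AddDnsName($HostName)
        $req.CertificateExtensions.Add($san.Build($false))
    }
    $now = [DateTimeOffset]::UtcNow
    return $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))
}

# Reports whether a certificate has subjectAltName (OID 2.5.29.17) and whether
# one of its DNS entries covers $HostName. The subject CN is never consulted.
function Test-SubjectAltName {
    param([X509Certificate2]$Certificate, [string]$HostName)
    $ext = $Certificate.Extensions['2.5.29.17']
    $names = @()
    if ($null -ne $ext) {
        # Format() prints "DNS Name=host" on Windows and "DNS:host" on OpenSSL-backed
        # .NET; localized Windows builds may label the entries differently.
        $names = @([regex]::Matches($ext.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    $covered = $false
    foreach ($n in $names) {
        if ($n -eq $HostName) { $covered = $true }
        elseif ($n.StartsWith('*.') -and $HostName.Contains('.')) {
            # A wildcard entry covers exactly one leftmost label.
            $parent = $HostName.Substring($HostName.IndexOf('.'))
            if ($parent -eq $n.Substring(1)) { $covered = $true }
        }
    }
    [pscustomobject]@{
        Subject = $Certificate.Subject
        HasSan  = ($null -ne $ext)
        SanDns  = $names
        Covered = $covered
    }
}

$site = 'blocked.example.test'   # constructed hostname
Test-SubjectAltName (New-SampleCert $site) $site
Test-SubjectAltName (New-SampleCert $site -WithSan) $site
```

To check a certificate the proxy actually served, export it from the browser and pass `[X509Certificate2]::new('<path to exported .cer>')` in place of the generated sample.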

kbolt
Level 10
Message 3 of 12

Re: Chrome 58, ERR_CERT_COMMON_NAME_INVALID

Thank you for the prompt reply! I'll try this out. I did however notice that I got the failure for pages that aren't supposed to be blocked. For example, the Marketing dept accessing Facebook or the IT dept accessing YouTube. Both of those resulted in an ERR_CERT_COMMON_NAME_INVALID error. So it's a bit weird.

McAfee Employee jscholte
Message 4 of 12

Re: Chrome 58, ERR_CERT_COMMON_NAME_INVALID

Hi Kbolt,

I'd be interested in a rule trace and a connection trace of examples where you unexpectedly get the warning (don't post it here, it'd be good to have an SR open).

If you have a case open, say Jon might be interested in these things...

Best Regards,

Jon

feickholt
Level 10
Message 5 of 12

Re: Chrome 58, ERR_CERT_COMMON_NAME_INVALID

We have this error also on sites which do not generate a blocking page. (unfortunately www.google.de)

kbolt
Level 10
Message 6 of 12

Re: Chrome 58, ERR_CERT_COMMON_NAME_INVALID

This worked for me on a single test device. I'll have to work with the AD admins on getting this into group policy. Keep us posted and thanks again.


Re: Chrome 58, ERR_CERT_COMMON_NAME_INVALID

Hi Jon,

Any news on the hotfix for this issue?

Will it be available for 7.6 and 7.7 or just 7.7?

Thanks.

Vincent

McAfee Employee jscholte
Message 8 of 12

Re: Chrome 58, ERR_CERT_COMMON_NAME_INVALID

Hi Vincent, it will be for both.

McAfee Employee jscholte
Message 9 of 12

Re: Chrome 58, ERR_CERT_COMMON_NAME_INVALID

7.6.2.12 and 7.7.1.5 are now out which contain fixes for this issue.

kbolt
Level 10
Message 10 of 12

Re: Chrome 58, ERR_CERT_COMMON_NAME_INVALID

Thank you, Jon. I'm in a weird transition period right now because my licence has expired and finance dept is working on paying for a new one. Will I be able to update with an expired licence?
