The fix there was to re-generate the certificate. Chromium suggests "The solution is to re-generate the certificates to include a Subject Alternative Name extension, or to enable an option in Chrome to allow them."
I am using an internal Microsoft CA for my certificate needs. How would I re-generate a certificate to include the SAN extension? Does this mean redoing the cert for the MWG proxy? I don't see many options in either Active Directory Certificate Services or MWG's certificate handler for the SAN extension. Help me understand this, please.
The issue is not with the CA you imported into the MWG. It has to do with the certificate that MWG generates (on-the-fly) when you visit an SSL site.
For allowed sites, MWG is generating a certificate that closely matches the original certificate (based on what it observed with the server). When MWG is blocking a site, it does not have the server certificate to reference, so it generates one generically. This generically generated cert does not include the altName extension. Dev is working on a fix for MWG to include the altNames; for the time being it might be best to roll out the GPO for the registry change until the patch is created.
The registry workaround is listed here:
It entails modifying this registry (valid until Chrome 65):
I tested the registry entry in my lab domain and it works. Here is what the Registry entry looked like in GPO Editor:
To validate the key existed on my workstation, I ran:
REG QUERY HKLM\SOFTWARE\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors
This returns something like this:
Under the hood, Chrome still doesn't like that it's missing the cert (in the F12 tools), but I was able to get the block page normally:
Let me know if that helps.
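The same stop-gap applied and verified on a single test device, as an added example that is not part of the thread above: the key path and value name are the ones queried with REG QUERY, and the value being a REG_DWORD of 1 is Chrome's documented format for this policy, not something the thread states. Run it from an elevated prompt. Because the policy disables a hostname check for certificates chaining to local anchors, it should be removed again once the MWG patch that adds altNames is deployed.

```powershell
# Added example (not from the thread): apply and verify the Chrome policy on one test machine.
# Assumption: the policy is a REG_DWORD set to 1 (Chrome's documented format);
# the key path and value name come from the REG QUERY line in the thread.
$policyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$valueName  = 'EnableCommonNameFallbackForLocalAnchors'

function Set-ChromeCnFallbackPolicy {
    # Create the policy key if it is not there yet, then write the DWORD.
    if (-not (Test-Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    New-ItemProperty -Path $policyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-ChromeCnFallbackPolicy {
    # Returns $true only when the value exists and is exactly 1, mirroring the REG QUERY check.
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$valueName -eq 1)
}

Set-ChromeCnFallbackPolicy
if (Test-ChromeCnFallbackPolicy) {
    Write-Output "Policy applied: $valueName = 1 (stop-gap; Chrome ignores this policy from version 66 on)"
} else {
    Write-Output "Policy NOT applied; check that the prompt is elevated"
}

# Clean-up once the MWG patch that adds altNames is in place:
# Remove-ItemProperty -Path $policyPath -Name $valueName
```

After a restart of Chrome, chrome://policy lists the policy as applied, which is the quickest confirmation that the browser picked up the registry value rather than just that the value exists.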
Thank you for the prompt reply! I'll try this out. I did however notice that I got the failure for pages that aren't supposed to be blocked. Example: Marketing dept accessing Facebook or IT dept accessing YouTube. Both of those resulted in an ERR_CERT_COMMON_NAME_INVALID error. So it's a bit weird.
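One way to tell whether the certificate MWG presented for an allowed site actually carries the altName extension (rather than guessing from the Chrome error), as an added example that is not part of the thread: export the certificate from Chrome's certificate viewer to a .cer file and inspect it. The file path is a placeholder; the SAN OID 2.5.29.17 is the standard identifier for subjectAltName.

```powershell
# Added example (not from the thread): report whether an exported certificate
# carries a Subject Alternative Name (OID 2.5.29.17), which is what Chrome 58+
# requires for hostname matching. Assumption: the .cer file was exported from
# Chrome's certificate viewer; the path used below is a placeholder.
function Get-CertSanReport {
    param([Parameter(Mandatory)][string]$Path)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        HasSAN  = [bool]$san
        # Format(false) renders the DNS names on one line; no SAN means Chrome
        # rejects the cert unless the fallback policy is set.
        SAN     = if ($san) { $san.Format($false) } else { '(none)' }
    }
}

Get-CertSanReport -Path 'C:\temp\allowed-site-cert.cer'
```

If HasSAN comes back $false for a site that is allowed, the on-the-fly certificate was generated without the extension even though MWG had the server certificate to copy from, which is exactly the detail a rule trace and connection trace would let support confirm.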
I'd be interested in a rule trace and a connection trace of examples where you unexpectedly get the warning (don't post it here; it'd be good to have an SR open).
If you have a case open, say Jon might be interested in these things...
This worked for me on a single test device. I'll have to work with the AD admins on getting this into group policy. Keep us posted and thanks again.
Thank you, Jon. I'm in a weird transition period right now because my licence has expired and finance dept is working on paying for a new one. Will I be able to update with an expired licence?