LetsEncrypt Name Mismatch Error

Problem Description
Following on from the LetsEncrypt issue of having capital letters in the domain name (Cannot access plinth), I was then greeted with an SSL Certificate Name Mismatch Error. In Firefox, it will absolutely not allow one to continue, but in Internet Explorer (it has its uses) one is able to add an exception.

The Olimex Pioneer Freedombox is sitting behind a D-Link router, and has port-forwarding enabled. DMZ forwarding tends to mess things up (assuming it has to do with another issue relating to CGNAT which was mentioned in another forum issue).

Steps to Reproduce

  1. Fresh setup of freedombox
  2. setup DynDNS via gnudip
  3. use letsencrypt to get certificate (using all lowercase)
  4. access domain

Expected Results
View freedombox landing page

Actual results
The warning read something like:
Cannot access .freedombox.rocks because the certificate has been issued for . Upon viewing the certificate, it says created by: issued to

Well, I assume it is the hostname that is being used, because it is the same name.

Screenshot
Not available. While fiddling to fix the issue, I attempted to rollback to an earlier install, and seem to have bricked the box. So now I just get a timeout error. Will need to flash again.

Information

  • FreedomBox version: latest, with updates
  • Hardware: Olimex Pioneer
  • How did you install FreedomBox?: Fresh flash of pioneer freedombox

I just re-flashed the box, and configured DynDNS through GNUDIP, and was greeted with a similar (although seemingly reversed) error. I was able to take screenshots, which are included. Sensitive info has been removed.
Any idea what this might be about? Is my firefox security too strict? I can’t seem to add an exception.

I tried with Chrome and was able to add an exception. It would seem as if my Firefox security is too strict or something. However, it doesn’t alter the initial issue.

Hello Gareth

I was then greeted with an SSL Certificate Name Mismatch Error. In Firefox, it will absolutely not allow one to continue, but in Internet Explorer (it has its uses) one is able to add an exception.

I think firefox behaves differently from internet explorer because firefox had already visited your website, and internet explorer had not.

Let's assume you first had your freedombox working properly with let’s encrypt certificate correctly set up.
This setup also enables HSTS (HTTP Strict Transport Security - Wikipedia) on the server.

So when you visited your freedombox website with firefox at that time, the freedombox server added HTTP headers telling firefox “this server should only be accessed securely for the next 365 days”.

Then, when the letsencrypt misconfiguration occurred and/or you reflashed, your freedombox started using a self-signed certificate again (considered less safe) and disabled HSTS.

Firefox refused to accept the (less safe) self-signed certificate, and did not let you add an exception because it was told to do so by the HSTS header earlier (and this holds for 365 days).

Internet Explorer, which presumably never connected to your freedombox website while HSTS was enabled, lets you add an exception.

On firefox, you can go to Preferences > Privacy & Security > Cookie & Site Data > Manage Data, and delete everything related to your freedombox domain name. It should then let you add an exception.

I hope it makes sense

Cheers

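The HSTS behaviour described in the reply above, as an added illustration that is not code from the thread or from FreedomBox: a small model of a browser's HSTS cache (RFC 6797 semantics) showing why a host that once sent the header hard-fails on a later self-signed certificate, why a browser that never saw the header can still add an exception, and what deleting the site data changes. The header value, host names and times are constructed.

```python
from dataclasses import dataclass

# Constructed sample value: the header a server sends once a trusted certificate
# is in place (365 days = 31536000 seconds, as the reply above describes).
SAMPLE_HSTS_HEADER = "max-age=31536000; includeSubDomains"

@dataclass
class HstsEntry:
    expires_at: float          # absolute time, seconds since epoch
    include_subdomains: bool

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, subs = None, False
    for raw in value.split(";"):
        d = raw.strip()
        if d.lower().startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip().strip('"'))
        elif d.lower() == "includesubdomains":
            subs = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, subs

class HstsStore:
    """Minimal model of a browser's HSTS cache."""
    def __init__(self):
        self.entries = {}

    def observe(self, host, header, now, cert_trusted):
        # The header is only honoured on an error-free HTTPS connection, so a
        # self-signed certificate can neither pin nor un-pin a host.
        if not cert_trusted or header is None:
            return
        max_age, subs = parse_hsts(header)
        if max_age == 0:
            self.entries.pop(host, None)      # max-age=0 is an explicit un-pin
        else:
            self.entries[host] = HstsEntry(now + max_age, subs)

    def is_pinned(self, host, now):
        # Exact match, or a parent domain whose entry covers subdomains.
        labels = host.split(".")
        for i in range(len(labels)):
            e = self.entries.get(".".join(labels[i:]))
            if e and e.expires_at > now and (i == 0 or e.include_subdomains):
                return True
        return False

    def clear_site_data(self, host):
        # What "Manage Data" does for that domain: the stored entry is dropped.
        self.entries.pop(host, None)

def connection_outcome(store, host, cert_trusted, now):
    """'ok', 'overridable' (warning page with an exception button) or 'hard-fail'."""
    if cert_trusted:
        return "ok"
    return "hard-fail" if store.is_pinned(host, now) else "overridable"
```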

Many thanks for the detailed explanation. It totally makes sense. I’ll try that today and let you know how it goes.

Solved! Thanks.
Initially nothing changed with Firefox after deleting certificates and cookies.
However, once I obtained a Lets Encrypt Certificate (I had thought this was the issue and had previously disabled/deleted it), there were no more problems.
It very much seems to have been a case of “turn it off and on again” :stuck_out_tongue: