-1
NET::ERR_CERT_COMMON_NAME_INVALID

This is the error that we're getting.

And it also says that "adguard has blocked access to this page".

What's the solution to this?

Would SSL pinning fix this issue of very few clients getting SSL errors?

https://developers.wultra.com/components/ssl-pinning-android/1.3.x/documentation/

There is an option to install CA cert on Android, but is it worth the hassle or is there something simpler and efficient?

schroeder
  • 129,372
  • 55
  • 299
  • 340
barnyard9
  • 143
  • 3
  • 1
    And what's the error? – schroeder Dec 05 '23 at 17:47
  • Issues like these are sometimes due to cross-signed certificates, where some devices are able to build a trust chain up to trusted root cert, but others are not. See https://security.stackexchange.com/questions/258190/what-could-cause-classic-err-cert-date-invalid-when-i-can-confirm-no-error-fro for a similar question. If it's possible for you to post the URL to the site where this problem is taking place, someone on here might be able to spot what the problem is. – mti2935 Dec 05 '23 at 18:12
  • @schroeder This client-side SSL error is not logged on the server, but only on the client side. We don't put debugging on the client side as they'll be scared. – barnyard9 Dec 06 '23 at 01:20
  • ... then how do you expect to troubleshoot if you don't even know what's going on? – schroeder Dec 06 '23 at 08:13
  • Do you have ideas on how to put debugging on SSL issues from code? – barnyard9 Dec 06 '23 at 08:26
  • After the edit, the problem is clear. These devices have a browser extension that uses its own TLS certificate to inspect traffic. Your site doesn't allow that. This can be easily looked up with the google search term: https://www.google.com/search?q=NET%3A%3AERR_CERT_COMMON_NAME_INVALID+adguard That's why it is important to get all the info before trying to troubleshoot (or asking others to troubleshoot). – schroeder Dec 16 '23 at 11:54
  • Ok, after the edit, does this mean that you looked this up, saw the reasons and the solutions, and you want more info? What have you tried? – schroeder Dec 17 '23 at 12:13

1 Answer

1

It is unclear what error you exactly get - a certificate validation error or some other SSL error. Unless you have more precise information already (in which case you should provide it in your question) you should add more debugging in your application to log what happens. This means especially logging the certificate in case of failed certificate validation and logging any other error details in case of other SSL errors.

The most common problems are:

  • The original certificate is served, but the client cannot verify it. This might be because the client does not have the issuer CA installed, which might be because the client is too old. It might also happen if the certificate is not yet valid or expired since the client has the wrong time. Pinning the certificate or public key instead of (not in addition to) normal certificate validation might help here.
  • A different certificate is seen by the client than provided by the server. This happens in case of SSL interception in corporate proxies and similar. Pinning will not help. Instead the CA from the intercepting device needs to be installed in the client.
  • Some other SSL error. This might be the case if the TLS stack in the client is too old (unsupported SSL versions and/or ciphers), some middlebox blocking access etc. Pinning will not help; the cause of the problem (old client, middlebox) needs to be fixed instead.
Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465
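The answer recommends logging the certificate on a failed validation and then sorting the failure into one of the three categories above. The following Python script is an added example of such a triage step, written here for illustration; it is not code from the answer, the question, or the Wultra library. It works on the dict layout that CPython's `ssl.SSLSocket.getpeercert()` returns, and all certificates, issuer names and trust lists in it are constructed samples, not real ones. `fetch_pem_for_logging` is the only part that touches the network and is never needed by the offline checks.

```python
import ssl

# Constructed sample certificates in the dict layout that
# ssl.SSLSocket.getpeercert() returns. None of these is a real certificate.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trust Services"),),
               (("commonName", "Example Public CA R1"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Local Filtering Proxy CA"),),),  # constructed name
    "subjectAltName": (("DNS", "www.example.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
# What the client's trust store knows, and which issuer names mark a local
# interception device (AdGuard-style filtering, corporate proxy). Both constructed.
TRUSTED_ISSUERS = {"Example Public CA R1"}
INTERCEPTION_ISSUERS = {"Local Filtering Proxy CA"}

# Reference clocks for the checks (epoch seconds, UTC).
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")

# Which of the answer's categories pinning (instead of normal validation) may address.
PINNING_MAY_HELP = {
    "untrusted_issuer": True,    # client lacks the issuer CA (old client)
    "not_yet_valid": True,       # wrong client clock
    "expired": True,             # wrong client clock (or a really expired cert)
    "interception": False,       # proxy CA must be installed on the client instead
    "hostname_mismatch": False,  # server-side misconfiguration; fix the certificate
    "ok": False,
}


def rdn_value(name, key):
    """Return the first value of attribute `key` in a getpeercert() subject/issuer tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def dns_names(cert):
    """Names the certificate is valid for: SAN dNSName entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = rdn_value(cert.get("subject", ()), "commonName")
        if cn:
            names.append(cn)
    return names


def hostname_matches(hostname, pattern):
    """RFC 6125 style match: a wildcard is only accepted as the whole leftmost label."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    suffix = pat[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def classify(cert, hostname, now, trusted_issuers=TRUSTED_ISSUERS,
             interception_issuers=INTERCEPTION_ISSUERS):
    """Sort a failed validation into the answer's categories."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn in interception_issuers:
        return "interception"  # a different certificate than the server's
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    if not any(hostname_matches(hostname, n) for n in dns_names(cert)):
        return "hostname_mismatch"  # what the browser reports as ERR_CERT_COMMON_NAME_INVALID
    if issuer_cn not in trusted_issuers:
        return "untrusted_issuer"
    return "ok"


def failure_log_line(cert, hostname, now):
    """One log line with the details the answer says to record on a failed validation."""
    category = classify(cert, hostname, now)
    return (f"tls_validation host={hostname} category={category} "
            f"pinning_may_help={PINNING_MAY_HELP[category]} "
            f"subject={rdn_value(cert['subject'], 'commonName')} "
            f"issuer={rdn_value(cert['issuer'], 'commonName')} "
            f"san={','.join(dns_names(cert))} notAfter={cert['notAfter']}")


def fetch_pem_for_logging(host, port=443):
    """Fetch the certificate the client actually sees, unverified, so it can be logged."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    print(failure_log_line(GOOD_CERT, "api.example.com", NOW))
    print(failure_log_line(INTERCEPTED_CERT, "www.example.com", NOW))
```

The interception check runs first on purpose: a filtering proxy re-issues the leaf under its own CA, so its certificate can fail the date or name checks as well, and reporting those would point at the wrong fix. `fetch_pem_for_logging` deliberately does not verify anything; its only job is to capture what the failing client saw so the PEM can be attached to the error report.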