Failed to load resources when accessing remote HTTPS webpage

[Matt Brossett]

We have an embedded device that host a configuration webpage using HTTPS. We have no problems loading and browsing the webpage across the local network using any browser. However, when we attempt to access the webpage remotely, such as when the device is connected to a cellular gateway, Chrome will fail to load some resources (see attached). We do not have these issues using IE/Edge, Firefox, or Safari. It appears this issue is unique to Chrome. We also tested with TLS disabled (HTTP) and did not experience these issues. Has anyone experienced this problem with Chrome? Does anyone have any ideas?

[Jon Perryman]

Did you try opening developer tools. Maybe console has a message or maybe networking tab shows something. If running chrome under android, then you will need to install android studio and use developer tools remotely.

Regards, Jon.

On Fri, Sep 29, 2017 at 5:57 AM, Matt Brossett <matt.b...@gmail.com> wrote:

We have an embedded device that host a configuration webpage using HTTPS. We have no problems loading and browsing the webpage across the local network using any browser. However, when we attempt to access the webpage remotely, such as when the device is connected to a cellular gateway, Chrome will fail to load some resources (see attached). We do not have these issues using IE/Edge, Firefox, or Safari. It appears this issue is unique to Chrome. We also tested with TLS disabled (HTTP) and did not experience these issues. Has anyone experienced this problem with Chrome? Does anyone have any ideas?

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

---
You received this message because you are subscribed to the Google Groups "Chromium-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discuss+unsubscribe@chromium.org.

[Matt Brossett]

The image I attached is a screenshot of the developed tools. The message is net:err_connection_aborted. I am running on windows 7. 

[Jon Perryman]

Sorry, I never received the attachment.  As for err_connection_aborted, there are several possible causes. Since you say it's related to chrome, the easiest to check is disabling extensions to see if you have one that is causing the problem. Maybe clear your SSL certificates in case they are bad. It sounds like you are having some sort of SSL problem since HTTP works correctly. Maybe try it on a different platform to see if it's windows related or chrome related.

Good luck, Jon.

[Matt Brossett]

I am able to access the page without errors using Linux (Raspbian), iOS, and Android. So yes it appears to be an issue related to the Windows build of Chrome.

Matt

[PhistucK]

You might be able to get a bit more information using chrome://net-internals.

☆PhistucK

On Mon, Oct 2, 2017 at 4:15 PM, Matt Brossett <matt.b...@gmail.com> wrote:

I am able to access the page without errors using Linux (Raspbian), iOS, and Android. So yes it appears to be an issue related to the Windows build of Chrome.

Matt

--

[Matt Brossett]

It appears my issue is similar to this post... https://bugs.chromium.org/p/chromium/issues/detail?id=459210

I am using a valid (self-signed) certificate, and the CA cert is installed on the PC. However, since the device is being accessed by its IP address, I get the following error...  net_error = -200 (ERR_CERT_COMMON_NAME_INVALID). This error shouldn't cause resources to fail to load but it appears it does. To prove this I added to the Windows Host File an IP address to host name mapping with the common name from the security certificate. After doing so, I restarted the browser and used the host name to access the web page and all the resources loaded without issue.

So it appears that Chrome is not properly handling the ERR_CERT_COMMON_NAME_INVALID error. The browser should allow the webpage to be accessed even with this error. A person should not have to place an entry in the host file to browse to a secure webpage. Can someone look into why Chrome is doing this and fix the issue?

[Torne (Richard Coles)]

What makes you believe that CERT_COMMON_NAME_INVALID shouldn't cause resources to fail to load? If the name is invalid then the cert isn't valid and the HTTPS connection is not secure. What you describe appears to be normal correct behaviour.

--

[Matt Brossett]

We are using a self-signed certificate to create an encrypted connection. The browser will not consider this "secure" as it does not have a method to verify the identity of the server, nor will it be able to verify the certificate was signed by a trusted CA (unless the CA cert is installed) and this is expected. Chrome will present a warning to the user so that they understand the risks and give them the option to continue. By proceeding, an encrypted communication channel should be established and the page should load without errors and this is how Firefox, IE/Edge, and Safari perform. Why would Chrome give the user the option to continue if it's just going to fail to load the page resources? So yes, I do believe net::ERR_CERT_COMMON_NAME_INVALID shouldn't cause the resources to fail to load. 

[Torne (Richard Coles)]

You said the CA cert was installed on the PC, though, and what you described in your previous message didn't mention clicking through a security interstitial. The screenshot of developer tools you attached earlier in the thread also appears to just be a thumbnail and not the full image - it's impossible to see any details in it.

If you're getting a security interstitial and clicking through it, then yes, I expect that other resources whose connections are to the same server and get the same cert would also work. If the subresources are on a different server, then I wouldn't expect the click-through to apply to them. It's hard to follow exactly what your situation is here; maybe you could repost the screenshot or provide a test?

On Tue, 3 Oct 2017 at 15:15 Matt Brossett <matt.b...@gmail.com> wrote:

We are using a self-signed certificate to create an encrypted connection. The browser will not consider this "secure" as it does not have a method to verify the identity of the server, nor will it be able to verify the certificate was signed by a trusted CA (unless the CA cert is installed) and this is expected. Chrome will present a warning to the user so that they understand the risks and give them the option to continue. By proceeding, an encrypted communication channel should be established and the page should load without errors and this is how Firefox, IE/Edge, and Safari perform. Why would Chrome give the user the option to continue if it's just going to fail to load the page resources? So yes, I do believe net::ERR_CERT_COMMON_NAME_INVALID shouldn't cause the resources to fail to load. 

--

[Matt Brossett]

I apologize for not mentioning clicking through the security interstitial as I thought this goes without saying. It is understood the page will not load any resources if a person does not accept the security warning and proceed to the webpage. That being said, I did click "proceed" on the security interstitial at one point and Chrome has remembered it since. The CA cert is installed on this particular PC, although I have another test PC without the CA installed. With or without the CA cert installed the security interstitial will appear as the device is accessed using a static IP address over the WAN.

All resources are served from the embedded device, images, fonts, jquery, etc. Regarding the screenshot of the network tab of the developer tool page, there isn't much else to show. The items that failed do not have a response as the connection was aborted by the PC. If there is something specific you would like to see I would be happy to share I just wasn't sure if there was anything else useful. I currently have the device on a static IP address and do not want to post that here. This issue should be pretty easy to replicate with other embedded devices, though. However, to properly replicate the issue you will need to access your device from across the internet.

[Matt Brossett]

Here is a link to a test. I will leave this up for a couple days.

https://tankmonitor.ddns.net:5001

Open the configuration page and you should see resources fail to load in the network tab of the developer tools window. The credentials are admin, password. Please try this when you get a chance.

[Torne (Richard Coles)]

I tried this and after proceeding through the certificate error interstitial it all seemed to work; no resource load failures in the console or network tab while clicking around the site, using chrome 61.0.3163.100 on linux. I also tried importing the certificate to try to get into the state you described where it's just the name that's invalid, but the cert store on my linux machine refuses to accept that cert as valid at all (chrome will only import it into the "other" tab, which doesn't trust it).

It looks like it's down now?

--

[Matt Brossett]

As stated in a previous post I have only ever experienced the issue in Windows. I rebooted the server, try again with a Windows machine.

[Torne (Richard Coles)]

I don't have a Windows machine and am not familiar with how certificate validation is done there; sorry, I don't think I can help then.

On Thu, 5 Oct 2017 at 14:08 Matt Brossett <matt.b...@gmail.com> wrote:

As stated in a previous post I have only ever experienced the issue in Windows. I rebooted the server, try again with a Windows machine.

--

[ero...@chromium.org]

ERR_CERT_COMMON_NAME_INVALID suggests the issue is use of a self-signed certificate that lacks a SAN:

https://bugs.chromium.org/p/chromium/issues/detail?id=700595

If that is the case, your best option is to re-generate this certificate so it includes a SAN.

If regenerating the certificate is not an option, you can alternatively instruct Chrome to accept such certificates using the policy:

https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors

If that is not the issue you are experiencing, then please file a bug report at http://crbug.com/new.

In the bug report include a Net Log dump that capture events when you experience the error.

(Of particular interest, I need to see the certificate itself, which will be in the netlog dump).

The bug report should be tagged with the component 

Internals>Network>Certificate to reach the correct triage queue.

Cheers.