CN=localhost: Server Certificate Issues

TL;DR

Using a certificate with CN=localhost on a server intended for wider deployment is problematic and will cause errors in most browsers. You need a proper, publicly trusted or internally signed certificate that matches your server’s domain name or IP address.

Why CN=localhost Doesn’t Work

Certificates with Common Name (CN) set to localhost are specifically for testing and development environments. Browsers treat them as untrusted because:

• Security Risk: Localhost isn’t a real domain, so it can’t be verified by Certificate Authorities (CAs).
• Browser Restrictions: Modern browsers actively block or warn against connections to CN=localhost unless explicitly configured for testing.
• Not Valid for Production: A certificate tied to localhost won’t match the actual domain name users will use to access your server.

How to Fix It

Here’s a step-by-step guide to get a valid certificate for your server:

1. Choose a Domain Name

1. Register a Domain: If you don’t have one, register a domain name (e.g., yourdomain.com).
2. Use an IP Address: Alternatively, use your server’s public IP address if a domain isn’t feasible (though this is less common and can be problematic if the IP changes).

2. Obtain a Certificate

You have several options:

• Let’s Encrypt (Free): A popular choice for free, automatically renewed certificates.

  certbot --nginx -d yourdomain.com

  (This assumes you are using Nginx; adjust the command for your web server.)

• Commercial Certificate Authority: Purchase a certificate from providers like DigiCert, Sectigo, or GlobalSign.
• Internal Certificate Authority (For Internal Networks): If your server is only accessible within your organisation, create an internal CA and issue a certificate. This requires more setup but avoids costs.

3. Install the Certificate

The installation process varies depending on your web server:

• Nginx: Configure your Nginx virtual host file to point to your certificate and key files.

  server {
    listen 443 ssl;
    server_name yourdomain.com;
  
    ssl_certificate /path/to/your_certificate.pem;
    ssl_certificate_key /path/to/your_private_key.pem;
  }
  

• Apache: Modify your Apache virtual host configuration to include the certificate and key paths.

  <VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot /var/www/html
  
    SSLEngine on
    SSLCertificateFile /path/to/your_certificate.pem
    SSLCertificateKeyFile /path/to/your_private_key.pem
  </VirtualHost>
  

4. Configure Your Server

1. Restart Web Server: Restart your web server (e.g., sudo systemctl restart nginx or sudo systemctl restart apache2) to apply the changes.
2. Firewall: Ensure your firewall allows traffic on port 443 (HTTPS).

5. Test Your Certificate

Use an online SSL checker tool (e.g., SSL Shopper) to verify your certificate installation and configuration.