Skip to main content
Announcements
Qlik Introduces a New Era of Visualization! READ ALL ABOUT IT

ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Anonymous
Not applicable

ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate

Last Update:

Apr 16, 2021 7:36:48 AM

Updated By:

Sonja_Bauernfeind

Created date:

Mar 1, 2017 7:59:46 PM

Qlik Sense Enterprise for Windows will by default use a self-signed certificate to allow for the use of HTTPS when accessing the Management Console (QMC) or the Hub. 

QlikView will always use HTTP by default, but a 3rd party certificate can be installed to enable HTTPS. See QlikView AccessPoint and QMC with HTTPS and a custom SSL certificate.

In Qlik Sense, this self-signed certificate will lead to browsers showing "Not Secure" as in this screenshot:

User-added image


After implementing a 3rd party or private CA certificate, the QMC and Hub will begin to show the connection as "Secure":

User-added image

If the client implements the new certificate and still receives the error ERR_CERT_COMMON_NAME_INVALID, it is possible that the expected domain in the certificate and the domain listed in the URL do not match.


User-added image

Environment:

  • Qlik Sense Enterprise all versions
  • QlikView all versions

 

Resolution:

 

Unsupported TLS version or ciphers?

Verify that the Windows Server hosting QlikView does not have obsolete TLS versions installed which the browser does not support.


Does the URL match the certificate?

Check that the URL being used and ensure that it matches the Fully Qualified Domain Name (FQDN) issued to the certificate.

For example, if a certificate is issued to qliksense.company.com, users can still access the QMC / Hub using the server name only (qliksense) but the web browser will produce a warning about a mismatch between qliksense/hub/ and qliksense.company.com/hub/

In Qlik Sense, if you are concerned about whether a certificate is correctly bound, then inspect the Security_Proxy log in C:\ProgramData\Qlik\Sense\Log\Proxy\Trace. An example of a success binding of a certificate to the Proxy will look like:

Domain\qs_admin    Set certificate 'CN=*.company.com, OU=PremiumSSL Wildcard, O=ACME, STREET="88 Broadway, Bldg 14", L=New York, S=ON, PostalCode=90213, C=CA' (D09777777738C5A799999994F9555AFF588888) 
 

 

Does the Subject Alternative Name match?

Another important cause of this error is: the URL used in the browser does not match "Subject Alternative Name" in the certificate.



User-added image

In most browsers, when verifying the website's identity, SubjectAlternativeName(SAN) is used first. If absent, then it falls back to Subject (or known as "Common Name" which is typically the same as "Issue to").
Since Google Chrome v58, this falling back behavior is dropped. So if an SAN does not match URL, or SAN does not exist at all, ERR_CERT_COMMON_NAME_INVALID error will happen.

Recommendation:

  1. Use the FQDN which align with the certificate
  2. Acquire a new certificate to include the appropriate SAN to match the URL which users will use to access Qlik Sense
  3. Have TLS versions/ciphers up to date. See SSL & TLS Support in QlikView - How to configure QlikView and TLS  

 

Cause:

 

The FQDN does not align with the certificate.

 

Related Content:

Qlik Sense Hub and QMC with custom SSL certificate 
How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate
Qlik Sense: Compatibility information for third-party SSL certificates to use with HUB/QMC
Requirements for configuring Qlik Sense with SSL
Qlik Sense: Couldn't find a valid ssl certificate with thumbprint in Proxy logs, the third party cer...

Labels (1)
Comments
BrunPierre
Partner - Master
Partner - Master

How would you resolve this same error in QlikView environment?

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @BrunPierre  

The error is universal and by itself not connected to Qlik Sense.

"Check that the URL being used and ensure that it matches the Fully Qualified Domain Name (FQDN) issued to the certificate." applies regardless of what product (Qlik Sense, QlikView, or any other product using a certificate not even related to Qlik) is being used.

I will rewrite the article to reflect this. 

Version history
Last update:
‎2021-04-16 07:36 AM
Updated by: