Hello, And:
I'm using the latest PVE cluster.
Then I created my own Root-CA, Middle-CA, and Server Cert.
After upload, Chrome shows "ERR_SSL_KEY_USAGE_INCOMPATIBLE" and "thisisunsafe" is not working. But with nginx, Chrome can accept the cert.
So as far as I know, Chrome is very picky with the SSL cipher algorithm. What config is the PVE api-server using? And how can I change it or work around it to make Chrome accept the cert?
Edit:
The cert contains a SAN section.
Edit2:
Firefox can accept my self-signed cert; only Chrome denies it.
Attachment:
1: OpenSSL Req section
Code:
basicConstraints = critical, CA:false
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names
2: Nginx config
Code:
server {
    server_name _;
    listen 443 ssl default;
    # If enable TLSv3, Chrome will show ERR_SSL_KEY_USAGE_INCOMPATIBLE
    # ssl_prefer_server_ciphers on;
    # ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_timeout 60m;
    ssl_session_cache shared:SSL:60m;
    ssl_certificate "cert/chain.crt";
    ssl_certificate_key "cert/ssl.key";
    location / {
        proxy_pass https://10.100.10.210:8006;
    }
}
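An added example, not part of the original post: ERR_SSL_KEY_USAGE_INCOMPATIBLE is Chrome's error for a certificate whose keyUsage extension does not permit the negotiated key exchange, so this script reads the keyUsage bits of a PEM leaf certificate and reports which handshakes they allow. It assumes an RSA key and the `openssl` CLI; `key_usage`, `handshake_fit`, `make_cert` and the CN are hypothetical names, and both test certificates are constructed here.

```shell
#!/bin/sh
# Added example: inspect the keyUsage bits of an RSA leaf certificate.

# Print the keyUsage value line of a PEM certificate (empty if absent).
key_usage() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# Report which TLS key exchanges the keyUsage bits permit for an RSA key:
#   digitalSignature -> ECDHE suites and every TLS 1.3 handshake
#   keyEncipherment  -> static RSA key exchange (TLS 1.2 and older only)
handshake_fit() {
    ku=$(key_usage "$1")
    if [ -z "$ku" ]; then echo "any"; return 0; fi   # no extension: unrestricted
    sig=0; enc=0
    case "$ku" in *"Digital Signature"*) sig=1 ;; esac
    case "$ku" in *"Key Encipherment"*) enc=1 ;; esac
    case "$sig$enc" in
        11) echo "ecdhe+rsa-kex" ;;
        10) echo "ecdhe-only" ;;
        01) echo "rsa-kex-only" ;;
        *)  echo "none" ;;
    esac
}

# Build a throwaway self-signed RSA cert with the given keyUsage list.
# Constructed test input; the CN is a placeholder.
make_cert() {  # $1 = output PEM, $2 = keyUsage value
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = pve.example.test
[ext]
basicConstraints = critical, CA:false
keyUsage = critical, $2
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -extensions ext -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_cert "$tmp/page.pem" "nonRepudiation, digitalSignature, keyEncipherment"
make_cert "$tmp/enc.pem"  "keyEncipherment"
for c in page enc; do
    echo "$c: $(key_usage "$tmp/$c.pem") -> $(handshake_fit "$tmp/$c.pem")"
done
```

To check what a server actually presents rather than the file on disk, save the leaf certificate it sends (for example from `openssl s_client -connect HOST:8006 </dev/null`) to a PEM file and pass that file to `handshake_fit`.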