[Bug]: DNS lookups in 14.2.x break sites using wss/https

[joelgriffith]

Bug description

Steps to reproduce the problem:

1. Install recent puppeteer versions.
2. Use puppeteer.connect({ browserWSEndpoint: 'wss://chrome.browserless.io' })
3. Receive SSL error since we (possibly most sites?) won't have an IP addresses in the HTTPS altnames:

I've traced it to this diff: https://github.com/puppeteer/puppeteer/compare/v14.1.2...v14.2.0#diff-483229840b8c0a75e846133dc211986ef957c8f103789a2f82edb47693242dafR22. I'm not sure if it's a good/standard practice to add an IP to altnames in these certificates or if it's something that bigger tools (like certbot) allow, but found it an oddity myself. It's possible an attacker could obtain that IP address and start handling requests with an IP versus trying to take over the DNS entry -- so I'm skeptical adding IP addresses to the altnames should be the solution here. We use a pretty "vanilla" letsencrypt setup, and I'm sure many others will run into this issue as well.

Here's a snippet of some code:

const puppeteer = require('puppeteer');

(async () => {
  const browser = await puppeteer.connect({
    browserWSEndpoint: 'wss://chrome.browserless.io',
  });

  const page = await browser.newPage();

  await page.goto('https://www.example.com/');
  console.log(await page.title());
  await browser.close();
})().catch((e) => console.error(e));

Which produces (shortened):

[Symbol(kError)]: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 159.89.220.85 is not in the cert's list: 
      at new NodeError (node:internal/errors:371:5)
      at Object.checkServerIdentity (node:tls:346:12)
      at TLSSocket.onConnectSecure (node:_tls_wrap:1540:27)
      at TLSSocket.emit (node:events:390:28)
      at TLSSocket._finishInit (node:_tls_wrap:944:8)
      at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12) {
    reason: "IP: 159.89.220.85 is not in the cert's list: ",
    host: '159.89.220.85',

Puppeteer version

14.2.1

Node.js version

16.13.2

npm version

8.1.2

What operating system are you seeing the problem on?

macOS

Relevant log output

ErrorEvent {
  [Symbol(kTarget)]: WebSocket {
    _events: [Object: null prototype] { open: [Function], error: [Function] },
    _eventsCount: 2,
    _maxListeners: undefined,
    _binaryType: 'nodebuffer',
    _closeCode: 1006,
    _closeFrameReceived: false,
    _closeFrameSent: false,
    _closeMessage: <Buffer >,
    _closeTimer: null,
    _extensions: {},
    _paused: false,
    _protocol: '',
    _readyState: 3,
    _receiver: null,
    _sender: null,
    _socket: null,
    _bufferedAmount: 0,
    _isServer: false,
    _redirects: 0,
    _url: 'wss://159.89.220.85/?token=70abbadb-66e8-45cd-9c02-0bfb7457dd99',
    _originalSecure: true,
    _originalHost: '159.89.220.85',
    _req: null,
    [Symbol(kCapture)]: false
  },
  [Symbol(kType)]: 'error',
  [Symbol(kError)]: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 159.89.220.85 is not in the cert's list: 
      at new NodeError (node:internal/errors:371:5)
      at Object.checkServerIdentity (node:tls:346:12)
      at TLSSocket.onConnectSecure (node:_tls_wrap:1540:27)
      at TLSSocket.emit (node:events:390:28)
      at TLSSocket._finishInit (node:_tls_wrap:944:8)
      at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12) {
    reason: "IP: 159.89.220.85 is not in the cert's list: ",
    host: '159.89.220.85',
    cert: {
      subject: [Object: null prototype],
      issuer: [Object: null prototype],
      subjectaltname: 'DNS:api.browserless.io, DNS:chrome.browserless.io',
      infoAccess: [Object: null prototype],
      modulus: '9A3B34794B6BF030D3A27176999C920A936AF028BE5ACE27E0A3B3310B337468F7CA346FDD24E839AEBCD52F0BAA155341496D47FEC7CC027060AAEEBD9E63803DB748AA95C4FD20B864D80C31C6FC0E51681D1CD0F62FF744DC6BE2743D76648C23A37DFB0F226DA8E947D574A7ECC80F7B0DB509F476AF70050D44B87F7CE649ABAB6973D7329A75FA2CC704D0F30AF8938D5F0974E0A2E0727D81A9719FE61E169E4933D09047A72F92E2C49BC226708C4FE72CC3885CE1786901C7DC3985C4BA56E78590E3DBC3D6F6F5D439CEFA446EC8B09C82D2C9A4737C4181753DF54862B1155F18409C4652A3CDF9627F6BCAC9C799CAAE5C910432F389AD9B0B07',
      bits: 2048,
      exponent: '0x10001',
      pubkey: <Buffer 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9a 3b 34 79 4b 6b f0 30 d3 a2 71 76 99 9c 92 0a 93 ... 244 more bytes>,
      valid_from: 'Jun  2 09:44:48 2022 GMT',
      valid_to: 'Aug 31 09:44:47 2022 GMT',
      fingerprint: '54:3C:76:19:B6:0C:97:FF:C9:72:DF:15:6B:18:F7:8E:44:DD:E6:8A',
      fingerprint256: '69:9B:7B:68:DB:DE:A6:FB:04:8D:3F:36:21:6A:73:9A:CF:A9:5C:6F:1A:75:A2:95:B4:C0:4F:F5:8D:FB:2E:5B',
      ext_key_usage: [Array],
      serialNumber: '0313FAD85AA3EB3BA9DB9BD144A3E1FC6B83',
      raw: <Buffer 30 82 05 44 30 82 04 2c a0 03 02 01 02 02 12 03 13 fa d8 5a a3 eb 3b a9 db 9b d1 44 a3 e1 fc 6b 83 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 32 ... 1302 more bytes>,
      issuerCertificate: [Object]
    },
    code: 'ERR_TLS_CERT_ALTNAME_INVALID'
  },
  [Symbol(kMessage)]: "Hostname/IP does not match certificate's altnames: IP: 159.89.220.85 is not in the cert's list: "
}

[unlikelyzero]

Seeing this as well

[jrandolf]

Sorry about this! We'll get the fix up and running in the next release. For now, please freeze 14.2.0 and wait till the next release (next week Monday)!

[kenho85]

I have the same issue as well, also running 14.2.1

[JClackett]

Thank god I found this issue, trying to track down the issue caused some stress, downgrading to 14.1.2 fixes it, 14.2.0 has the same error.