ajoo Posted April 22, 2020

Hi all! I have been trying to use a self-signed certificate on my VM for testing. I have tried to do so by following the tutorial here and with utter failure. No matter what I try, the self-signed certificate simply won't change the URL bar to the safe green. I always end up with the "your connection is not private" message. The URL says not secure instead of the green padlock and the https is crossed out by 2 lines. It leaves me wondering if self-signed certificates are not accepted by Chrome or Firefox any longer. Has anyone else suffered from a similar problem and have some words of advice for me? Thanks loads!!
ajoo Posted April 22, 2020

The following is the error that I have been receiving.

> Your connection is not private
> Attackers might be trying to steal your information from testnode.dev (for example, passwords, messages, or credit cards). Learn more
> NET::ERR_CERT_AUTHORITY_INVALID

Hopefully someone can suggest something. Thanks!
requinix Posted April 22, 2020

You will get the warning when your computer does not trust the signing authority. Which is the case for self-signed certificates. The certificate functions, it's just not trustworthy.

You can download and store the public key on your computer and tell it to trust that. Or you can create a certificate signing authority, trust that, then have it create the cert. Or you can get a certificate by Let's Encrypt, if there's a way to get the domain name publicly exposed.
ajoo Posted April 23, 2020

Hi requinix!! Thanks for the response! I hope you are doing good. I have already read up on what you mention but it's confusing. I have already generated a self-signed certificate. On my VM localhost I have the following so far:

At /etc/pki/tls/certs/ : testnode.csr, testnode.pem, testnode.conf and testnode.combined.pem
At /etc/pki/tls/private/testnode.key

> You can download and store the public key on your computer and tell it to trust that

So do I need to download /etc/pki/tls/private/testnode.key from the VM onto my host computer? On some of the questions answered on Stack Exchange, they mention a key like root_CA.key / root_CA.pem. I don't know if that is the key you are talking about. I don't see that being generated on my computer.

> Or you can create a certificate signing authority, trust that

How can I do this? Maybe a thread or an article / tutorial on this that you can point to. I'd be happy. I will try out the Let's Encrypt bit later with an actual domain. Thanks loads and keep safe. 🙏

Edited April 23, 2020 by ajoo
requinix Posted April 23, 2020

Private keys are private. Keep them that way.

IIRC you take the public key from the server and install it on your computer. Then, when your browser sees that and asks your computer what to do, your computer can say that it's trusted.

For creating a certificate authority... nevermind. It's going to be too much work. Do the Let's Encrypt thing, or if you can't then the install thing.
ajoo Posted April 23, 2020

> IIRC you take the public key

😕 So which is the public key!? Surely you wouldn't be referring to the public key of the server?? Where and how to install it on the computer?

Meanwhile I looked up another certificate issuer that professes to be there only for the localhost testing as of now, namely mkcert. It comes bundled with the trust authority and is easily installed. It is, except that the end result was still the same. Chrome did not accept and gave the same error as before.

Sorry if my questions are too noobish but this is totally new to me. Thanks!
kicken Posted April 23, 2020

Keep in mind that if your web server is a different computer than the one you're browsing on, you need to install the CA on the computer you're browsing on, not the web server. The same may be true if it's the same computer but different user accounts.
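The local-CA route discussed above, as an added example that is not part of any post in this thread: it creates a throwaway CA, has it sign a certificate for testnode.dev, and checks the chain with and without the CA certificate as a trust anchor. It assumes the OpenSSL 1.1.1 or later command line; the file names and the CA name are constructed.

```shell
#!/usr/bin/env bash
# Added example. File names and the CA name are constructed; testnode.dev is from the thread.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

cat > "$W/ssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:testnode.dev
EOF

make_ca() {   # ca.key stays on the signing machine; ca.crt is the file clients import
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$W/ssl.cnf" \
    -subj "/CN=Local Test CA" -keyout "$W/ca.key" -out "$W/ca.crt" 2>/dev/null
}

make_leaf() { # server key and CSR, then the CA signs the CSR and adds the SAN
  openssl req -new -newkey rsa:2048 -nodes -config "$W/ssl.cnf" \
    -subj "/CN=testnode.dev" -keyout "$W/leaf.key" -out "$W/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$W/leaf.csr" -CA "$W/ca.crt" -CAkey "$W/ca.key" \
    -CAcreateserial -days 30 -extfile "$W/ssl.cnf" -extensions leaf_ext \
    -out "$W/leaf.crt" 2>/dev/null
}

# The client-side decision: does leaf.crt chain to a trusted root?
# With no argument only the system trust store is used; $1 adds one more trusted CA file.
verify_leaf() {
  if [ $# -eq 0 ]; then openssl verify "$W/leaf.crt"
  else openssl verify -CAfile "$1" "$W/leaf.crt"; fi >/dev/null 2>&1
}

leaf_san() {  # host names the certificate is valid for
  openssl x509 -in "$W/leaf.crt" -noout -text | grep -o 'DNS:[^, ]*'
}

make_ca; make_leaf
verify_leaf && echo "CA not imported: accepted" || echo "CA not imported: rejected"
verify_leaf "$W/ca.crt" && echo "CA imported: accepted" || echo "CA imported: rejected"
echo "SAN: $(leaf_san)"
```

The rejected case corresponds to the browser's NET::ERR_CERT_AUTHORITY_INVALID; the only file that moves to the browsing machine's trust store is `ca.crt`, and neither `.key` file leaves the machine that generated it.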
ajoo Posted April 24, 2020

Hi Kicken, thanks for the reply. I have a VM instance on my computer so that makes the VM to be another computer. The certificates and the key are on the VM hosting the site as that's how they are placed by default there when they are installed.

Possibly the certificate, which I believe holds the key, needs to be uploaded to the main machine from where I browse the site and installed there as well for self-signed certificates, though I don't know for sure and I don't know where. Possibly in the trusted certificates somewhere in the control panel and possibly in the browser too.

Maybe you can confirm or refute some of the points I make above. Thanks!
requinix Posted April 24, 2020

As a very simple and hopefully straightforward approach, try copying the certificate file to your computer and just seeing what sorts of things you can do with it. You assume you know how to right-click?
ajoo Posted April 24, 2020

Hi! So I got the certificate to my Windows machine and installed it. The hosts file on the machine has an entry for my locally hosted website. And while I got the padlock I got a 404 error message.

I'd like to mention that I am using Vagrant to spin up 2 machines for me, a host and a server. I then use the host to set up the server using Ansible. Thus my server is twice removed from my Windows machine. I then copied the keys as suggested by requinix from the server to my Windows machine and got the result shown above.

I hope someone can suggest what issues could be causing this 404 error. Thanks!
requinix Posted April 24, 2020

The 404 has nothing to do with the SSL certificate. The problem is somewhere in your web server configuration.
ajoo Posted April 24, 2020

Hi, could you please suggest where I may begin checking on my server? Thanks
requinix Posted April 24, 2020

You begin checking the web server configuration. Web. I don't recommend starting with the cronjob or syslog configuration.
ajoo Posted April 25, 2020

Thanks requinix. So while I got this working, strangely I still have httpd -t -c httpd.conf give the following :- and the file at is neither empty nor missing and is also the right format. Incidentally, this same certificate I used in my Windows 10 that gave the lock.

Also shouldn't a syntax error cause the server to not restart or reload? Any suggestions how this can be further investigated? Anything else that I look into? My logs, all of them are set to warn and were totally clear. Thanks loads!

Edited April 25, 2020 by ajoo
requinix Posted April 25, 2020

> 7 hours ago, ajoo said: and the file at is neither empty nor missing

I can't help but notice you had to sudo to access the file. Think about what that might mean.

> 7 hours ago, ajoo said: Also shouldn't a syntax error cause the server to not restart or reload?

Maybe. Maybe not. I'm not the one who designed it. There might be a reason they made it just a warning.
ajoo Posted May 1, 2020

hmm, 👍 Thank you.