selfsigned nightmares !

[ajoo]

Hi all !

I have been trying to use selfsigned cerificate on my VM for testing. I have tried to do so by following the tutorial here and with utter failiure. No matter what I try, the selfsigned certificate simply won't change the URL bar to the safe green. I always end up with the "your connection is not private" message. The URL says not secure instead of the green padloc and the https is crossed out by 2 lines. it leaves me wondering if selfsigned certficates are not accepted by chrome or firefox any longer. Has anyone else suffered from a similar problem and can have some words of advice for me ! 

Thanks loads !! 

  

[ajoo]

The following is the error that In have been receiving. 

Quote

Your connection is not private

Attackers might be trying to steal your information from testnode.dev (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID

Hopefully someone can suggest something.

Thanks !

[requinix]

You will get the warning when your computer does not trust the signing authority. Which is the case for self-signed certificates. The certificate functions, it's just not trustworthy.

You can download and store the public key on your computer and tell it to trust that. Or you can create a certificate signing authority, trust that, then have it create the cert. Or you can get a certificate by Let's Encrypt, if there's a way to get the domain name publicly exposed.

[ajoo]

Hi requinix !!

Thanks for the response ! I hope you are doing good. 

I have already read up on what you mention but i it's confusing.

I have already generated a selfsignied certficate. On my VM localhost I have the following so far:

At /etc/pki/tls/certs/ : testnode.csr, testnode.pem, testnode.conf and testnode.combined.pem

At /etc/pki/tls/private/testnode.key 

Quote

You can download and store the public key on your computer and tell it to trust that

So do i need to download /etc/pki/tls/private/testnode.key from the VM onto my host computer ? On some of the questions answered on stack exchange, the mention a key like root_CA.key / root_CA.pem I don't know if that is the key you are talking about. I don't see that being generated on my computer.

Quote

Or you can create a certificate signing authority, trust that

How can I do this ? Maybe a thread or an article / tutorial on this that you can point to. I'ld be happy. 

I will try out the Letsencrypt bit later with an actual domain.

Thanks loads and keep safe. 🙏

 

 

Edited April 23, 2020 by ajoo

[requinix]

Private keys are private. Keep them that way. IIRC you take the public key from the server and install it on your computer. Then, when your browser sees that and asks your computer what to do, your computer can say that it's trusted.

For creating a certificate authority... nevermind. It's going to be too much work. Do the Let's Encrypt thing, or if you can't then the install thing.

[ajoo]

Quote

IIRC you take the public key

😕 so which is the public key !? surely you woudn't be referring to the public key of the server ?? where and how to install it on the computer ?

Meanwhile I looked up another certificate issuer that professes to be there only for the localhost testing as of now, namely mkcert. It comes bundled with the trust authority and is easily installed. It is, except that the end result was still the same. Chrome did not accept and gave the same error as before. 

Sorry if my questions are too noobish but this is totally new to me.

Thanks ! 

[kicken]

Keep in mind that if your web server is a different computer than the one your browsing on, you need to install the CA on the computer your browsing on, not the web server.  The same may be true if it's the same computer but different user accounts.

 

[ajoo]

Hi Kicken, 

Thanks for the reply. 

I have a VM instance on my computer so that makes the VM to be another computer. The certificates and the key are on the VM hosting the site as that's how they are placed by default there when they are be installed. Possibly the certificate, which i believe holds the key, needs to be uploaded to the main machine from where I browse the site and installed there as well for selfsigned certificates though I don't know for sure and I don't know where. Possibly in the trusted certificates somewhere in the control panel and possibly in the browser too. 

Maybe you can confirm or refute some of the points I make above. Thanks !    

[requinix]

As a very simple and hopefully straightforward approach, try copying the certificate file to your computer and just seeing what sorts of things you can do with it. You assume you know how to right-click?

[ajoo]

Hi !

SO i got the certificate to my windows machine and installed it. The hosts file on the machine has an entry for my locally hosted website. And while I got the padlock I got a 404 error message. 

 

I'ld like to mention that I am using vagrant to spin up 2  machines for me, a host and a server.  I then use the host to setup the server using ansible. Thus my server is twice removed from my windows machine. I then copied the keys as suggested by requinix from the server to my windows machine and got the result shown above. 

I hope someone can suggest what issues could be causing this 404 error.

Thanks !

 

[requinix]

The 404 has nothing to do with the SSL certificate. The problem is somewhere in your web server configuration.

[ajoo]

Hi, could you please suggest where i may begin checking on my server?

Thanks

 

[requinix]

You begin checking the web server configuration. Web. I don't recommend starting with the cronjob or syslog configuration.

[ajoo]

Thanks requinix, 

So while I got this working, strangely I still have   

httpd -t -c httpd.conf give the following :-

and the file at 

 is neither empty nor missing and is also the right format. Incidentally, this same certificate I used in my windows 10 that gave the lock.

Also shouldn't a syntax error cause the server to not restart or reload? 

Any suggestions how this can be further invetigated? Anything else that I look into ? My logs, all of them are set to warn and were totally clear. 

Thanks loads ! 

Edited April 25, 2020 by ajoo

[requinix]

7 hours ago, ajoo said:

and the file at 

 is neither empty nor missing

I can't help but notice you had to sudo to access the file. Think about what that mmight mean.

7 hours ago, ajoo said:

Also shouldn't a syntax error cause the server to not restart or reload?

Maybe. Maybe not. I'm not the one who designed it. There might be a reason they made it just a warning.

[ajoo]

hmm, 👍 

Thank you.