I have an already long-running website secured by self-generated client certificates. It has been working for years without any problems with any browser like IE, Firefox and Chrome.
Since the last Chrome update (61.0.3163.100) the client certificates are rejected with the following error message:
This site can’t provide a secure connection
my.domain.com didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT
And the site continues to work fine with any other browser!
And I cannot find any relevant information out there.
I assume that Chrome just raised the minimal requirements for the client certificates, as it did for server certificates a few months ago, but I have no clue how to fix it.
Any hint what is wrong with my certificates?
many thanks
UPDATE 15DEC2017
I still had problems and did not find any answer out there.
After a while I figured out that Chrome does not like the client certificates generated by openssl ca.
I was generating the certificates like this:
openssl ca -config openssl.cnf -extensions client -batch -in test.req -out test.cer
I tried everything but I was not able to make it work with Chrome, but again, it worked with all other browsers.
Now I am generating the certificates like this:
openssl x509 -req -in test.req -CA ca.cer -CAkey ca.key -extensions client -extfile openssl.cnf -CAserial ca.srl -out test.cer -sha256
And it works! If I compare the output of openssl x509 -in test.cer -noout -text, there is NO difference!! So I am wondering what Chrome does not like about openssl ca.
I would prefer to use openssl ca over openssl x509 since I cannot use CRLs, and I also prefer startdate/enddate over days.
Any ideas?
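A check worth running before suspecting the browser, added here as an example and not part of the question: it verifies the certificate against the CA with OpenSSL's client-auth purpose rules, looks at the extensions and signature hash, and compares the raw DER encoding of two certificates, since the `-text` view normalises away some encoding differences. The file names and an OpenSSL CLI (1.1.1 or newer) on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not from the question above: before blaming the browser, check a
# client certificate against the properties a TLS client-auth validation looks at.
# Assumes an OpenSSL CLI (1.1.1 or newer) on PATH; ca.cer/test.cer are placeholders.

# Usage: check_client_cert <ca.cer> <client.cer>
# Returns 0 only if the cert chains to the CA AND is usable for TLS client auth.
check_client_cert() {
    ca="$1"; cert="$2"
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    # 1. Chain + purpose: -purpose sslclient also enforces the keyUsage /
    #    extendedKeyUsage rules OpenSSL applies to a client certificate.
    if ! openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify as an SSL client certificate against $ca"
        return 1
    fi
    # 2. extendedKeyUsage must explicitly list clientAuth.
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: extendedKeyUsage lacks clientAuth"
        return 1
    fi
    # 3. Signature hash: current browsers reject SHA-1-signed certificates.
    if printf '%s\n' "$text" | grep -qi 'Signature Algorithm: sha1'; then
        echo "FAIL: certificate is signed with SHA-1"
        return 1
    fi
    echo "OK: $cert is a usable client-auth certificate for $ca"
}

# Usage: diff_cert_encoding <a.cer> <b.cer>
# `x509 -text` prints names in one style regardless of the ASN.1 string types used,
# so two certs can look identical there yet differ on the wire; asn1parse shows the
# raw DER structure. Returns 0 when the encodings match, non-zero when they differ.
diff_cert_encoding() {
    a=$(mktemp); b=$(mktemp); rc=0
    openssl asn1parse -in "$1" > "$a"
    openssl asn1parse -in "$2" > "$b"
    diff "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return $rc
}
```

Run `check_client_cert ca.cer test.cer` on a certificate from each generation method; a FAIL line names the property the browser-side validation would trip over.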
I found this article on it from this website: https://productforums.google.com/forum/#!topic/chrome/TM0Tg0_YOvg
To solve this issue, try these steps:
1) Reset the browser by clearing out all data in the Internet Options of IE.
2) Remove all certificates related to the site you are trying to access... Chrome shares IE certs.
3) Make sure that you have internet access afterwards; if not, check the proxy settings if they apply.
4) Try to go to the same site again and, if it prompts for a certificate, insert the smart card or install the cert.
5) If it does not work you can remove all certs from Personal, but be careful removing certs from Intermediate and elsewhere.
This error means the certificate has a problem on the local machine you are using.
For DOD users, see https://militarycac.com/dodcerts.htm if there are more issues. I am able, using the steps I posted, to access DOD sites. Make sure you have the installroot3a exe installed as well.
All of a sudden I seem to have an issue with Google Chrome using localhost.
I'm trying to access any of my development sites (using Ampps) and I get the following error:
Your connection is not private Attackers might be trying to steal your
information from website.dev (for example, passwords, messages
or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID
When I visit any of the dev sites it is redirecting from http://website.dev to https://website.dev automatically. I'm not having any issue in Safari or Firefox so I don't understand what is going on.
I've tried re-installing Google Chrome, resetting it to the factory default settings...
I think it could be an issue with Keychain Access --> Certificates but wouldn't that mean it wouldn't work in Firefox and Safari if that was the case?
I've spent a while trying to find a solution but so far nothing has worked, so I would appreciate some suggestions on how I can fix this. I can't even proceed past this warning, as I don't get the proceed link (insecure) as shown below.
Navigate to
chrome://flags/#allow-insecure-localhost
and set this to enabled.
After playing around, I came up with one kind of a solution.
First, let's talk about the problem: the cause of this error is that both of us used a .dev domain for our local development. If you go here you will find out that the root .dev domain is owned by Google, and by applying HSTS in Chrome they enforce an https redirect for this domain. Since we use .dev domains, we get redirected to the https version and at the same time we don't have any actual certificates installed. So we see this annoying error. If you go to chrome://net-internals/#hsts you can check your .dev domain and you will actually find out that
static_sts_domain: dev
static_upgrade_mode: FORCE_HTTPS
static_sts_include_subdomains: true
which confirms that HSTS is enforced on *.dev indeed. The policy type is static and, as I understand, it's kind of hard-coded to https-redirect .dev domains.
So, there are at least 2 ways - get and set up an actual certificate somehow or just use another (not .dev) root domain in httpd-vhosts.conf for your local development (also don't forget to update /etc/hosts and launch apache again). I went another root domain route and it solved this issue.
This is really annoying to deal with, but mapping the local website to something other than .dev (I personally use .devo) does work and fixes the problem in Chrome. Also, you can add an exception for the page in Mozilla Firefox and not deal with this at all. It's only a problem on Chrome 63+.
The best solution is to not use .dev because it is owned by Google.
Here you can find an updated list of all claimed TLDs: https://www.rfc-editor.org/rfc/rfc6761
To be safe, choose an unclaimed TLD like .test or .localhost. You can read a useful blog post here: https://iyware.com/dont-use-dev-for-development/
I got the same bug because the CRL file was out of date; the solution is to update the CRL file.
You need to add the remote site's certificate to your local keystore.
To download the certificate from the remote site you will need keytool; open Git Bash as admin and run the command below to generate the certificate:
openssl s_client -showcerts -connect host:port
Save the output of the above command, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, to a .crt file.
To add the certificate to your local keystore, run the command below:
keytool -import -noprompt -trustcacerts -alias name_of_certificate -file "path_of_dot_crt_file" -keystore "C:\Program Files\Java\jdk1.8.0_192\jre\lib\security\cacerts" -storepass changeit
You can also add the downloaded certificate to your browser.
In my case, in order to solve the issue so that I can "Proceed to unsafe",
I needed to go to:
chrome://net-internals/#sockets
then click: "Close idle sockets", "Flush socket pools"
Afterwards go to:
chrome://net-internals/#dns
Then click "Clear host cache"
If it still doesn't work and you are a Mac user, try repeating the above after removing the localhost certificates using Apple's Keychain Access tool.
Is it possible to create a secure connection using motion? I have embedded my motion stream on an HTML page using Apache, but it will not display as it is an insecure iframe on a secure page. I can view the motion stream at
http://example.com:<Motion-Port>
but the embedded video at
https://example.com
will not display.
iFrame code:
<iframe src="http://example.com:<Motion-Port>" width="1300" height="740"></iframe>
The answer is to not use motion. It hasn't been updated in 3 years! Use ZoneMinder or iSpy instead.
I wish I had checked this before stubbornly pushing through Motion.
Yessir -- You can totally do this -- but you cannot do it with motion alone. Motion only does minimal auth. Essentially, it boils down to you need something to proxy the http stream, and wrap it in ssl.
Within node there is a somewhat dated package called mjpeg-proxy, which you can use as a middleware. https://github.com/vizzyy-org/mothership/blob/master/routes/cam.js#L27
Within java, you can do the same thing: make a call to your webserver which makes a call to the motion stream and then wraps the whole thing within an ssl connection back to the client. https://github.com/vizzyy-org/spring_react/blob/master/src/main/java/vizzyy/controller/VideoController.java#L54
Lastly, you can accomplish this with nginx or apache2. In Apache, it's just as simple as setting up mutual auth and then proxying to the stream. Here's my Apache config for 2-way SSL wrapping my stream:
<VirtualHost *:443>
ServerAdmin somehost
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AE$
SSLCompression off
SSLSessionTickets off
SSLCertificateFile server-cert.pem
SSLCertificateKeyFile server-key.pem
SSLVerifyClient require
SSLCACertificateFile "ca-bundle-client.crt"
ProxyPass "/video" "http://stream.local:9002"
ProxyPassReverse "/video" "http://stream.local:9002"
</VirtualHost>
It is important to note that all three of the above options must occur within your LAN/VPC/Locally, as otherwise you are exposing your stream. You gotta proxy it within your trusted network, and then expose the wrapped stream to the outside net.
Motion is still actively maintained here (last commit 25 days ago), and I had a similar problem.
Motion allows us to use HTTPS with the following settings:
# for web UI
webcontrol_tls on
webcontrol_cert /full/path/to/motion.crt
webcontrol_key /full/path/to/motion.key
# only for streams
# requires webcontrol_cert & webcontrol_key
stream_tls on
For local needs you can use it with self-signed certificate, as I did:
sudo apt -y install openssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out motion.crt -keyout motion.key
sudo chown motion:motion motion.crt
sudo chown motion:motion motion.key
Then edit motion.conf as described above and restart it.
Note: Motion will serve HTTPS only.
Hope it helps someone.
I am trying to install Cosmos on localhost, but I found a problem: I don't know how to follow these steps.
First I created the certs and PEM files, but in step 4 (move the .pem) I don't know which PEM to move, since I have two PEMs. And I tried to verify with openssl verify -CApath /etc/pki/tls/certs .pem for both PEMs, but it doesn't work.
Step 3: generating and installing the master node's certificate
The platform requires that a certificate for the master node, signed by a valid CA, be installed in order to be shown as an authentication proof. Thus, this certificate must be created by generating a Certificate Signing Request (CSR); do it once on the master node:
$ openssl req -newkey rsa:2048 -new -keyout newkey.pem -out newreq.pem
The above command will prompt for certain information; the most important information regarding the Cosmos platform is the name of the server (whichever hostname was chosen for the Cosmos master node) where the certificate is going to be installed, and that the challenge password must be empty. Although the PEM pass phrase must be empty (otherwise, the httpd server will not be automatically started), it has to be filled in this step and removed later by performing:
$ openssl rsa -in newkey.pem -out newkey.pem
Reached this point, you may choose among two options for signing the certificate:
Use a valid CA on the Internet. The content of the generated CSR (newreq.pem file) must be used with the CA in order to retrieve the final certificate, which will typically be called certnew.cer. The way each CA manages the CSR varies from one to another.
Self-signing the certificate. In this case, you have to perform this command:
$ openssl req -new -x509 -key newkey.pem -out certnew.cer
In any case, once the certificate (certnew.cer), key (newkey.pem) and CSR (newreq.pem) have been got, rename the files according to this (do it in all the machines):
$ cp newkey.pem [COSMOS_TMP_PATH]/puppet/modules/cosmos/files/environments/<my_environment>/certs/<cosmos-master-node>_key.pem
$ cp certnew.cer [COSMOS_TMP_PATH]/puppet/modules/cosmos/files/environments/<my_environment>/certs/<cosmos-master-node>_cer.pem
$ cp newreq.pem [COSMOS_TMP_PATH]/puppet/modules/cosmos/files/environments/<my_environment>/certs/<cosmos-master-node>_req.pem
Step 4: CA's certificate installation
The CA's certificate itself must be installed. Download it from the appropriate link (if you self-signed the master node's certificate, then that certificate is the CA's certificate as well) and do the following on the Cosmos master node:
Copy the CA's certificate (generic name <ca_cert>.pem) to the local certificates store and change directory to it:
$ mv <ca_cert>.pem /etc/pki/tls/certs
$ cd /etc/pki/tls/certs
Create a symbolic link for the CA's certificate. An 8-digit-number-based file will be created. It is very important the extension of this file is '.0':
$ ln -s <ca_cert>.pem `openssl x509 -hash -noout -in <ca_cert>.pem`.0
Verify the certificate has been successfully installed:
$ openssl verify -CApath /etc/pki/tls/certs <ca_cert>.pem
xxxxxxxx.0: OK
You must see an 8-digit hash .0 file followed by "OK".
Alejandro, Cosmos is an enabler that is extremely recommended to be used through the already deployed instance at FIWARE LAB. Please refer to this link in order to create an account and start working with it.
Domain: https://www.amz2btc.com
Analysis from SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=amz2btc.com
All my desktop browsers open this fine. Mobile Firefox opens this fine. Only when I tried with mobile Chrome did I get the error: err_cert_authority_invalid
I know very little about SSL, so I can't really make sense of the SSL report or why this error is coming up. If someone could ELI5, that would be ideal. :)
I just spent the morning dealing with this. The problem wasn't that I had a certificate missing. It was that I had an extra.
I started out with my ssl.conf containing my server key and three files provided by my SSL certificate authority:
# Server Certificate:
SSLCertificateFile /etc/pki/tls/certs/myserver.cer
# Server Private Key:
SSLCertificateKeyFile /etc/pki/tls/private/myserver.key
# Server Certificate Chain:
SSLCertificateChainFile /etc/pki/tls/certs/AddTrustExternalCARoot.pem
# Certificate Authority (CA):
SSLCACertificateFile /etc/pki/tls/certs/InCommonServerCA.pem
It worked fine on desktops, but Chrome on Android gave me err_cert_authority_invalid
A lot of headaches, searching and poor documentation later, I figured out that it was the Server Certificate Chain:
SSLCertificateChainFile /etc/pki/tls/certs/AddTrustExternalCARoot.pem
That was creating a second certificate chain which was incomplete. I commented out that line, leaving me with
# Server Certificate:
SSLCertificateFile /etc/pki/tls/certs/myserver.cer
# Server Private Key:
SSLCertificateKeyFile /etc/pki/tls/private/myserver.key
# Certificate Authority (CA):
SSLCACertificateFile /etc/pki/tls/certs/InCommonServerCA.pem
and now it's working on Android again. This was on Linux running Apache 2.2.
I had this same problem while hosting a web site via Parse and using a Comodo SSL cert resold by NameCheap.
You will receive two cert files inside of a zip folder:
www_yourdomain_com.ca-bundle
www_yourdomain_com.crt
You can only upload one file to Parse:
Parse SSL Cert Input Box
In terminal combine the two files using:
cat www_yourdomain_com.crt www_yourdomain_com.ca-bundle > www_yourdomain_com_combine.crt
Then upload to Parse. This should fix the issue with Android Chrome and Firefox browsers. You can verify that it worked by testing it at https://www.sslchecker.com/sslchecker
For those having this problem on IIS servers.
Explanation: sometimes certificates carry a URL of an intermediate certificate instead of the actual certificate. Desktop browsers can DOWNLOAD the missing intermediate certificate using this URL. But older mobile browsers are unable to do that, so they throw this warning.
You need to
1) make sure all intermediate certificates are served by the server
2) disable unneeded certification paths in IIS - Under "Trusted Root Certification Authorities", you need to "disable all purposes" for the certificate that triggers the download.
PS. My colleague has written a blog post with more detailed steps: https://www.jitbit.com/maxblog/21-errcertauthorityinvalid-on-android-and-iis/
The report from SSLabs says:
This server's certificate chain is incomplete. Grade capped to B.
....
Chain Issues Incomplete
Desktop browsers often have chain certificates cached from previous connections or download them from the URL specified in the certificate. Mobile browsers and other applications usually don't.
Fix your chain by including the missing certificates and everything should be right.
I hope I am not too late; this solution worked for me. I am using COMODO SSL, and the above solutions seem to become invalid over time. My website: lifetanstic.co.ke
Instead of contacting Comodo Support to obtain a CA bundle file, you can do the following:
When You get your new SSL cert from Comodo (by mail) they have a zip file attached. You need to unzip the zip-file and open the following files in a text editor like notepad:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
Then copy the text of each ".crt" file and paste the texts one above the other in the "Certificate Authority Bundle (optional)" field.
After that just add the SSL cert as usual in the "Certificate" field and click at "Autofil by Certificate" button and hit "Install".
Inspired by this gist: https://gist.github.com/ipedrazas/6d6c31144636d586dcc3
I also had a problem with the chain and managed to solve using this guide https://gist.github.com/bradmontgomery/6487319
If you're like me and use AWS and CloudFront, here's how to solve the issue. It's similar to what others have shared, except you don't use your domain's crt file, just what Comodo emailed you.
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
This worked for me and my site no longer displays the SSL warning on Chrome on Android.
A decent way to check whether there is an issue in your certificate chain is to use this website:
https://www.digicert.com/help/
Plug in your test URL and it will tell you what may be wrong. We had an issue with the same symptom as you, and our issue was diagnosed as being due to intermediate certificates.
SSL Certificate is not trusted
The certificate is not signed by a trusted authority (checking against
Mozilla's root store). If you bought the certificate from a trusted
authority, you probably just need to install one or more Intermediate
certificates. Contact your certificate provider for assistance doing
this for your server platform.
I solved my problem with these commands:
cat __mydomain_com.crt __mydomain_com.ca-bundle > __mydomain_com_combine.crt
and after:
cat __mydomain_com_combine.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > mydomain.pem
And in my domain nginx .conf I put on the server 443:
ssl_certificate ssl/mydomain.pem;
ssl_certificate_key ssl/mydomain.private.key;
Don't forget to restart your Nginx:
service nginx restart
I had the same problem but the response made by Mike A helped me to figure it out:
I had my certificate, an intermediate certificate (Gandi), another intermediate (UserTrustRSA) and finally the RootCA certificate (AddTrust).
So first I made a chain file with Gandi+UserTrustRSA+AddTrust and specified it with SSLCertificateChainFile. But it didn't work.
So I tried MikeA's answer by just putting the AddTrust cert in a file, specifying it with SSLCACertificateFile and removing SSLCertificateChainFile. But it didn't work.
So finally I made a chain file with only Gandi+UserTrustRSA specified by SSLCertificateChainFile and another file with only the RootCA specified by SSLCACertificateFile, and it worked.
# Server Certificate:
SSLCertificateFile /etc/ssl/apache/myserver.cer
# Server Private Key:
SSLCertificateKeyFile /etc/ssl/apache/myserver.key
# Server Certificate Chain:
SSLCertificateChainFile /etc/ssl/apache/Gandi+UserTrustRSA.pem
# Certificate Authority (CA):
SSLCACertificateFile /etc/ssl/apache/AddTrust.pem
Seems logical when you read but hope it helps.
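The `cat ... > bundle` recipes and the SSLCertificateChainFile / ssl_certificate files above all depend on the certificates being in the right order with no intermediate missing. The following script, added here as an example and not taken from any answer, checks exactly that for a PEM bundle; the file names and an OpenSSL CLI (1.1.1 or newer) on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not from any answer above: check that a concatenated PEM bundle
# (what the `cat ... > bundle` recipes produce, or the file given to
# SSLCertificateChainFile / ssl_certificate) is in the order TLS clients expect:
# leaf first, then each issuer in turn, with no missing intermediate.
# Assumes an OpenSSL CLI (1.1.1 or newer) on PATH; file names are placeholders.

# Split <bundle> into one file per certificate: <dir>/cert-1.pem, <dir>/cert-2.pem, ...
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; in_cert = 1 }
        in_cert { print > f }
        /-----END CERTIFICATE-----/ { close(f); in_cert = 0 }' "$1"
}

# Usage: check_bundle <bundle.pem> <trusted-root.pem>
# Returns 0 only if certificate i is issued by certificate i+1 for every i, and the
# leaf verifies against the trusted root using only the intermediates in the bundle
# (no cached or URL-fetched ones, which is how the mobile clients above behave).
check_bundle() {
    bundle="$1"; root="$2"
    dir=$(mktemp -d)
    split_bundle "$bundle" "$dir"
    n=$(ls "$dir" | wc -l | tr -d ' ')
    if [ "$n" -lt 1 ]; then echo "FAIL: no certificates in $bundle"; rm -rf "$dir"; return 1; fi
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject)
        # Output is "issuer=<name>" and "subject=<name>"; compare the names only.
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "FAIL: certificate $i ($issuer) is not issued by certificate $((i + 1)) ($subject)"
            rm -rf "$dir"; return 1
        fi
        i=$((i + 1))
    done
    # -untrusted restricts path building to what the bundle itself carries.
    if ! openssl verify -CAfile "$root" -untrusted "$bundle" "$dir/cert-1.pem" >/dev/null 2>&1; then
        echo "FAIL: leaf does not verify against $root with the bundle's intermediates"
        rm -rf "$dir"; return 1
    fi
    echo "OK: $n certificate(s), leaf first, chain complete"
    rm -rf "$dir"
}
```

A bundle that passes here still has to be the one the server actually serves; the SSL Labs "Chain Issues" line quoted above is the check for that side.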
I guess you should install the CA certificate from one of the authority centers:
ssl_trusted_certificate ssl/SSL_CA_Bundle.pem;
Just do the following for Version 44.0.2403.155 dev-m
Privacy -->Content settings -->Do not allow any site to run JavaScript
Problem Solved
I have created a basic Chrome extension and it generated a key.pem file.
Is there any way to password protect the key.pem file so I get prompted each time I want to install this extension on Google Chrome?
I've tried using the following; where I enter a password used to protect the file, but when I try to package this extension it says "invalid private key"
openssl genrsa -des3 -out key.pem 2048
Any help is appreciated.
Thanks
Does this thread help?
http://productforums.google.com/d/msg/chrome/bKoAAPX4iVA/aXZ_Cy0TJ3kJ
I'm not sure if this still works with the latest Chrome, but it was posted October 2012 so it probably does.
Hope this helps :)
Edit: sorry if this is completely not what you were hoping for :)