Chromium (Chrome, Brave) on mobile stopped trusting my local LetsEncrypt certificates - ssl

I have registered a wildcard certificate for *.dev.example.com which I use on my locally installed nginx server, to serve websites and to be able to test them on all devices (Android, iOS, etc.).
The workflow is as follows (briefly):
The router's dnsmasq is configured to route all *.dev.example.com requests to 192.168.1.xxx
192.168.1.xxx runs nginx, which is configured to use the wildcard certificates for *.dev.example.com
Accessing https://dev.example.com and https://xxx.dev.example.com from any device within the LAN worked without problems.
Now, as of today, Google (Brave) is denying the certificate and won't request the URL properly -> nginx returns "File not found".
If I call the URL from an Android REST client (like Restler), or from Firefox or Opera, everything works as expected.
Has anything changed in Chromium regarding this matter?

The problem was that Brave had "Use secure DNS" enabled (maybe through a recent update), which circumvented my router's DNS settings.
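A quick way to confirm the diagnosis above is to resolve the internal name twice, once through the OS resolver (the router's dnsmasq) and once through a public DNS-over-HTTPS resolver, and compare the answers. This is an added example, not code from the original post; it assumes Google's DoH JSON endpoint (https://dns.google/resolve) and a constructed host name app.dev.example.com.

```python
import ipaddress
import json
import socket
import urllib.request

# Google's public DNS-over-HTTPS JSON endpoint (real URL; any DoH-JSON resolver works).
DOH_JSON = "https://dns.google/resolve"


def system_lookup(name: str) -> set[str]:
    """IPv4 answers from the OS resolver, i.e. whatever DHCP handed out (the router's dnsmasq)."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def doh_lookup(name: str) -> set[str]:
    """IPv4 answers from a public DoH resolver: what a browser with 'Use secure DNS' sees."""
    with urllib.request.urlopen(f"{DOH_JSON}?name={name}&type=A", timeout=5) as resp:
        body = json.load(resp)
    return {rr["data"] for rr in body.get("Answer", []) if rr.get("type") == 1}


def diagnose(system: set[str], public: set[str]) -> str:
    """Classify the two answer sets; the tag says what a DoH-enabled browser will experience."""
    if not system:
        return "unresolvable"          # not even the LAN resolver knows the name
    if system == public:
        return "consistent"            # DoH changes nothing
    lan_private = all(ipaddress.ip_address(ip).is_private for ip in system)
    if not public:
        # LAN-only name (RFC 1918 answer) that public DNS cannot see: DoH yields NXDOMAIN.
        return "split-horizon-nxdomain" if lan_private else "public-nxdomain"
    # Public DNS answers something else: a DoH browser talks to a different server,
    # so the wildcard certificate and nginx vhost on the LAN box are never reached.
    return "split-horizon-divergent"


if __name__ == "__main__":
    host = "app.dev.example.com"  # constructed; replace with your own internal name
    lan, doh = system_lookup(host), doh_lookup(host)
    print(f"{host}: system={sorted(lan)} doh={sorted(doh)} -> {diagnose(lan, doh)}")
```

A "split-horizon-nxdomain" result is exactly the situation in the thread: the name only exists on the router, so any client that resolves elsewhere never reaches the LAN nginx.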

Related

SEC_ERROR_UNKNOWN_ISSUER (Firefox) / NET::ERR_CERT_AUTHORITY_INVALID (IE) at local web server

I am running a TWiki installation on a CentOS 9 server that is accessible from our own network via http://twiki.
It is not accessible from outside.
I regularly get the warning SEC_ERROR_UNKNOWN_ISSUER (Firefox) or NET::ERR_CERT_AUTHORITY_INVALID (Internet Explorer, Edge). Of course I can ignore the warning, but after a while it pops up again and that's quite annoying for me.
What can I do to prevent this? I don't actually need https, http would suffice, but I always get redirected to the https version. Is this something the browser does? Or can I configure the web server (Apache) to prevent this?
To be honest, I'm not really a webmaster or network expert. I just need to get TWiki working. What I've found out so far is that I'm getting the warning because I self-signed my SSL certificate and there is no known trusted author. I also can't get a signed SSL certificate because my server doesn't have a domain like .com or something.
If possible, I would prefer a solution on the server so that each user doesn't have to configure their browser.

ERR_SSL_PROTOCOL and SSL_ERROR_RX_RECORD_TOO_LONG with a specific ISP only

When accessing https://mcgillcrm.com some users are seeing this in Chrome: ERR_SSL_PROTOCOL, and this in Firefox: SSL_ERROR_RX_RECORD_TOO_LONG.
But it only happens when they access the site through a specific ISP (Videotron).
When the site is accessed via a hotspot or when connected to a different ISP it works fine, and it also works if the user is using a Windows machine instead of a Mac.
I verified with SSL Labs, checked port 443 and compared against another site where it doesn't throw this error, and everything seems fine.
We have a 301 redirect to HTTPS and I double-checked that users really type https:// when accessing the website, but it still doesn't work.
How is the connection done to the ISP vs. how is the connection done to a different ISP or mobile network?
Mac user connects to the wireless modem: SSL errors come up.
Mac user connects to the wireless mobile hotspot: no error comes up.
Update 12 Oct 2022
We re-installed a new certificate from scratch and this one is not showing 'self signed' anywhere. Will see if it helps.
HTTPS is end-to-end encryption and integrity protection. It should not depend on the ISP used by the client. If it is specific only to the ISP or specific clients then something is messed up at their end, like some middleboxes or antivirus interfering with the connection, a captive portal asking the client to acknowledge some rules first, DNS resolution pointing to a different IP than yours etc. There is nothing you can do from the server end against this, since maybe the server is not even reached by the client.
Problem turned out to be with safebrowse.io, which was somehow caching the incorrect certificate (clearing the SSL cert in Chrome didn't help).
It in turn affected other browsers too, like Firefox. So once the incorrect cert was cached, it flagged it globally as an unsafe site.
It looks like it was cached inside the logged-in user's Chrome profile (Google Workspace account).
The solution was to log in as Guest > go to the website > click 'Proceed anyway' > restart Chrome.
This looks like a serious design flaw with safebrowse.io; why/how it caches SSL certificates in the Chrome profile is unclear. This should have worked while accessing the website in Chrome incognito, but it didn't.
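The answer above says the only useful move is to find out what the affected client actually receives on port 443. The probe below does that: it records the SHA-256 fingerprint of whatever certificate is presented (to compare against the one SSL Labs reports and against a hotspot run), and if the TLS handshake fails it reads the first bytes of a cleartext reply, because a plain "HTTP/" answer on 443 is the usual cause of SSL_ERROR_RX_RECORD_TOO_LONG. This is an added example, not code from the thread; the only page value it uses is the host name mcgillcrm.com.

```python
import hashlib
import socket
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 of the DER certificate, the form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def classify_reply(first_bytes: bytes) -> str:
    """What is actually answering on port 443? A TLS record starts with 0x16 (handshake);
    a cleartext 'HTTP/' answer is what makes Firefox report SSL_ERROR_RX_RECORD_TOO_LONG."""
    if first_bytes[:1] == b"\x16":
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe(host: str, port: int = 443) -> dict:
    """Run from the affected ISP and from a hotspot, then compare the two dicts."""
    # Verification is disabled on purpose: we want the fingerprint of whatever cert is
    # presented, even a bogus one, so that two vantage points can be compared.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return {"kind": "tls", "fingerprint": sha256_fingerprint(der),
                        "protocol": tls.version(), "error": None}
    except ssl.SSLError as err:
        # Handshake broke: reconnect and look at the first bytes of a cleartext reply.
        with socket.create_connection((host, port), timeout=10) as sock:
            sock.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            head = sock.recv(16)
        return {"kind": classify_reply(head), "fingerprint": None,
                "protocol": None, "error": str(err)}


if __name__ == "__main__":
    print(probe("mcgillcrm.com"))  # host name from the thread above
```

If the fingerprint differs between the two networks, something on the ISP path is substituting the certificate; if the ISP run returns "plaintext-http", a captive portal or proxy is answering instead of the server.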

How to enable HTTPS for my web application hosted on Google Cloud

I acquired an SSL certificate through a certificate authority and later installed it on Google Cloud.
Still, my application is not accessible through HTTPS.
www.eventic.in works but https://www.eventic.in doesn't work.
Can you please assist me in enabling HTTPS?
I want this site to be available only through HTTPS. Even if someone accesses it without HTTPS, it should be redirected to HTTPS.
From the image I see you're configuring your certificates in Google App Engine Custom domains. Please note that Compute Engine (where your VM is) and App Engine are different products. Also it is possible that you're following this doc, which is intended for App Engine and not for a VM.
Since you may want to set your certificates in a VM, that configuration remains on the web server you're using (NGINX, Apache, etc.). Also, checking your URL https://www.eventic.in, I'm sure port 443 is not configured, since that port is generally used for HTTPS.
You may want to look into how to configure SSL for the solution you have running in your VM.

How can I access a self-signed webserver using SSL but from another computer on LAN?

Problem: since Chrome updated a while back (version 58?), I'm not able to access my computer's development Express web server over HTTPS from a remote machine on the same private LAN.
I have created a self-signed certificate on the server (my laptop), and it works great from the same machine via https://localhost:8383 (the local SSL port).
In the past I could bypass the warning on a remote machine on the same network but it has stopped working.
I've gone through the steps of creating a local secure DNS server on my own router with DD-WRT, and self-signed a new certificate with SAN so I could use a DNS host name to access it without specifying an IP address.
I'm able to get to the page after bypassing the message that warns the site's SSL certificate could not be verified. But that's not good enough, because while the site will load, the underlying WebSocket service I'm using on the same port does not work, and so the application loads but is broken on the remote machine. It still works on the local machine because the certificate is valid.
It seems the issue centers around WebSockets within Express.
Any guidance would be greatly appreciated! This is a strictly secure environment that's meant to be used on a private network, and it makes no sense for me to spend a bunch of money on a public certificate, if that even matters.
Thank you.
It appears that the issue is with mobile Chrome and Safari on iOS -- I can get untrusted SSL certificates to work with WebSockets from another computer on the same network with the latest versions of Chrome and Safari. But on iOS (iPads and iPhones), the page will load after being prompted, but WebSockets FAIL to function whatsoever.
I've found a couple of other people having this issue.
My workaround for this problem was to revert away from SSL for my private network and completely avoid self-signed certificates.
In a private environment this is OK.

Forwarding HTTPS from Plesk to AWS EC2

I'm quite new to setting up and managing websites, domains and stuff.
I purchased a domain (let's say example.de) and registered it on my vServer running Parallels Plesk. As I need secure access, I requested and created an SSL certificate at startssl.com. The developed application (Spring Boot) runs on an EC2 instance at AWS. The product website runs on an Apache web server on an EC2 instance. I need to secure both the app (app.example.de) and the website (example.de) using SSL.
What I want to achieve is a redirect from the domain https://example.de to the EC2 instance. I already tried several things; some I remember from the trial-and-error marathon:
Configure Plesk frame-forwarding the traffic on https://example.de to the EC2 IP
Obviously the browser warns me that the certificate is issued for example.de and not for and classifies the traffic as insecure. Same as when accessing it like https://...
I also uploaded the certificate at Plesk - also without success
Is there a solution for my setup? Or do I need (or is it recommended) to use Amazon Route 53 for that task? It would be nice if someone could guide me and provide some tips, as I am pretty new to these topics.
Thanks
It seems there is no way around AWS Route 53.
I figured out that there is an extension for Plesk that is designed to route traffic using Route 53, and even a nice manual article on the Plesk homepage on how to use any external DNS and also the Route 53 extension. As this extension requires a newer version of Plesk than the one I am using, I wasn't able to install it. I am pretty much bound to this version, so an update didn't come into question. I cannot tell for sure whether using this extension solves my initial problem, but it seems to be a potential solution.
The most simplistic solution (at least for me):
I ended up moving my domain to AWS, created a hosted zone, added a record set with the IP of the EC2 instance and the DNS servers provided by the hosted zone. Everything is now working like a charm.
Some more background: the product website and app frontend are running inside an Apache where I installed mod_ssl and configured SSL access. The application backend runs as a Spring Boot app in a Tomcat where I also configured SSL using a TomcatConnectorCustomizer.
This setup works for my scenario.