I'm working on automating a web application (F# and Canopy). Getting 'Your connection is not private' screen upon launching the website/ after providing login credentials. Tried a few workaround to have the same disabled, but none did the job. Please help.
The best approach here is not try to hide or cover up the problem, but to fix it properly so you don't have to. Solutions that involve hiding the issue are necessarily going to adversely affect your security.
Note the wording of the error code: ERR_CERT_AUTHORITY_INVALID. That tells us that the certificate for the site is signed by a non-standard or unknown certificate authority.
You mentioned localhost in your comment; you're not going to be able to get a certificate for that, but you could create a self-signed one, however, if you've enabled the localhost exemption and you're still getting the error, it suggests that you may not be using localhost after all.
So, if you have a certificate signed by a real CA and you're seeing this error, it's likely that your local OS or browser has an outdated CA root certificate bundle. you can usually get the latest one by making sure your OS packages are up to date.
If your certificate is self-signed, then the 'advanced' button will allow you to add an exemption. I you have set up your own CA and signed the certificate with that, you need to add that CA's public key that signed it to your OS.
If you've got a "regular" commercial certificate from verisign, letsencrypt, comodo or whoever, then a run through a testing tool like testssl.sh or Qualys SSL labs will tell you more about what's going wrong. Without knowing the actual domain we can't test anything for you.
Added the following argument and it did the job:
options.AddArguments("--ignore-certificate-errors")
Related
I am using Firefox 59.0.1 on Ubuntu and I am seeing the following error when accessing my development environment which is behind a self-signed SSL cert.
Your connection is not secure
The owner of crmpicco.dev has configured their website improperly. To
protect your information from being stolen, Firefox has not connected
to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that
Firefox may only connect to it securely. As a result, it is not
possible to add an exception for this certificate.
Learn moreā¦
Report errors like this to help Mozilla identify and block malicious
sites
crmpicco.dev uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: SEC_ERROR_UNKNOWN_ISSUER
I have added "crmpicco.dev" to security.tls.insecure_fallback_hosts and set security.enterprise_roots.enabled to true, restarted Firefox but this has had no effect.
I know Chrome has their "badidea"/"thisisnotsafe" workaround, which I know isn't ideal but it at least works - whereas I am yet to find a Firefox equivalent.
What is the solution for this? Do I need to generate new self-signed certs even although the cert I have is from Feb 2018.
I have tried the numerous questions on here and Mozilla support to no effect.
The top level domain *.dev is owned by Google. For some time already there has been a pre-configured HSTS policy in Chrome which made it impossible to use self-signed certificates for this domain. Firefox recently added such policy too so you get the same behavior now.
There are several ways to deal with this. The best way is to not use any currently public or future public top level domains for your private purpose. By using such domains you risk to getting in conflict with usage policies enforced by the domain owner, like enforcing HSTS in case of *.dev. Also, it might even cause security problems. Instead use either domains you actually own or use top level domains which are reserved for internal and test use, like *.test, *.invalid or *.example.
If you really want to use *.dev internally (again, bad idea) you can do it by following the policy of this domain: don't use a self-signed certificate but use a certificate issued by a CA trusted by your browser. This means creating your own CA, adding it as trusted to the browser and then issue the certificates you want by this CA. But again, using public domains you don't own (no matter if top-level or not) is a receipt for trouble.
I am using certs from an issuer called AlphaSSL. I just recently realised that my pages shows invalid certificate error on pageload. Further investigation shows that the intermediate certificate that binds my cert to GlobalSign's root certificate has been revoked. I checked and there is a new intermediate certificate on their site but I am not sure I should download it as their download page is secured with the same revoked certificate.
UPDATE:
I got a boilerplate email from support, they reckon clearing the CRL cache should fix the issue. I wonder though, is this really doable, can they 'unrevoke' the certificate? How can I check their revocation list and how can I force the propagation of the undo to my CRL (other than clearing the cache)?
UPDATE2:
I received another email that references this page. Long story short, they are busy shoveling the sh*t back to the horse, browser ubiquity yaddda-yadda, you should change the iterim cert to a new one, but if you have AlphaSSL or CLoudSSL, then you're sheesh out of luck, no cert for you.
Does not say where to claim your money back.
GlobalSign is currently experiencing issues which results in certificates being marked as revoked:
https://twitter.com/globalsign/status/786505261842247680
I got a reply from their support staff:
Hello,
Thank you for getting in touch with the GlobalSign Support Team
We thank you for bringing this to our attention. We are aware of the
issue you described and are in the process of investigating the matter
further.
We would like to ask for the below details so we can provided these to
the team investigating the issue.
Operating system & version: Browsers & version:
For the latest updates on the issue, please follow the below link:
https://twitter.com/gssystemalerts
We will let you know as soon as the issue has been resolved.
Thanks.
Best Regards, Janice Tablarin GlobalSign Support Team
Some boilerplate response, I reckon. If the trust has gone from the cert that signed a zillion other certs, then its not a cliient/browser issue.
We are having problems with some browsers attempting to get Bootstrap 3 (js and css) from the documented CDN (https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/js/bootstrap.min.js). The main two browsers are IE8 and IE9 and we don't have option of telling client to upgrade. Other high level browsers (even IE11) seem to work properly.
We've had to resort to hosting files ourselves, but obviously I would much rather reference the CDN.
For a simple example, in IE11, if I do the following:
1) Type following in url...
2) Hit enter...
3) Click Run...
Now, IE11 will actually continue and run (obviously script will error out), but all these warnings are my best guess as to what might be tripping up IE8/9 (and maybe other lower level browsers). As I said, I've temporarily hosted the files on our own secure.benefittech.com domain, and no warnings occur when I do same steps.
Here are some screen shots from client browser (IE8) when attempting to run the real site referencing CDN urls.
This first one is showing the debugger not knowing what the .tooltip() method is (from Bootstrap.min.js).
Finally, this is the IE security bar warning they get when hitting the site
Any ideas on how this might be resolved or what info I could supply MaxCDN with to try and resolve this would be greatly appreciated - or do we have to continue to host files ourselves?
I realize IE8/9 are old browsers (neither of which I'd be running at this time), but as mentioned earlier, I don't have option to force client to upgrade and surprised no one else has raised this issue (when I contacted MaxCDN, they were surprised by the issue, but not being experienced in Certificate 'technology/language', I didn't really know what to provide them.
Do you have a test environment with IE8/9 where you could do some tests? It could be a problem with certificate chain building. Maybe some certs in the chain are not trusted.
Could you import SubCA certificate from http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt to intermediate CA store and Root CA from http://secure.globalsign.net/cacert/Root-R1.crt?
SubCA certificate (GlobalSign Domain Validation CA - SHA256 - G2) is pretty new (issued 20.02.2014) so if IE8/9 does not follow authority info access from end entity certificate (to build certificate chain) or it does not handle well that the certificate of subCA is in PEM format at http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt (should be DER IMO) or if by any chance GlobalSign Root CA is not trusted by IE8/9 then I believe this could be the reason for the IE warnings.
I have a problem with a self-signed SSL certificate not being accepted on my Windows 7 box. I need this because the QuickBooks web connector will not address my CRM except over HTTPS, and the CRM is hosted on an intranet-only Linux server.
I followed the instructions here, and then used certmgr.msc to import the certificate on the client machine. The import appeared to be successful, and I can see the certificate in the "Trusted Root" store:
The problem is that it doesn't work; QBWC still reports it can't connect due to an authentication error, and my browser still rejects the certificate:
Could someone please give me an idea what I'm doing wrong? Thanks in advance!
The correct answer was propounded by #RickK - I had issued the certificate in my own name, instead of the domain of the server. The prompts in Apache make this rather confusing; it really looks like you're supposed to put your own name in the "Common Name" field, and the tutorial I followed seems to advise the same thing.
Anyway, I reissued the certificate, changing the CN field to "apps," and everything is working now. Thanks to #RickK and #pulkitsinghal for your helpful input. (And sorry for the delay in my response - this project got pushed to the back burner for awhile.)
I need to see how a web application will work with HTTPS. But I can't really find much information around about it. I tried to set up my local Apache but I can't find a CA autorithy to sign my certificate... Hints? Suggestions?
The possibilities to consider are:
Generate your own certificate (self-signed certificate)
Get a certificate issued by a known issuer
Get a certificate issued by an issuer not recognised by the browser
Nr. 1 is probably the most widely used solution. You can find instructions here. The only disadvantage is that browsers will complaint about the unknown CA. In Firefox, you can just add a permanent exception and get rid of the warning. (Neither Chrome nor Internet Explorer seem to provide such option.)
Nr. 2 normally costs money so it isn't a popular choice for dev environments.
Nr. 3 can be obtained for free (see https://www.cacert.org/) but they also trigger a browser warning. A difference with nr. 1 is that you have the possibility of adding the CA to your browser's trusted authorities; however, that's a serious decision that requires serious consideration because of its security implications. In general, I would not recommend it for mere testing.
Self-signed certificates (as already mentioned) are probably the easiest option for a single host.
If there are a few hosts, you could create a mini CA of your own. There are tools for this, for example:
CA.pl: a script provided with OpenSSL.
TinyCA: a tool with a GUI.