I have a local domain (markfisher.local) for which I have made a self-signed certificate, which I have added to the Certificates in Keychain Access (I am using Mac). This results in the certificate being trusted in Chrome and Safari. If I edit the certificates Trust in KeyChain Access to "Never Trust" then Chrome and Safari no longer accept it, then if I change it back to "Always Trust" then I can access markfisher.local OK again.
But when accessing the site in Firefox I get the following:
markfisher.local uses an invalid security certificate.
The certificate does not come from a trusted source.
Error code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
I have set security.enterprise_roots.enabled to true as suggested in this answer. Also, going to Preferences > Privacy & Security > View Certificates, I can see my certificate is in the Authorities tab and I have checked the "This certificate can identify websites" in the "Edit Trust" dialog. This was not checked originally
However Firefox refuses to accept the certificate. How can I fix this?
See https://bugzilla.mozilla.org/show_bug.cgi?id=1034124 and specifically this answer:
Looks like that certificate has a basicConstraints extension with the
value cA: TRUE. We stopped allowing CA certificates to act as
end-entity certificates. That certificate should be regenerated
without the basicConstraints extension.
This is also explained at https://wiki.mozilla.org/SecurityEngineering/x509Certs
Error Code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
What It Means: A certificate with a basic constraints extension with cA:TRUE is being used as an end-entity certificate
What Can I Do: Re-generate the end-entity certificate without the basic constraints extension
I fixed the error by running "Run AutoSSL" on my hosting cPanel after DNS propagation.
Now Firefox says that the connection is secure, without any error.
Related
I created a Let's Encrypt certificate using SSLforFREE. It works great in the browser, but generates an "unknown certificate" error when used with an Alexa skill. Manually uploading the certificate to the Alexa service works, but it will not work as a "trusted" certificate.
Has anyone successfully used one of these as a "trusted" certificate with Alexa?
Oh, here's what you can do:
Download the contents of your fullchain.pem cert, from /etc/letsencrypt/live/<domain>/fullchain.pem on your server
On your skill config page, select the "SSL" Tab.
Mark "I will upload a self-signed certificate in X.509 format."
Paste the contents of your fullchain.pem file.
It worked for me. Not sure if chain or cert would be enough.
Dont use sslforfree. Use Letsencrypt fullchain certificates directly
Though certificates from https://www.sslforfree.com/ utilizes letsencrypt certificate chain, amazon finds an issue while tracing to a trusted certificate authority.
This is another discussion on missing certificate chains.
The solution that will work is, Use LetsEncrypt certificates directly with chained certificates to a trusted CA certificate.
For this, use certbot in order to generate LetsEncrypt certificate on your Server and follow the steps in #aldrinleal answer.
I have installed a ssl certificate via WHM on one of my domain. Site is working with https://xyz.com.
However it is not working with https://www.xyz.com. I have checked the certificate and it is for www version as well. After some research it appears to be incomplete chain issue. I had no idea how to resolve this. Please help.
A certificate can contain a special Authority Information Access extension (RFC-3280) with URL to issuer's certificate. Most browsers can use the AIA extension to download missing intermediate certificate to complete the certificate chain. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such certificate as untrusted.
You can solve the incomplete certificate chain issue manually by concatenating all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system’s root certificate store.
You should be able to fetch intermediate certificates from the issuer and concat them together by yourself. I have written a script to automate the procedure, it loops over the AIA extension to produce output of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver
I created self signed certificate and is being used in my express project. The problem is when I do
curl https://<domain>
doesn't and only works with -k option, it doesn't use the certificate to encrypt its content. I don't see how that is effective since that is similar to http itself.
Also from what I understand in CA signing request is that browsers like chrome they are preinstalled with the information trusted CAs in the web such as Verisign. So how does curl work in this way, does it also know before hand like in chrome regarding who are the trusted CAs?
Also in my project the app communicates with the ec2 machine does it need client side certificate for https ?
Yes, curl has a pointer to a list of trusted Certificate Authority keys. You can override it with the --capath flag.
We purchased an SSL certificate through DNSimple and installed it on our Heroku SSL endpoint. Now navigating to the app via SSL works fine on Chrome and Safari, but Firefox shows a "This connection is untrusted" error. Why would an SSL cert be untrusted by Firefox only?
We figured out the problem:
The Heroku docs point to the following bundle.pem file, which DOES NOT WORK FOR FIREFOX:
https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
The CORRECT bundle.pem file is at:
https://knowledge.rapidssl.com/library/VERISIGN/INTERNATIONAL_AFFILIATES/RapidSSL/AR1548/RapidSSLCABundle.txt
as indicated on the RapidSSL site.
Heroku docs need to be updated. Hopefully this saves someone else some time..
UPDATE: We reported this to Heroku and they updated their docs, so this is no longer an issue.
Mozilla include a list of Certificate Authorities (CA) with their products, as do Google, Apple, Microsoft and others. If your certificate can be traced back to one of these than the browsers will trust it. If not, you have to add an exception, or import the certificate into your browser.
The list of included CAs is created at the whim of the different browser makers. Some include the root CA for your certificate, and it seems Mozilla do not.
You can get a list of CAs included by Mozilla here. Check your certificate details. If the root CA is on this list file it as a bug with Mozilla. If it's not you could try asking them if they'll include it for the next release.
It's a problem of rapidssl but not yours.
you should not only provide the server certificate, but should concat your server certificate and INTERMEDIATE ca certificate.
do
$ cat ca_certificate.crt >> server_.crt
and restart your nginx.
you can find the ca certificate on what site you buy certificate.
When generating a self-signed certificate using keytool, can I use an IP address for the Common Name?
Once I generated the certificate, I exported it so I can install it in my clients/browsers. In Windows, I ran mmc.exe and added it as a Trusted Root Certificate Authority.
However, when I navigate to the IP address in my browser, it is still an untrusted connection. I ensured Tomcat had all the correct Connector settings.
Am I doing this correctly? do I need to be my own CA? How can I use SSL for development purposes? I'm still trying to understand SSL completely.
First question: if you'll be connecting by IP, then yes.
Second question: No, you don't install your self-signed certificate as CA, you just add exception when your browser warns you that it's self-signed.
You can set up CA — you generate root certificate first, install it in the client, and then generate CSR and then server certificate from it (see e.g. this), but for development purposes this is a complete waste of time.