
Fix SSL Certificates not being trusted on unix environments

Open replaysMike opened this issue 2 years ago • 5 comments

I might need some help from the community on this one, as I've tried every way I could find in order to get a self-signed certificate to be trusted on ubuntu/linux. Firefox/Chrome still say the CA authority is not valid, and I'm not sure if there is something different about the certificate itself or the way browser certificate chains are validated on unix. Works fine on Windows.

I've tried the following:

sudo cp ./Certificates/Binner.crt /usr/local/share/ca-certificates
sudo update-ca-certificates
sudo apt install libnss3-tools
pk12util -d sql:$HOME/.pki/nssdb -i ./Certificates/Binner.pfx
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n 'dev cert' -i ./Certificates/Binner.crt

and

apt-get install ca-certificates
sudo cp ./Certificates/Binner.crt /usr/share/ca-certificates
dpkg-reconfigure ca-certificates
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Binner CA" -i ./Certificates/binner.crt

replaysMike (Mar 29 '22 22:03)

Hello ReplaysMike,

I've just installed the latest release of Binner.Web on my server and the program works fine! What do you mean by "Firefox/Chrome still say the CA authority is not valid"?

I only got a warning about the self-signed certificate of my server (which has been the default behaviour in Firefox for a long time). Firefox lets me choose to go away or make an exception for this certificate.

I also ran the install-certificate.sh command and it gave me the following output:

# ./install-certificate.sh
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping Binner.pem,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:Binner.pem
done.
done.
Certificate was installed to trusted root at /usr/local/share/ca-certificates/Binner.crt

kuifie210 (Mar 31 '22 21:03)

Hi @kuifie210 - yep, the warning about the self-signed certificate is the issue I'm noting in this ticket. On Windows I was able to add the cert to the trusted store and I don't get any browser certificate validation warnings. On Unix environments, however, this process doesn't seem to work as expected. Apparently it can vary with different Unix flavours and even vary among browsers.

You can of course just tell the browser to ignore the warning and all is good - as you saw with Firefox. Ideally, however, it would be nice to trust the certificate properly on install so that the warnings don't come up and you get a nice little lock icon in the browser. My install script is supposed to be doing this by copying the certificate to the ca-certificates folder; it just doesn't work and you still get the warning.

replaysMike (Apr 01 '22 02:04)
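A pre-flight check for the install step discussed above, written as an added example and not part of Binner's install-certificate.sh: the "rehash: warning: skipping Binner.pem, it does not contain exactly one certificate or CRL" line in the log means update-ca-certificates rehashed the directory but ignored the copied file, so the copy "succeeds" while nothing is trusted. The function counts PEM certificate blocks and refuses files that carry a private key (a .pfx or a combined cert+key file) before anything is copied; the paths in the comments are assumed.

```shell
#!/bin/sh
# Added example, not part of Binner's install-certificate.sh: sanity-check a
# certificate file before it is copied to /usr/local/share/ca-certificates.
# update-ca-certificates rehashes every file in that directory and skips any
# that does not contain exactly one PEM certificate, so a bad file is copied
# without error but never trusted.

# Count PEM certificate blocks in a file (0 for DER or PKCS#12 binaries).
pem_cert_count() {
    grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Returns 0 when the file holds exactly one PEM certificate and no key
# material; otherwise prints the reason to stderr and returns non-zero.
check_single_pem_cert() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "$file: no such file" >&2
        return 1
    fi
    # A .pfx or a combined cert+key file must never land in the trust store.
    if grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$file" 2>/dev/null; then
        echo "$file: contains a private key; extract only the certificate, e.g." >&2
        echo "  openssl pkcs12 -in Binner.pfx -clcerts -nokeys -out Binner.crt" >&2
        return 2
    fi
    n=$(pem_cert_count "$file")
    case "${n:-0}" in
        1) return 0 ;;
        0) echo "$file: no PEM certificate found (DER? convert with:" >&2
           echo "  openssl x509 -inform DER -in $file -out $file.pem)" >&2
           return 3 ;;
        *) echo "$file: $n certificates; update-ca-certificates needs exactly one per file" >&2
           return 4 ;;
    esac
}

# Usage in an install script (hypothetical path, mirroring the commands in
# this thread); the copy only happens when the check passes:
#   check_single_pem_cert ./Certificates/Binner.crt &&
#       sudo cp ./Certificates/Binner.crt /usr/local/share/ca-certificates/ &&
#       sudo update-ca-certificates
```

Browsers built on NSS (Firefox, and Chrome on Linux) keep their own store, so passing this check makes the system store correct but the certutil import into $HOME/.pki/nssdb is still a separate step.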

Hi @replaysMike,

I'm sorry for my late response. I think that it is only possible to have a valid certificate (and not get the message in the browser) if the certificate is authorized by an external certification authority like letsencrypt. The problem with letsencrypt is the need for a domain name, which is (I think) too much hassle for most users' local workshop setups.

Another option is to import the certificate in every machine and/or browser you are using. I've found some instructions on https://develike.com/en/articles/adding-a-trusted-ssl-certificate-for-the-local-environment-in-apache-on-debian-ubuntu

At the moment I don't have the time to test this solution. But as far as I can tell, this solution should work for most of the users with Linux server/client environments.

kuifie210 (Apr 10 '22 16:04)

Hi @kuifie210, thanks for the follow-up. Yes, the issue with self-signed localhost certificates is always about trusting the issuer. While it's certainly possible to script this on the Windows side (the Trusted Root store is where you put them for the local computer to trust it), on Unix there are various ways to accomplish the same thing. It seems it varies quite a lot between different distros.

Thanks for the link you sent, hadn't seen that one. I'm going to try it out and if it works well, maybe I'll just distribute 2 different certificates, as on the Windows side I didn't generate it using openssl but rather through PowerShell. There could very well be some subtle differences in how the certs are structured.

I'll keep you posted.

replaysMike (Apr 10 '22 23:04)