I am trying to connect to my webserver with Android apps which are using okhttp. The webserver is using an SSL certificate signed by my own personal CA. The CA is added to the phone/tablet, but I get the following error:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
The server contains the complete certificate chain. Should this work in principle? Does okhttp trust added personal CAs?
The https connection works without problems in the browser and other apps not using okhttp.
Related
I am developing web app using Spring Boot and React. I want to deploy it on local server and make it accessible only through local network, but I want to make it secure, so I need SSL certificate to enable HTTPS. If I use self-signed certificate then I get error on clients browsers (not secure), because this certificate is not in their trust store. Is there any way to get certificate for localhost, I think that Let's Encrypt don't give certificates for localhost?
Generate Self signed root CA certificate.
Install your root CA in all client machines (enterprises root)
sign certificate with your root ca and install in web server
this certificate will be trusted.
I deploy my CA cert via GPO into Trusted Root Certification Authorities, which I can see is deployed to my client machines. I know this part is working as Chrome no longer moans when browsing to sites using my signed SSL certs.
However, when I try and git clone or push to any repositories behind an SSL cert signed by this CA, git-for-windows bawlks and says this:
schannel: next InitializeSecurityContext failed: Unknown error
(0x80092012) - The revocation function was unable to check revocation
for the certificate.
As you can see, I've got schannel enabled, but git-for-windows is clearly not reading my CA cert from the Certificate Store in Windows. Any one know how I make gfw read from the Certificate Store in Windows? I can't manually copy this cert onto all my Windows clients, that'd take forever.
Perhaps worth noting I'm using multiple Samba 4 instances as Domain Controllers, but I don't have access to Windows Server tools such as AS Certificate Services.
nb. I know I can disable tls verification, but that surely defeats the purpose.
I am trying to make websocket connection to a backend server that uses a self-signed certificate. In firefox I've added an exception for the self-signed cert.
However my websocket connection wss:// fails to connect. I get a close event with code 1006 which is a catch all code.
Chrome and IE websockets work. Since I am using windows, I've installed the cert using certmgr.exe as a trusted cert.
My guess right now is that firefox websockets do not work with certificate exceptions and need to be trusted.
Has this scenario worked for anyone else?
Just in case it could help anyone, what is mentioned in OP's answer is not true at this time of writing (v61.0.1).
I navigated to the address of my WS server using https, as any WS server is practically an HTTP server, then the usual invalid certificate screen appeared and allowed me to add an exception. After that any wss connection made to the same host and port is successful.
Firefox works with secure websockets (wss://) only when the certificate of the site is trusted.
With a self-signed certificate I was able to browse the site by adding an exception to the certificate. The exception is not used for websockets and the connection was dropped during the ssl handshake.
Instead I created my own Root CA cert and then another signed cert for the webserver. In Options > View Certificates > Authorities I imported the Root cert. Now firefox is able to connect over secure websockets without any issue.
Firefox does not allow for importing of self-signed certs as Authorities. Windows Certificate manager allows importing of self signed certs into the "Trusted Root Certificate Authorities" list.
Full disclosure, I asked this question over at Ask Different (https://apple.stackexchange.com/questions/96776/always-get-a-security-error-for-internal-https-website) but didn't get much helpful feedback. I'm hoping this question fits better here.
My company recently changed an internal site to use HTTPS instead of HTTP (it is our Jira site in case that matters). From what I can tell, this site is using an internal certificate. On our work computers this certificate appears to be pre installed so the website comes up without trouble in IE, Firefox, and Chrome. However, my personal computer is a Mac (OS X 10.8.4) and I am having major troubles accessing the site through any browser. I have followed instructions to install the certificate in my Keychain and I believe I have successfully done that, but I am still not able to access the site.
When Accessing the site I Get:
Chrome: Invalid Server Certificate You attempted to reach jira.surescripts.local, but the server presented an invalid certificate.
Safari: Safari can't open the page Safari can't open the page "https://jira.local:8081/" because Safari can't establish a secure connection to the server "jira.local"
In Chrome when I view the certificate information it I see: Intermediate certificate authority. Expires: Thursday, May 21, 2015 1:19:28 PM Central Daylight Time. This certificate is valid
To make sure that it wasn't something strange with our company's VPN, I installed a Windows 7 virtual machine on my Mac and installed the certificate in Windows and am able to successfully log on to the site how I always would.
I am not much of an expert with certificates and I really don't know where to go from here. Any help would be greatly appreciated! Thanks.
It almost sounds like you need to trust a self-signed certificate? Perhaps follow: https://confluence.atlassian.com/display/SOURCETREEKB/Resolving+SSL+Self-Signed+Certificate+Errors
Sefl signed certificate always triger warnings in web browsers.
To validate a server certificate you must have in the client browser the CA certificate wich was used to sign the SSL server certificate.
Your company should create a CA cert, then create a server SSL cert. signed with the CA and put it on the web server. The clients install public part of the CA cert in "Trusted CA" certificate store. When client conect to the web server the server sent the signed SSL certificate, the client check if it is a "trusted" cert (was signed by a trusted CA) and if everithing is Ok the client doesn't show the warning.
You ended with this cert chain:
CA cert->SSL cert
CA cert public part is installed in client broser as trusted CA. SSL is put in the web server. Client validate SSL cert agaist its Trusted CA certs installed in its Certificate Stores.
It is like CyberTrus CA. You can see how you have Baltimore Cyber Trust Root and Cybertrust Public SureServer SB CA installed in your computer and when you enter into https://www.bancosantander.es/cssa/Satellite?pagename=SantanderComercial/Page/SAN_Index you can see that *.bancosantander.es certificate is valid because you are trusting in the chain.
Your company needs to create the root, then create the SSL signed by the root. The root (public part) is distributed to the client for install. The server sends the SSL to client in HTTPS protocol.
Check this link for more info.
The problem is probably the encryption protocols that your Mac and the company web site don't match up.
Safari Browsers for OS X before Safari 7 (up to 6.0.7 which was on OS X 10.8.4) use the SSL 3.0 protocol, which has vulnerabilities and is considered insecure. Most newer and well-designed web sites use TLS 1.1 and/or TLS 1.2.
Browser encryption capabilities for Safari 6.0.4
Find out from your company if that is what is set up. The same site that has the specs I linked to allow you to enter a web site, and they'll throw a battery of test transactions at it to test it's security and what will connect, but I doubt you can use that for an internal site. Ask your IT folks what encryption protocols they are using.
As a solution, I believe there are versions of Firefox and/or Chrome that can run on 10.8.4 that use TLS 1.2.
List of major browser versions that support TLS 1.2
I'm having a Windows Store App (Metro App) which I want to connect a web service I built through HTTPS. And I am using a self-signed certificate for my web service. But when I tried to connect it from my App through System.Net.HttpClient.PostAsync I got an exception said
"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
Inner exception said
"The remote certificate is invalid according to the validation procedure."
I know this is because I'm using a self-signed certificate. I remembered in .NET I can use System.Net.ServicePointManager.ServerCertificateValidationCallback so that my application can pass the validation if the thumbprint is mine.
But I cannot find the relevant class/method in Windows Store runtime. How can I do that?
First, you should ideally be using Windows.Web.HttpClient. On that API, you can use httpClient.HttpBaseProtocolFilter.IgnorableServerCertificateErrors to set the cert errors that you're willing to accept. You can choose to ignore the Untrusted error, for example, but you should then manually check the thumbprint before actually sending any data.