Author Topic: openssl Problem  (Read 285 times)

Offline harvey186

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
openssl Problem
« on: November 16, 2017, 07:55:26 am »
Hi, I have installed openssl on my Cubietruck / Linaro OS. When I now open my web server, I always get the message that the connection is not secure. The certificate is found, though (see attachment).
I have stored the certificates under /etc/ssl/cert.

By the way: I get the message both with local access and via a dyndns domain.

So where is the problem?

Thanks
Harvey

Offline rgmhtt

  • Full Member
  • ***
  • Posts: 175
  • Karma: +4/-1
    • View Profile
Re: openssl Problem
« Reply #1 on: November 24, 2017, 09:01:13 am »
I work a lot with OpenSSL (1.1.0), but on Fedora/Centos and ONLY in English.

If you provide your question and screen capture in English I may be able to help.

I really wish I could deal with German, but I am dyslexic and highly mono-linguistic.

Offline harvey186

Re: openssl Problem
« Reply #2 on: November 25, 2017, 05:33:55 am »
Hi, no problem, I can explain in English :)

I have set up my Cubietruck with Debian Linaro as a NAS. I have installed OpenSSL, and I have stored the certificates under /etc/ssl/cert.
When I access my NAS via browser I'm always getting the hint / error message:
Net:: ERROR_CERT_AUTHORITY_INVALID
and that the connection is not secure and the https:// is in red in the browser address line.

The certificate is found but will not be accepted. OK, I can tell the browser that that's OK, but it's worse to tell all people that they have to accept this insecure site.

What can I do so that the certificate will be accepted in all browsers?

I hope this will explain my issue.

Offline rgmhtt

Re: openssl Problem
« Reply #3 on: November 25, 2017, 07:54:06 pm »
You probably have a self-signed certificate.  Browsers today treat this as an error condition that the user has to accept the 'risk' of using a self-signed cert.  After all, Mal could make a cert with the same content (other than the keys) as yours and trick your users into accepting it.

Thus you need to provide your users with YOUR keyid so they can store your certificate with confidence.  Or have control over the network such that they cannot be connected to anything but your NAS.  If you store the cert, you only go through this warning once.  Per user.

Or buy a cert.

If you are interested, I have published an Internet Draft on building an ECDSA PKI.  This does not directly fix your challenge, but if you have multiple servers for your users, they only need to accept your root cert then they will auto accept all certs signed in that PKI.

My draft can be found at:

https://datatracker.ietf.org/doc/draft-moskowitz-ecdsa-pki/

I do have to rev it, as one grad student using it for his thesis for his PKI found a typo in one of the chmod commands...

Plus I want to add support for 802.1AR iDevID CSRs.

Note this is only for ECDSA certificates.  I try not to use RSA certs anymore, and EdDSA certs are in the next release (1.1.1).

Hope this helps
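
The contrast described in Reply #3, as an added example that is not part of the original posts or of the linked draft: a self-signed server certificate fails verification, while any certificate issued under a private ECDSA root verifies once that one root is trusted. The host names, the CA name and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; nas.example and "Example Home Root" are constructed names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Own minimal config, so results do not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF

new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Root CA: the single certificate users import into their trust store.
make_root() {
    new_key "$WORK/root.key"
    openssl req -new -x509 -config "$WORK/pki.cnf" -extensions v3_ca -days 365 \
        -key "$WORK/root.key" -subj "/CN=Example Home Root" -out "$WORK/root.pem"
}

# Self-signed server cert: issuer == subject, nothing vouches for it.
make_self_signed() {
    new_key "$WORK/self.key"
    openssl req -new -x509 -config "$WORK/pki.cnf" -extensions v3_leaf -days 30 \
        -key "$WORK/self.key" -subj "/CN=$1" -out "$WORK/self.pem"
}

# Server cert signed by the root, hostname carried in subjectAltName.
issue_cert() {
    new_key "$WORK/$1.key"
    openssl req -new -config "$WORK/pki.cnf" -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr"
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/$1.ext" -days 90 -out "$WORK/$1.pem" 2>/dev/null
}

# True only if the certificate chains to the root.
trusted() { openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1; }
make_root; make_self_signed nas.example; issue_cert nas.example
trusted "$WORK/nas.example.pem" && echo "root-signed cert: accepted"
trusted "$WORK/self.pem" || echo "self-signed cert: rejected"
```

Only `root.pem` is handed to users; `root.key` stays off the servers, which hold just their own key and certificate.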

Offline harvey186

Re: openssl Problem
« Reply #4 on: November 26, 2017, 09:32:50 am »
thx, I will try

Offline rgmhtt

Re: openssl Problem
« Reply #5 on: November 29, 2017, 04:24:35 pm »
Another option is to get your certificate from:

https://letsencrypt.org/