Nethserver-Reports (Nethesis-Dante) page fails with original NS-Certificates

When I try to open the reports page with a fresh install with the original certs created by NS I get:

There is no possibility to open reports. All other applications I installed are working.

Therefore I suggest a change of the implementation of the selfsigned certs of NS:

  1. create a local authority
  2. create a cert with v3-extension (including alt_names domain and IP) using this authority to sign this cert
  3. possibility to download the CA-cert from GUI to install it as trusted authority on local machines

If I do this procedure manually everything is fine with reports.

BR

flatspin

Sorry, german version of Firefox is not understandable to me.
Which is the blocking error?

MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

The certificate is not trusted, because the issuer has it self signed.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

This problem occurs only with self signed certs.
In NS there is no authority which could be installed as trusted, so you have no chance to get this cert accepted by newer browsers, because there is no possibility to give an exception.
Chromium based browsers changed from SSL with CN (common name) to SSL with SAN (Subject Alternative Name).

Example:

# 1. local authority: private key (passphrase-protected) and self-signed root cert
openssl genrsa -des3 -out rootCA-auth.key 2048
openssl req -x509 -new -nodes -key rootCA-auth.key -sha256 -days 3650 -out rootCA-auth.crt
# 2. server key and certificate signing request
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key
# 3. sign the CSR with the local authority, adding the v3 extensions (SAN) from v3.ext
openssl x509 -req -in server.csr -CA rootCA-auth.crt -CAkey rootCA-auth.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext

with v3.ext file:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = server.domain.tld
IP.1 = XXX.XXX.XXX.XXX

The rootCA-auth.crt is a rootCA which can be used as authority when installed in the machine's trusted authority database. Once installed every server which uses a cert signed by this authority is accepted, in this case it's server.crt.

So you have created your own local authority.
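The procedure above, carried through end to end as an added example (not code from the thread or from NethServer): it builds the local CA, issues the SAN-bearing server certificate, and then checks the result the way a browser would (chain to the CA, name in the SAN, no CA flag). It assumes openssl 1.1.1 or newer is installed; the hostname, IP address and working directory are constructed for the demo, and the CA key is left unencrypted so the script runs without prompts.

```shell
#!/bin/sh
# Added example, not code from the thread: local CA + SAN server cert + checks.
# Assumptions: openssl (1.1.1+) on PATH; HOST, ADDR and WORK are constructed values.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="server.domain.tld"   # constructed hostname for the SAN
ADDR="192.0.2.10"          # constructed address (TEST-NET-1) for the SAN

make_local_ca_and_cert() (
  cd "$WORK"
  # 1. local authority; key left unencrypted so the run is non-interactive
  openssl genrsa -out rootCA-auth.key 2048 2>/dev/null
  openssl req -x509 -new -key rootCA-auth.key -sha256 -days 3650 \
      -subj "/CN=Local Lab Root CA" -out rootCA-auth.crt
  # 2. server key and CSR; the CN alone is ignored by modern browsers
  openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout server.key \
      -subj "/CN=$HOST" -out server.csr 2>/dev/null
  cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $HOST
IP.1 = $ADDR
EOF
  # 3. sign the CSR with the local CA, applying the v3 extensions
  openssl x509 -req -in server.csr -CA rootCA-auth.crt -CAkey rootCA-auth.key \
      -CAcreateserial -days 3650 -sha256 -extfile v3.ext -out server.crt 2>/dev/null
)

# Chain builds to the local CA and the cert matches the name the client uses.
verify_chain() {
  openssl verify -CAfile "$WORK/rootCA-auth.crt" -verify_hostname "$HOST" \
      "$WORK/server.crt" >/dev/null 2>&1
}
# A name absent from the SAN must be rejected even though the CA is trusted.
verify_wrong_name_rejected() {
  ! openssl verify -CAfile "$WORK/rootCA-auth.crt" -verify_hostname "other.example" \
      "$WORK/server.crt" >/dev/null 2>&1
}
# SAN carries both DNS name and IP, and the leaf is not itself a CA.
verify_extensions() {
  openssl x509 -in "$WORK/server.crt" -noout -text > "$WORK/server.txt"
  grep -q "DNS:$HOST" "$WORK/server.txt" && grep -q "IP Address:$ADDR" "$WORK/server.txt" \
      && grep -q "CA:FALSE" "$WORK/server.txt"
}

make_local_ca_and_cert
```

Import `$WORK/rootCA-auth.crt` into a client's trust store and the same checks are what the browser performs when it opens `https://server.domain.tld`.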

So that’s not a problem (IMVHO).
Many devices currently support TLS over HTTP, and I have a lot of self signed certificates memorized into my browsers. NethServer is a small exception when I have static IP AND hostname, so Letsencrypt solved the issue.

Devices that I use that are using self-signed certificates:

  • Switches
  • Printers
  • Access Point
  • Firewall appliances
  • IP-Enabled cordless phones
  • DSL Routers

And I’m glad that TLS is used, because I can publish (if I want) the devices for remote monitoring. Even with account login data…
Installing (moreover, managing) a CA when it’s useful only to have fewer clicks on self-signed certificates… it’s overkill.

IMO :slight_smile:

Sorry, maybe I should have shown the whole screen to show that it is a cockpit problem:

EDIT: It’s browser specific. Chrome and Opera are working, Edge and Firefox not.

Thanks for your second screenshot… :slight_smile:

The reason of this topic is discussed here: Cockpit: SSL/TLS certificate update is not complete (no problem with Nethgui)

Can you please close this topic @alefattorini or @mrmarkuz or tell me how to do it? Thanks!
