Nethserver-Reports (Nethesis-Dante) page fails with original NS-Cerificates

When I try to open the reports-page with a fresh install with the originaly certs created by NS I get:

There is no possibility to open reports. All other applications I installed are working.

Therefore I suggest a change of the implementation of the selfsigned certs of NS:

  1. create a local authority
  2. create a cert with v3-extension (including alt_names domain and IP) using this authority to sign this cert
  3. posibility to download the CA-cert from GUI to install it as trusted authority on local machines

If I do this procedure manually everything is fine with reports.



Sorry, german version of Firefox is not understandable to me.
Which is the blocking error?


The certificate is not trusted, because the issuer has it self signed.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

This problem occurs only with self signed certs.
In NS there is no authrity which could be installed as trusted, so you have no chance to get this cert accepted by newer browsers, because there is no possibility to give an execption.
Chromium based brwoser changed from SSL with CN (common name) to SSL with SAN (Subject Alternative Name).


openssl genrsa -des3 -out rootCA-auth.key 2048
openssl req -x509 -new -nodes -key rootCA-auth.key -sha256 -days 3650 -out rootCA-auth.crt
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key
openssl x509 -req -in server.csr -CA rootCA-auth.crt -CAkey rootCA-auth.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext

with v3.ext file:

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

DNS.1 = server.domain.tld

The rootCA-auth.crt is a rootCA which can be used as authority when installed in the machines trusted authority datadase. Once installed every server which uses a cert signed by this authority is accepted, in this case it’s server.crt.

So you have created you own local authority.

So that’s not a problem (IMVHO).
Many devices currently supports TLS over HTTP, and i have a lot of self signed certificates memorized into my browsers. NethServer is a small exception when i have static IP AND hostname, so Letsencrypt solved the issue.

Devices that i use that are using self-signed certificates:

  • Switches
  • Printers
  • Access Point
  • Firewall appliances
  • IP-Enabled cordless phones
  • DSL Routers

And I’m glad that TLS is used, because i can publish (if i want) the devices for remote monitoring. Even with account login data…
Install (moreover, manage) a CA when it’s useful only for have fewer clicks on self-signed certificates… it’s an overkill.

IMO :slight_smile:

Sorry, maybe I should have shown the hole sreen to show that it is a cockpit problem:

EDIT: It’s browser specific. Chrome and Oprea are working, Edge and Firefox not.

Thanks for your second screenshot… :slight_smile:

The reason of this topic is discussed here: Cockpit: SSL/TLS certificate update is not complete (no problem with Nethgui)

Can you please close this topic @alefattorini or @mrmarkuz or tell me how to do it? Thanks!