Problem with Secure Connection and Self-Signed Certificate
FedoraForum.org - Fedora Support Forums and Community
  1. #1

    Problem with Secure Connection and Self-Signed Certificate

    Hello,

    I am a new Fedora user, I really enjoy it but I just haven't been able to find the solution to a weird problem.
    I frequently get rejections of self-signed certificates in various applications, but sometimes the problem goes away simply by retrying.

    Here's what happens to me when the problem comes:
    - SSH connections fail with a "connection refused" error. I tried SSH-ing to Gitlab, Github, and my own servers, which accept connections without any problem from other machines.
    - Neither NPM nor Yarn can download any package, both failing with a self-signed certificate error.
    - Axios module in my project throws this error:
    Code:
    Error: self signed certificate
        at TLSSocket.<anonymous> (_tls_wrap.js:1105:38)
        at emitNone (events.js:106:13)
        at TLSSocket.emit (events.js:208:7)
        at TLSSocket._finishInit (_tls_wrap.js:639:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:469:38)
      code: 'DEPTH_ZERO_SELF_SIGNED_CERT',
    - Firefox refuses to connect to Gmail and other Google services, saying that the owner of the site hasn't configured their site properly.
    - Gnome Calendar cannot connect to the Google API, again with a self-signed certificate error.
    - Same case with wget and cURL.

    Strangely, all of this only happens whenever I am connected to my office wifi, but everything works perfectly from any other connections.
    My coworkers are on Ubuntu, Mac and Windows and nobody has this kind of problem, and I am the only one who uses Fedora.

    I really am stuck, and I would very much appreciate any clues about what I am doing wrong, especially if I perhaps have to do some specific configuration regarding my office network.
    Thank you for reading, I look forward to hearing from the community.

  2. #2

    Re: Problem with Secure Connection and Self-Signed Certificate

    Ah, so your office is probably using an http proxy or a filtering appliance. The ssl traffic is being intercepted and re-encrypted so your company can monitor activity.

    The simple fix is to retrieve the certificates in question (normally it would be the root certs, but you said these are self-signed) and insert them into your system trusted ca cert chain. Ask the network admin for the cert for the proxying appliance, or retrieve it from the trusted store from one of the other machines. You should probably internet search how to do that for a target OS.

    As a bonus, you can manually inspect/fetch the certificate being used so you don't have to chase it down from anybody else.
    Code:
    echo "" | openssl s_client -showcerts -servername "gitlab.com" -connect "gitlab.com:443"
    This will output the certificates being offered by gitlab.com. Port 443 is the standard https port. The -servername option is for the SNI field (server name indication), which is hardly ever required for a connection.

    Grab the portions between, and including, the -----BEGIN CERT---- to ------END CERT----- and save them to a myofficeproxy.pem file.

    Once you get a .pem or .crt file, you will want to place it in /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.

    EDIT:
    Additionally, the npm and yarn applications might not use the system ca trust chain. I don't have time to track down those unfamiliar applications' configs, but the pip package manager had its own config in ~/.config/pip/pip.conf where I was able to specify the system ca trust chain. I suspect npm and yarn might be similar.
    Code:
    # cat ~/.config/pip/pip.conf
    [global]
    cert = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    Last edited by bgstack15; 11th July 2018 at 01:40 PM. Reason: Add additional comments

  3. #3

    Re: Problem with Secure Connection and Self-Signed Certificate

    Hi bgstack15,
    Thank you very much for your help.

    I tried adding the certificate in .pem for my server SSH, did the update but my SSH still got refused.
    Also, I asked the network guy at work but he said there is nothing specially configured on the router.
    It couldn't be an ISP-specific issue either because I use the exact same provider at home and everything works smoothly.

    So, perhaps, is there a way to just trust any self-signed certificate system-wide? Or is this something dangerous that shouldn't be done?
    Many thanks in advance.

  4. #4

    Re: Problem with Secure Connection and Self-Signed Certificate

    It is indeed very dangerous. This process makes the computer trust anything using that certificate. Ssl provides encryption (only you and the destination can read the traffic) and identity verification (the target is who he says he is). Certs are signed by certificate authorities who are supposed to be trustworthy people, so that if you trust Bob, who says Alice is OK, you can trust Alice too. A self-signed certificate has no one vouching for him. So as long as you decide to trust this random certificate, you can proceed.

    Can you inspect the cert to see some characteristics about it?
    Reference: Manipulating ssl certificates (my blog)
    Code:
    openssl x509 -in myofficeproxy.pem -noout -text
    That command will show you all the info about the certificate. It probably won't help you too much for a self-signed cert.

    Now, if you decide that you just want your applications to work regardless of whoever signed the cert, most applications provide a way to ignore the signer. Curl has a -k option, wget has --no-check-certificate, and so on. I am uncertain how to get the entire system to just accept any self-signed cert. Certs still encrypt traffic, even if you don't trust the other side.
    If you're writing the application you shared the output from, maybe there's a boolean to pass to the library to tell it to not check the cert and just proceed.
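An added example (not code from the thread or from bgstack15) that does in Python the two manual steps from posts #2 and #4: cutting the BEGIN/END blocks out of `openssl s_client -showcerts` output, and inspecting a leaf certificate's subject and issuer to tell a self-signed cert (the DEPTH_ZERO_SELF_SIGNED_CERT case) from one signed by an unexpected intercepting CA. The s_client output and the certificate dicts are constructed samples; the dict shape is the one `ssl.SSLSocket.getpeercert()` returns, and the "Office Proxy CA (constructed)" name is a placeholder, not anything from the thread.

```python
import re
from typing import Dict, List, Optional, Sequence

# One PEM block exactly as `openssl s_client -showcerts` prints it.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.DOTALL)

def extract_pem_blocks(s_client_output: str) -> List[str]:
    """Post #2's 'grab BEGIN..END and save to a .pem' step: every block, leaf first."""
    return [m.group(0) for m in PEM_BLOCK.finditer(s_client_output)]

def flatten_name(name: Sequence) -> Dict[str, str]:
    """Flatten getpeercert()'s ((('commonName', 'x'),),) shape into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def classify_cert(cert: dict, expected_issuers: Optional[Sequence[str]] = None) -> str:
    """Explain a rejection as post #4 does: 'self-signed' when issuer == subject
    (nobody vouches; node's DEPTH_ZERO_SELF_SIGNED_CERT), 'unexpected-issuer' when
    the signer differs from the CAs seen for this host on a trusted network, else 'ok'."""
    subject, issuer = flatten_name(cert["subject"]), flatten_name(cert["issuer"])
    if subject == issuer:
        return "self-signed"
    if expected_issuers is not None and issuer.get("commonName") not in expected_issuers:
        return "unexpected-issuer"
    return "ok"

# Constructed s_client output for an intercepted connection; the base64 bodies are
# placeholders, not real certificates.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = gitlab.com
   i:CN = Office Proxy CA (constructed)
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafBodyConstructed0
-----END CERTIFICATE-----
 1 s:CN = Office Proxy CA (constructed)
   i:CN = Office Proxy CA (constructed)
-----BEGIN CERTIFICATE-----
MIIBplaceholderProxyCaBodyConstructed1
-----END CERTIFICATE-----
---
"""

# Constructed peer certificates in the shape ssl.SSLSocket.getpeercert() returns.
SELF_SIGNED_LEAF = {"subject": ((("commonName", "gitlab.com"),),),
                    "issuer": ((("commonName", "gitlab.com"),),)}
PROXIED_LEAF = {"subject": ((("commonName", "gitlab.com"),),),
                "issuer": ((("commonName", "Office Proxy CA (constructed)"),),)}
```

Comparing the issuer seen on the office wifi against the issuer seen for the same host from home is the quickest way to confirm the interception bgstack15 suspects; the second block extracted is the proxy's own CA, the one you would inspect with `openssl x509 -noout -text` before deciding whether to anchor it.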
