Emerging Member
Posts: 86
Registered: ‎03-28-2012
Kudos: 24
Solutions: 4

WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

I never plan to allow management of my ERL3 from the WAN side, but I can't manage EdgeOS on the LAN side via HTTP, only HTTPS.

 

Since Google Chrome v58+ I can no longer use a self-signed certificate that has its CN set to an intranet address; Chrome complains about it.

 

Starting to dig deeper, it seems that all browsers will now reject a CN with an intranet address ( IP ranges: 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, 192.168.0.0 through 192.168.255.255 ).

 

There is some info about it here. ( https://cabforum.org/internal-names/ ).

 

So the question to the user community: does anyone have a list of steps to create a self-signed certificate that I can place in ( /etc/lighttpd/server.pem )?

 

From the write up on CN intranet being deprecated, the only way to remove the browser warning is to get a certificate with a FQDN and loopback the management port of EdgeOS just to get rid of the browser warning.

 

If we could use http on the LAN side this would not be an issue.

 

For those that will say the SSL certificate is not an issue, please provide instructions on creating a self-signed certificate that Chrome won't complain about.

 

 

 

 


Emerging Member
Posts: 62
Registered: ‎10-03-2016
Kudos: 64
Solutions: 5

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.


Well, it still works... you just have to ignore the warnings :)

 


[screenshot]

 

And then:

 

[screenshot]

 

Despite all the warnings your traffic is still encrypted.... You just can't be safe from a man-in-the-middle attack.

 

Best regards,

 

   Alex

Established Member
Posts: 1,366
Registered: ‎07-07-2014
Kudos: 289
Solutions: 90

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

Like @cron-dk, I can get around the problem the same way, running Google Chrome 59.0.3071.115.  But that has ALWAYS been the workaround for self-signed certs for me on Chrome, this is not something that has changed in years in my experience.

Established Member
Posts: 1,328
Registered: ‎02-04-2015
Kudos: 745
Solutions: 55

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

This isn't really solving your problem and I know people hold their chosen browser next to their religion and political party, but have you considered Firefox?  It will

1. permanently store the security exception

2. still allow you to save your login on the "compromised" site

 

I use it to access all of my UBNT gear because of this (except Unifi-Video since it requires Chrome)

Member
Posts: 240
Registered: ‎12-22-2015
Kudos: 47
Solutions: 3

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

Chrome just won't trust manually imported certificates unless you're running a certificate authority, identifying the router by domain name, and have a complete cert chain.

Firefox, you can just store the cert and never care again.
Emerging Member
Posts: 50
Registered: ‎04-13-2017
Kudos: 14
Solutions: 1

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

I use a free SSL cert from https://letsencrypt.org

It requires that I have a domain, which I did, so there is no extra cost beyond what I'm already paying, and it works in all browsers.

Let me know if you want specific details of my set up.
New Member
Posts: 8
Registered: ‎07-04-2017
Kudos: 7

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.


Hi, I am new here, but thought I would share this as I recently went through replacing all the certs in my home lab.

I use the following to generate a proper CSR with a SAN that the new Chrome likes.

 

You have to get this signed by either one of the CAs out there or your "corporate" CA - I use AD CS.

 

 

# Generates a new 4096-bit key and a CSR whose subjectAltName names the router's FQDN.
# -reqexts SAN picks up the [SAN] section appended to the system openssl.cnf below;
# <( ) is process substitution, so this needs bash (or ksh93).
# Note: -days is ignored when only a CSR is produced; the signing CA sets the lifetime.
openssl req \
  -new \
  -newkey rsa:4096 \
  -days 3650 \
  -nodes \
  -subj "/C=CC/ST=State/L=Location/O=Some Company Name/CN=ubnt.example.com" \
  -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf \
    <(printf "[SAN]\nsubjectAltName=DNS:ubnt.example.com")) \
  -keyout ubnt.key \
  -out ubnt.csr

 

Emerging Member
Posts: 86
Registered: ‎03-28-2012
Kudos: 24
Solutions: 4

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

I appreciate all the suggestions but none actually answers the question: how do you create a self-signed certificate that Google Chrome likes?

 

I think the answer is you no longer can.

 

Up to rev. 57 you could create your own CA and sign the certificate. You would install the key from the CA in Trusted Root Authorities and use the cert that was signed by the CA to replace server.pem on your UBNT device. These steps would turn the status of your ERL3 to "GREEN", not to "NOT SECURE" with a slash through HTTPS, though you could add an exception for your site. Even Firefox is not 100% happy and gives you a "YELLOW" warning even after making an exception.

 

The real rub is that probably 99% of us are managing these small < $150 devices on a LAN, not a WAN. If you could, as an option, disable management over HTTPS and fall back to HTTP on the LAN side, no browser would complain.

 

End users should not have to get an outside 3rd party involved ( sign an unnecessary certificate ) just to keep a web browser from complaining on my LAN.

 

 

 

 

New Member
Posts: 1
Registered: ‎10-31-2016

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

Chrome 58 flags certificates that do not have the SAN (Subject Alternative Name) field populated.

Emerging Member
Posts: 86
Registered: ‎03-28-2012
Kudos: 24
Solutions: 4

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

This is one script I used trying to get a certificate that made Chrome happy.

 

#!/bin/ksh
#
# Builds a private CA, then a server certificate signed by it whose SAN is the
# router's LAN address. Process substitution <( ) needs ksh93 or bash.
#

function CreateCertificateAuthority {

if [ -f ./ubntCA.key ]; then rm ./ubntCA.key; fi
if [ -f ./ubntCA.pem ]; then rm ./ubntCA.pem; fi

#
# Create the Root Key
#
openssl genrsa -out ubntCA.key 2048

#
# Now self-sign this certificate using the root key.
# (With the stock openssl.cnf, "req -x509" adds basicConstraints CA:TRUE.)
#
openssl req -x509 \
            -new \
            -nodes \
            -key ubntCA.key \
            -sha256 \
            -days 3650 \
            -subj "/C=US/ST=DAZED/L=CONFUSED/O=AUTHORITY/CN=BIGAUTHORITY.COM" \
            -out ubntCA.pem

print ""
print "Now install this cert (ubntCA.pem) into workstations Trusted Root Authority."
print ""

}

function CreateServerCertificate {

if [ -f ./server.key ]; then rm ./server.key; fi
if [ -f ./server.csr ]; then rm ./server.csr; fi
if [ -f ./server.crt ]; then rm ./server.crt; fi

#
# Create A Certificate
#
openssl genrsa -out server.key 2048

#
# Now generate the certificate signing request.
#
openssl req -new \
            -key server.key \
            -subj "/C=US/ST=DAZED/L=CONFUSED/O=ERL3/CN=localhost" \
            -out server.csr

#
# Now generate the final certificate from the signing request.
# The SAN goes in -extfile because "x509 -req" does not copy extensions
# from the CSR; this attempt names the LAN IP, not a DNS name, in the SAN.
#
openssl x509 -req \
             -in server.csr \
             -CA ubntCA.pem \
             -CAkey ubntCA.key \
             -CAcreateserial \
             -extfile <(printf "subjectAltName=IP:192.168.1.1") \
             -out server.crt -days 3650 -sha256

}

function CreateServerPem {

# lighttpd reads the certificate followed by its key from a single PEM file.
cat server.crt  > server.pem
cat server.key >> server.pem

}

   CreateCertificateAuthority
   CreateServerCertificate
   CreateServerPem

Emerging Member
Posts: 86
Registered: ‎03-28-2012
Kudos: 24
Solutions: 4

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

Yes, it is encrypted, but until it's trusted you can no longer cache the passwords for this 'LAN' device.
Emerging Member
Posts: 62
Registered: ‎10-03-2016
Kudos: 64
Solutions: 5

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.


You could make a local dns entry like: myrouter.local

and then generate a certificate for that FQDN with the SAN field set.

 

Or, even more secure (like I do): only access the router with SSH and certificates :) Then you don't need to store passwords in a browser. Having a webserver on a router is not the safest thing to do... and it is easily disabled.

 

Best regards,

   Alex

Emerging Member
Posts: 86
Registered: ‎03-28-2012
Kudos: 24
Solutions: 4

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

Thanks Alex, I'm going to try that. As long as Chrome is OK with the local DNS name instead of a raw local IP, and doesn't translate it and still blacklist it, that should work.
Regular Member
Posts: 725
Registered: ‎01-29-2014
Kudos: 291
Solutions: 33

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.


It IS possible, and it will NOT work using a .local domain name.

 

Step-by-step:

 

You need to install your self-issued root certificate as a trusted root certificate authority on whatever PC you use. Because this is not a generally trusted CA, you have to manually install and explicitly trust your root certificate. 

 

The certificate you issue for the ER must be for a valid FQDN.  

You can use: myerl.com  

You cannot use:  myerl.local

 

This FQDN does not need to actually be registered in DNS anywhere except for the system you are using. A quick hack is to add an entry in your PC's local hosts file. Better, set up a static host mapping on your ERL using something like:

set system static-host-mapping host-name myerl.com inet 192.168.1.1

You can then browse to myerl.com in Chrome on your PC, which will take you to your ERL, and you will get the green lock (so long as you have issued the certificate correctly, including Chrome's minimum cert standards; you can't use SHA-1, for example, it must be SHA-256 minimum).

Emerging Member
Posts: 86
Registered: ‎03-28-2012
Kudos: 24
Solutions: 4

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

I think I have a solution, it was member ( OZPhb 

 

 

 

 

 

   d. Start ( lighttpd ) with the command ( /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf )

 

4. Now I installed the ( ubntCA.pem and server.pem ) on both ( Chrome and Firefox ).

 

[ CHROME ]

[screenshot: ubntCA.pem installed in Chrome]

[ FIREFOX ]

[screenshot: ubntCA.pem installed in Firefox]

And this is what my certificate looks like.

[screenshot: the resulting certificate]

 

And this is the script I mentioned.

 

#!/bin/ksh
#
# Builds a private CA, then a server certificate signed by it whose SAN is the
# FQDN you browse to. Process substitution <( ) needs ksh93 or bash.
#

function CreateCertificateAuthority {

if [ -f ./ubntCA.key ]; then rm ./ubntCA.key; fi
if [ -f ./ubntCA.pem ]; then rm ./ubntCA.pem; fi

#
# Create the Root Key
#
openssl genrsa -out ubntCA.key 2048

#
# Now self-sign this certificate using the root key.
# (With the stock openssl.cnf, "req -x509" adds basicConstraints CA:TRUE.)
#
# CN: CommonName
# OU: OrganizationalUnit
# O: Organization
# L: Locality
# S: StateOrProvinceName
# C: CountryName
#
openssl req -x509 \
            -new \
            -nodes \
            -key ubntCA.key \
            -sha256 \
            -days 3650 \
            -subj "/C=US/ST=IS/L=TOTALLY/O=CONFUSED/OU=HERE/CN=THEKEYMASTER.COM" \
            -out ubntCA.pem

print ""
print "Now install this cert (ubntCA.pem) in your workstations Trusted Root Authority."
print ""

}

function CreateServerCertificate {

if [ -f ./server.key ]; then rm ./server.key; fi
if [ -f ./server.csr ]; then rm ./server.csr; fi
if [ -f ./server.crt ]; then rm ./server.crt; fi

#
# Create A Certificate
#
openssl genrsa -out server.key 2048

#
# Now generate the certificate signing request.
#
openssl req -new \
            -key server.key \
            -subj "/C=US/ST=IS/L=ALSOTOTALLY/O=CONFUSED/OU=HERE/CN=GATEKEEPER.COM" \
            -out server.csr

#
# Now generate the final certificate from the signing request.
# The SAN goes in -extfile because "x509 -req" does not copy extensions from
# the CSR; it must name the FQDN you browse to, since Chrome 58+ ignores the CN.
#
openssl x509 -req \
             -in server.csr \
             -CA ubntCA.pem \
             -CAkey ubntCA.key \
             -CAcreateserial \
             -extfile <(printf "subjectAltName=DNS:GATEKEEPER.COM") \
             -out server.crt -days 3650 -sha256

}

function CreateServerPem {

# lighttpd reads the certificate followed by its key from a single PEM file.
cat server.crt  > server.pem
cat server.key >> server.pem

}

   CreateCertificateAuthority
   CreateServerCertificate
   CreateServerPem

 

 

 

Emerging Member
Posts: 79
Registered: ‎04-07-2017
Kudos: 16
Solutions: 2

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

Seems like you figured it out. To clarify, any browser will accept an SSL cert from a trusted CA, even if the host name resolves to an RFC 1918 address. Simply put, SSL certificates are generated based on host name, not IP, so any certificate will fail when accessed by IP alone.
Emerging Member
Posts: 62
Registered: ‎10-03-2016
Kudos: 64
Solutions: 5

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

Great you got it working... :) Just remember the weakness you bring to your PC by installing a homebrew root CA...

If your root-ca ever gets loose, it's quite easy to play man-in-the-middle on every single https site you visit from your pc.

 

If you are not very careful, the risk of leaking your root CA is many times bigger than for all the official real CAs. I suppose that you are not using an HSM.

 

Best regards,

    Alex

New Member
Posts: 10
Registered: ‎11-05-2016

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

I'd be very interested to know how you did this :).

New Member
Posts: 1
Registered: ‎02-27-2018

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

Hi! I am new to the EdgeMax product series and have little understanding of scripts on the edge router. I am stuck on step 2 and step 3. Could you provide more detailed instructions on how to make a script and run it on the edge router?
Member
Posts: 238
Registered: ‎01-10-2016
Kudos: 48
Solutions: 21

Re: WANTED: Instructions for self-signed certificate that Google Chrome v58+ likes.

Just came across this thread as I need to remove my real public cert from my ER-POE as the cert is going to expire soon and I don't want to pay for another one.

The issue that @cron-dk mentioned is real, but is easy enough to avoid: when you create the new CA root, set its cert with a very long expiry (10 years or more). When you create the cert for the router, set its cert to also have a very long expiry (but not longer than the CA root's). After you've installed all the certs and keys necessary, destroy the CA root's private key, so that no more certs can be issued from that CA. If the key file is gone, it can't leak out :-)
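Added example, not code from any poster in this thread or from Ubiquiti: one POSIX shell script that combines the step-by-step above (private root CA, certificate for a real FQDN, static host mapping on the ERL), the SAN CSR recipe, the accepted script, and the last reply's point about lifetimes and the root key, and then checks the result with openssl the way a browser would: the chain builds to the private root, the FQDN matches through the SAN while the raw LAN IP 192.168.1.1 does not, the signature is SHA-256, and the server certificate expires before the root. myerl.com and 192.168.1.1 are the thread's values; the organisation name, file names and lifetimes are constructed for the example. It assumes OpenSSL 1.1 or newer on the workstation (openssl verify's -verify_hostname and -verify_ip options, openssl x509 -checkend) and that lighttpd wants certificate and key in one PEM file, as the thread's script builds it.

```shell
#!/bin/sh
# Added example; not code from the thread or from Ubiquiti. Builds a private
# root CA and an EdgeOS server certificate that carries a subjectAltName, then
# checks the properties the thread says Chrome 58+ needs before server.pem is
# copied to /etc/lighttpd/server.pem on the router.
# Assumes OpenSSL 1.1 or newer on the PATH and a POSIX shell. The FQDN
# (myerl.com) and LAN address (192.168.1.1) are the thread's values; the
# organisation name, file names and lifetimes below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ERL_HOST="myerl.com"   # name mapped to the router; Chrome does not accept .local
CA_DAYS=3650           # the root outlives the server certificate ...
SRV_DAYS=1825          # ... so the server certificate never expires after it

# One config file for every openssl call, so the system openssl.cnf is not
# needed: an (empty) DN section because -subj supplies the names, plus the two
# extension sets. 'openssl x509 -req' does not copy extensions from the CSR,
# which is why the SAN is supplied again at signing time via -extensions.
write_config() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$ERL_HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Root CA: ubntCA.pem is what gets imported into each workstation's Trusted
# Root Authorities store; ubntCA.key stays on this machine.
make_ca() {
    openssl genrsa -out "$WORK/ubntCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days "$CA_DAYS" \
        -key "$WORK/ubntCA.key" -config "$WORK/req.cnf" -extensions v3_ca \
        -subj "/O=Home Lab/CN=Home Lab Root CA" -out "$WORK/ubntCA.pem" 2>/dev/null
}

# Server certificate: the CN carries the FQDN for old clients, the SAN is what
# Chrome 58+ actually matches. lighttpd reads certificate and key from one file.
make_server_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/server.key" -config "$WORK/req.cnf" \
        -subj "/O=Home Lab/CN=$ERL_HOST" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$SRV_DAYS" -in "$WORK/server.csr" \
        -CA "$WORK/ubntCA.pem" -CAkey "$WORK/ubntCA.key" -CAcreateserial \
        -extfile "$WORK/req.cnf" -extensions v3_server \
        -out "$WORK/server.crt" 2>/dev/null
    cat "$WORK/server.crt" "$WORK/server.key" > "$WORK/server.pem"
}

# The checks a browser makes, scripted with openssl. Returns 0 only if all hold.
check_server_cert() {
    crt="$WORK/server.crt"; ca="$WORK/ubntCA.pem"
    # chain builds to the private root (what importing ubntCA.pem gives Chrome)
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK' || return 1
    # the browsed name is matched against the SAN, not the CN ...
    openssl verify -CAfile "$ca" -verify_hostname "$ERL_HOST" "$crt" 2>/dev/null \
        | grep -q ': OK' || return 1
    # ... so browsing to the raw LAN IP has nothing to match and is refused
    if openssl verify -CAfile "$ca" -verify_ip 192.168.1.1 "$crt" 2>/dev/null \
        | grep -q ': OK'; then return 1; fi
    # Chrome's floor is SHA-256; a sha1WithRSAEncryption signature is rejected
    openssl x509 -in "$crt" -noout -text \
        | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    # -checkend exits 1 when the cert expires within N seconds: the server cert
    # must expire inside the root's lifetime, the root not inside the server's
    openssl x509 -in "$crt" -noout -checkend $((CA_DAYS * 86400)) >/dev/null && return 1
    openssl x509 -in "$ca" -noout -checkend $((SRV_DAYS * 86400)) >/dev/null || return 1
    return 0
}

# Once ubntCA.pem is imported everywhere and server.pem is on the router, the
# root key is no longer needed; deleting it means no further certificates can
# be issued from (or leaked out of) this root.
retire_ca_key() {
    rm -f "$WORK/ubntCA.key"
    [ ! -e "$WORK/ubntCA.key" ]
}

write_config
make_ca
make_server_cert
if check_server_cert; then
    echo "server.pem ready in $WORK (copy to /etc/lighttpd/server.pem on the router)"
else
    echo "certificate check failed" >&2
    exit 1
fi
```

Run it on the workstation, import ubntCA.pem into the Trusted Root Authorities store, copy server.pem to /etc/lighttpd/server.pem on the router and restart lighttpd as in step d above, and map the name on the ERL with the set system static-host-mapping command quoted earlier in the thread. Call retire_ca_key only after every workstation that needs the root has it installed, since nothing further can be issued once the key is gone; to renew before SRV_DAYS runs out, keep the key and rerun make_server_cert.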
