[opensuse] Firefox - on the security exceptions - self-signed certificates
Hi, I set up Synology NAS server and allowed only HTTPS access for the web interface. It has self-signed certificate, but as it is only for internal purposes, it is not any problem. In Firefox, I went to the web interface. Of course, Firefox complained about invalid certificate. So that I added the security exception. It was working fine, but as requested by our network admin, I had to change the network settings and set domain name. It seems Firefox has somehow related the certificate with the old network settings and it does not allow me to access the site now. And there is no possibility to add the security exception, nothing. Firefox just points to https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure... I checked Firefox settings, but I didn't find neither the respective certificate nor the domain. So how can I add/change the security exception settings to access the site now? Thanks, V. -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/ https://trapa.cz/
Vojtěch Zeisek wrote:
Hi, I set up Synology NAS server and allowed only HTTPS access for the web interface. It has self-signed certificate, but as it is only for internal purposes, it is not any problem. In Firefox, I went to the web interface. Of course, Firefox complained about invalid certificate. So that I added the security exception.
Right.
It was working fine, but as requested by our network admin, I had to change the network settings and set domain name.
What does this mean? where did you what?
It seems Firefox has somehow related the certificate with the old network settings and it does not allow me to access the site now.
Did the NAS server change name? A certificate is tied to the name - if your NAS server used to be called "vojtechnas", and it's now called "vojtechnas.local.network", that's the problem.
And there is no possibility to add the security exception, nothing. Firefox just points to
https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure...
I checked Firefox settings, but I didn't find neither the respective certificate nor the domain. So how can I add/change the security exception settings to access the site now? Thanks,
Try deleting the earlier exception. -- Per Jessen, Zürich (19.0°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Dne pátek 6. května 2016 13:39:10 CEST, Per Jessen napsal(a):
Vojtěch Zeisek wrote:
I set up Synology NAS server and allowed only HTTPS access for the web interface. It has self-signed certificate, but as it is only for internal purposes, it is not any problem. In Firefox, I went to the web interface. Of course, Firefox complained about invalid certificate. So that I added the security exception.
Right.
It was working fine, but as requested by our network admin, I had to change the network settings and set domain name.
What does this mean? where did you what?
I obtained public IP address (it has static IP, I changed it respectively) and changed routing in its web interface.
It seems Firefox has somehow related the certificate with the old network settings and it does not allow me to access the site now.
Did the NAS server change name? A certificate is tied to the name - if your NAS server used to be called "vojtechnas", and it's now called "vojtechnas.local.network", that's the problem.
Yes, there was such a change in the server name. I created new certificate, but Firefox still has the same problem... :-(
And there is no possibility to add the security exception, nothing. Firefox just points to https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean I checked Firefox settings, but I didn't find neither the respective certificate nor the domain. So how can I add/change the security exception settings to access the site now? Thanks,
Try deleting the earlier exception.
I'd like to do so, but I didn't find the right place where it is stored... :-( -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/ https://trapa.cz/
Vojtěch Zeisek wrote:
I checked Firefox settings, but I didn't find neither the respective certificate nor the domain. So how can I add/change the security exception settings to access the site now? Thanks,
Try deleting the earlier exception.
I'd like to do so, but I didn't find the right place where it is stored... :-(
It's under Preferences->Advanced->Certificates. -- Per Jessen, Zürich (21.3°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
Dne pátek 6. května 2016 16:08:51 CEST, Per Jessen napsal(a):
Vojtěch Zeisek wrote:
I checked Firefox settings, but I didn't find neither the respective certificate nor the domain. So how can I add/change the security exception settings to access the site now? Thanks,
Try deleting the earlier exception.
I'd like to do so, but I didn't find the right place where it is stored... :-(
It's under Preferences->Advanced->Certificates.
Weird. This certificate/server is missing from the list. There is possibility to manually add the exception, but it says that fetching security information failed. And Firefox keeps having same problem. Opera and Chromium work fine. -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/ https://trapa.cz/
On 2016-05-06 16:36, Vojtěch Zeisek wrote:
Dne pátek 6. května 2016 16:08:51 CEST, Per Jessen napsal(a):
Vojtěch Zeisek wrote:
I checked Firefox settings, but I didn't find neither the respective certificate nor the domain. So how can I add/change the security exception settings to access the site now? Thanks,
Try deleting the earlier exception.
I'd like to do so, but I didn't find the right place where it is stored... :-(
It's under Preferences->Advanced->Certificates.
Weird. This certificate/server is missing from the list. There is possibility to manually add the exception, but it says that fetching security information failed. And Firefox keeps having same problem. Opera and Chromium work fine.
Have you tried Firefox in safe mode and/or with a different profile? Or you could try installing a fresh copy of Firefox from Mozilla under say /opt to see if that resolves the problem.
Dne pátek 6. května 2016 16:41:46 CEST, Dave Howorth napsal(a):
On 2016-05-06 16:36, Vojtěch Zeisek wrote:
Dne pátek 6. května 2016 16:08:51 CEST, Per Jessen napsal(a):
Vojtěch Zeisek wrote:
I checked Firefox settings, but I didn't find neither the respective certificate nor the domain. So how can I add/change the security exception settings to access the site now? Thanks,
Try deleting the earlier exception.
I'd like to do so, but I didn't find the right place where it is stored... :-(
It's under Preferences->Advanced->Certificates.
Weird. This certificate/server is missing from the list. There is possibility to manually add the exception, but it says that fetching security information failed. And Firefox keeps having same problem. Opera and Chromium work fine. Have you tried Firefox in safe mode and/or with a different profile?
Or you could try installing a fresh copy of Firefox from Mozilla under say /opt to see if that resolves the problem.
It works then, but I don't have all my history, bookmarks, add-ons, ... in such Firefox... When switching back, it is the same again. -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/ https://trapa.cz/
Am Freitag, 6. Mai 2016, 18:14:13 schrieb Vojtěch Zeisek:
Dne pátek 6. května 2016 16:41:46 CEST, Dave Howorth napsal(a): [...]
Or you could try installing a fresh copy of Firefox from Mozilla under say /opt to see if that resolves the problem.
It works then, but I don't have all my history, bookmarks, add-ons, ... in such Firefox... When switching back, it is the same again.
So, this copy will not use your profile, which may cause the problem. Could you temporarily move the following files of your profile to a safe place while Firefox is not running, restart Firefox and try again: cert_override.txt (your security exceptions), SiteSecurityServiceState.txt (your HSTS states), cert8.db (your imported certificates). Gruß Jan -- No snowflake in an avalanche ever feels responsible.
Dne sobota 7. května 2016 9:48:43 CEST, Jan Ritzerfeld napsal(a):
Am Freitag, 6. Mai 2016, 18:14:13 schrieb Vojtěch Zeisek:
Dne pátek 6. května 2016 16:41:46 CEST, Dave Howorth napsal(a):
Or you could try installing a fresh copy of Firefox from Mozilla under say /opt to see if that resolves the problem.
It works then, but I don't have all my history, bookmarks, add-ons, ... in such Firefox... When switching back, it is the same again.
So, this copy will not use your profile, which may cause the problem. Could you temporarily move the following files of your profile to a safe place while Firefox is not running, restart Firefox and try again: cert_override.txt (your security exceptions), SiteSecurityServiceState.txt (your HSTS states), cert8.db (your imported certificates).
Weird, but this did not help. :-( -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/ https://trapa.cz/
Am Sonntag, 8. Mai 2016, 10:02:11 schrieb Vojtěch Zeisek:
Dne sobota 7. května 2016 9:48:43 CEST, Jan Ritzerfeld napsal(a):
Am Freitag, 6. Mai 2016, 18:14:13 schrieb Vojtěch Zeisek: [...]
It works then, but I don't have all my history, bookmarks, add-ons, ... in such Firefox... When switching back, it is the same again.
So, this copy will not use your profile, which may cause the problem. Could you temporarily move the following files of your profile to a safe place while Firefox is not running, restart Firefox and try again: cert_override.txt (your security exceptions), SiteSecurityServiceState.txt (your HSTS states), cert8.db (your imported certificates).
Weird, but this did not help. :-(
Too bad. Since it works with a new profile, it might help to "refresh firefox". This will reset many settings and remove extensions but not your history and bookmarks. See here for details: https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-setti... Gruß Jan -- All religions issue Bibles against Satan, and say the most injurious things against him, but we never hear his side!
Vojtěch Zeisek wrote:
Dne pátek 6. května 2016 16:08:51 CEST, Per Jessen napsal(a):
Vojtěch Zeisek wrote:
I checked Firefox settings, but I didn't find neither the respective certificate nor the domain. So how can I add/change the security exception settings to access the site now? Thanks,
Try deleting the earlier exception.
I'd like to do so, but I didn't find the right place where it is stored... :-(
It's under Preferences->Advanced->Certificates.
Weird. This certificate/server is missing from the list. There is possibility to manually add the exception, but it says that fetching security information failed. And Firefox keeps having same problem.
Was it a temporary exception? If so, you have to restart Firefox to clear it. -- Per Jessen, Zürich (22.8°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
Dne pátek 6. května 2016 17:52:24 CEST, Per Jessen napsal(a):
Vojtěch Zeisek wrote:
Dne pátek 6. května 2016 16:08:51 CEST, Per Jessen napsal(a):
Vojtěch Zeisek wrote:
I checked Firefox settings, but I didn't find neither the respective certificate nor the domain. So how can I add/change the security exception settings to access the site now? Thanks,
Try deleting the earlier exception.
I'd like to do so, but I didn't find the right place where it is stored... :-(
It's under Preferences->Advanced->Certificates.
Weird. This certificate/server is missing from the list. There is possibility to manually add the exception, but it says that fetching security information failed. And Firefox keeps having same problem.
Was it a temporary exception? If so, you have to restart Firefox to clear it.
It was permanent exception. But it is not listed. I tried to export the certificate in Opera and import it into Firefox. And it doesn't work - still same error... -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/ https://trapa.cz/
On 2016-05-06 12:58, Vojtěch Zeisek wrote:
Hi, I set up Synology NAS server and allowed only HTTPS access for the web interface. It has self-signed certificate, but as it is only for internal purposes, it is not any problem. In Firefox, I went to the web interface. Of course, Firefox complained about invalid certificate. So that I added the security exception. It was working fine, but as requested by our network admin, I had to change the network settings and set domain name.
You also have to renew the certificate at the site, and it has to refer to the actual domain, not the old one. If you don't, Firefox will deny access as the certificate of the site does not match the name of the site. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Dne sobota 7. května 2016 13:31:12 CEST, Carlos E. R. napsal(a):
On 2016-05-06 12:58, Vojtěch Zeisek wrote:
Hi, I set up Synology NAS server and allowed only HTTPS access for the web interface. It has self-signed certificate, but as it is only for internal purposes, it is not any problem. In Firefox, I went to the web interface. Of course, Firefox complained about invalid certificate. So that I added the security exception. It was working fine, but as requested by our network admin, I had to change the network settings and set domain name.
You also have to renew the certificate at the site, and it has to refer to the actual domain, not the old one. If you don't, Firefox will deny access as the certificate of the site does not match the name of the site.
Sure, I did this. -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/ https://trapa.cz/
Am Freitag, 6. Mai 2016, 12:58:05 schrieb Vojtěch Zeisek:
[...] I set up Synology NAS server and allowed only HTTPS access for the web interface. It has self-signed certificate, but as it is only for internal purposes, it is not any problem.
Well, current browsers do not like self-signed certificates. So, I would suggest that you create your own CA, deploy its certificate on all of the internal clients, create a certificate for your NAS with matching SANs, and sign it with your own CA certificate. This will be pretty efficient if you want to secure multiple internal servers because you only have to deploy exactly one certificate to get rid of all the browser warnings. I did this for my NAS, printer, and router. If you need any help, I will be happy to provide openssl configuration files and the corresponding commands to create all of the above. However, if "internal purposes" means that only a limited set of people should access the Web Server of your NAS via a regular domain name then upgrade to DSM 6 and use Let's Encrypt to remove the necessity of creating and deploying any CA certificate at all. I cannot do it this way because my NAS is accessible only via VPN, intentionally. Gruß Jan -- To think is easy and to act is hard, but the hardest thing in the world is to act in accordance with your thinking.
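The own-CA setup Jan describes above, together with Per's earlier point that a certificate is tied to the host name, as an added example that is not part of this thread: it uses Go's standard library instead of the openssl commands Jan offers, builds a private CA, issues a NAS certificate with DNS SANs, and shows that a certificate for the old name "vojtechnas" is rejected for the renamed host "vojtechnas.local.network" while one carrying the new name as a SAN is accepted. The CA name "Example Home CA" and the host names are constructed, and x509.Verify stands in for the browser's check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and signs tmpl with signer (nil = self-signed).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// makeCA builds the private CA whose certificate is deployed on every client (name is constructed).
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Home CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// issueServerCert signs a NAS leaf with the given DNS SANs; browsers match the URL host against these.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, sans []string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(2, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _ := issue(tmpl, ca, caKey) // the server key would be installed on the NAS
	return cert
}

// hostnameAccepted: would a client trusting only ca accept leaf for host? Chain must build AND a SAN must match.
func hostnameAccepted(ca, leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, caKey := makeCA()
	old := issueServerCert(ca, caKey, []string{"vojtechnas"})
	renewed := issueServerCert(ca, caKey, []string{"vojtechnas", "vojtechnas.local.network"})
	fmt.Println(hostnameAccepted(ca, old, "vojtechnas.local.network"))     // false: renamed host
	fmt.Println(hostnameAccepted(ca, renewed, "vojtechnas.local.network")) // true: SAN matches
}
```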
Dne sobota 7. května 2016 17:52:32 CEST, Jan Ritzerfeld napsal(a):
Am Freitag, 6. Mai 2016, 12:58:05 schrieb Vojtěch Zeisek:
I set up Synology NAS server and allowed only HTTPS access for the web interface. It has self-signed certificate, but as it is only for internal purposes, it is not any problem.
Well, current browsers do not like self-signed certificates. So, I would suggest that you create your own CA, deploy its certificate on all of the internal clients, create a certificate for your NAS with matching SANs, and sign it with your own CA certificate. This will be pretty efficient if you want to secure multiple internal servers because you only have to deploy exactly one certificate to get rid of all the browser warnings. I did this for my NAS, printer, and router. If you need any help, I will be happy to provide openssl configuration files and the corresponding commands to create all of the above.
However, if "internal purposes" means that only a limited set of people should access the Web Server of your NAS via a regular domain name then
Yes, it is the case, so that I think own CA is too much work...
upgrade to DSM 6 and use Let's Encrypt to remove the necessity of creating and deploying any CA certificate at all. I cannot do it this way because my NAS is accessible only via VPN, intentionally.
I did upgrade to DSM 6. Do you have experience with Let's Encrypt? I wonder why it needs port 80 opened... -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/ https://trapa.cz/
Vojtěch Zeisek wrote:
Dne sobota 7. května 2016 17:52:32 CEST, Jan Ritzerfeld napsal(a):
Am Freitag, 6. Mai 2016, 12:58:05 schrieb Vojtěch Zeisek:
I set up Synology NAS server and allowed only HTTPS access for the web interface. It has self-signed certificate, but as it is only for internal purposes, it is not any problem.
Well, current browsers do not like self-signed certificates. So, I would suggest that you create your own CA, deploy its certificate on all of the internal clients, create a certificate for your NAS with matching SANs, and sign it with your own CA certificate. This will be pretty efficient if you want to secure multiple internal servers because you only have to deploy exactly one certificate to get rid of all the browser warnings. I did this for my NAS, printer, and router. If you need any help, I will be happy to provide openssl configuration files and the corresponding commands to create all of the above.
However, if "internal purposes" means that only a limited set of people should access the Web Server of your NAS via a regular domain name then
Yes, it is the case, so that I think own CA is too much work...
upgrade to DSM 6 and use Let's Encrypt to remove the necessity of creating and deploying any CA certificate at all. I cannot do it this way because my NAS is accessible only via VPN, intentionally.
I did upgrade to DSM 6. Do you have experience with Let's Encrypt? I wonder why it needs port 80 opened...
That's how it communicates with the core server. -- Per Jessen, Zürich (15.8°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
Dne neděle 8. května 2016 10:19:59 CEST, Per Jessen napsal(a):
Vojtěch Zeisek wrote:
Dne sobota 7. května 2016 17:52:32 CEST, Jan Ritzerfeld napsal(a):
Am Freitag, 6. Mai 2016, 12:58:05 schrieb Vojtěch Zeisek:
I set up Synology NAS server and allowed only HTTPS access for the web interface. It has self-signed certificate, but as it is only for internal purposes, it is not any problem.
Well, current browsers do not like self-signed certificates. So, I would suggest that you create your own CA, deploy its certificate on all of the internal clients, create a certificate for your NAS with matching SANs, and sign it with your own CA certificate. This will be pretty efficient if you want to secure multiple internal servers because you only have to deploy exactly one certificate to get rid of all the browser warnings. I did this for my NAS, printer, and router. If you need any help, I will be happy to provide openssl configuration files and the corresponding commands to create all of the above.
However, if "internal purposes" means that only a limited set of people should access the Web Server of your NAS via a regular domain name then
Yes, it is the case, so that I think own CA is too much work...
upgrade to DSM 6 and use Let's Encrypt to remove the necessity of creating and deploying any CA certificate at all. I cannot do it this way because my NAS is accessible only via VPN, intentionally.
I did upgrade to DSM 6. Do you have experience with Let's Encrypt? I wonder why it needs port 80 opened...
That's how it communicates with the core server.
So could I allow connection on port 80 only from certain IP? -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/ https://trapa.cz/
Vojtěch Zeisek wrote:
Dne neděle 8. května 2016 10:19:59 CEST, Per Jessen napsal(a):
Vojtěch Zeisek wrote:
Dne sobota 7. května 2016 17:52:32 CEST, Jan Ritzerfeld napsal(a):
Am Freitag, 6. Mai 2016, 12:58:05 schrieb Vojtěch Zeisek:
I set up Synology NAS server and allowed only HTTPS access for the web interface. It has self-signed certificate, but as it is only for internal purposes, it is not any problem.
Well, current browsers do not like self-signed certificates. So, I would suggest that you create your own CA, deploy its certificate on all of the internal clients, create a certificate for your NAS with matching SANs, and sign it with your own CA certificate. This will be pretty efficient if you want to secure multiple internal servers because you only have to deploy exactly one certificate to get rid of all the browser warnings. I did this for my NAS, printer, and router. If you need any help, I will be happy to provide openssl configuration files and the corresponding commands to create all of the above.
However, if "internal purposes" means that only a limited set of people should access the Web Server of your NAS via a regular domain name then
Yes, it is the case, so that I think own CA is too much work...
upgrade to DSM 6 and use Let's Encrypt to remove the necessity of creating and deploying any CA certificate at all. I cannot do it this way because my NAS is accessible only via VPN, intentionally.
I did upgrade to DSM 6. Do you have experience with Let's Encrypt? I wonder why it needs port 80 opened...
That's how it communicates with the core server.
So could I allow connection on port 80 only from certain IP?
Well, Let's Encrypt in the default/automatic mode assumes you are running a webserver on the same machine. To carry out the domain validation, Let's Encrypt needs to access your webserver. I would presume multiple possible source IPs, but I don't know. -- Per Jessen, Zürich (16.5°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
Am Sonntag, 8. Mai 2016, 10:05:15 schrieb Vojtěch Zeisek:
Dne sobota 7. května 2016 17:52:32 CEST, Jan Ritzerfeld napsal(a): [...]
However, if "internal purposes" means that only a limited set of people should access the Web Server of your NAS via a regular domain name then
Yes, it is the case, so that I think own CA is too much work...
Well, it is not that easy, but I think deploying your CA certificate on all the clients might be too much work if you have to persuade the users of the clients to trust all of your certificates, even the ones issued for *.google.com. ;)
upgrade to DSM 6 and use Let's Encrypt to remove the necessity of creating and deploying any CA certificate at all. I cannot do it this way because my NAS is accessible only via VPN, intentionally.
I did upgrade to DSM 6. Do You have experience with Let's Encrypt? I wonder why it needs port 80 opened...
No, because I do not want to expose my NAS to the whole Internet. And Let's Encrypt needs port 80 or 443 opened to validate your ownership of the domain regularly. This is why Let's Encrypt certificates expire pretty soon. So, if you want to restrict access to your NAS via IP addresses, you cannot use the automatic renewal of your certificate and have to do this manually, every 90 days. And this is why "I cannot do it this way" but I still like the idea of Let's Encrypt very much. Gruß Jan -- It's better to keep your mouth shut and appear stupid, than to open it and remove all doubt.