LinuxQuestions.org
Old 03-11-2017, 03:31 PM   #1
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,285

Rep: Reputation: 354
Help! LinuxMint: GoogleChrome: HTTPS: Self-signed certificates


How do I force Google Chrome to permanently accept a self-signed certificate for an HTTPS connection? This is trivially easy in Firefox, but I can't find how to do it in Chrome. I've searched Google, and there are all kinds of procedures documented, except none of them appear applicable for me. Some say to export the site's certificate then import it. But I can't find any way to export the site's certificate in Chrome (or even view it!). Some instructions say to click on the "X" on the lock icon in the location bar and you can navigate to export from there. I don't have a lock icon. I have a triangle with an exclamation mark. Clicking on it indeed brings up a menu, but nothing about SSL certs is present. Some instructions say to import directly into Chrome via certificate management, others say you must use a command line utility ("certutil", or something like that).

Nothing in any of the differing instructions I have found matches what Chrome is letting me do. Does each new version of Chrome have a totally different interface for doing things, or what?

This is my own website, hosted on a Raspberry Pi about 18 inches from the other Linux computer I am trying to access it with. I don't need an officially signed certificate (or the cost incurred by that). Nor do I want to use the free signing service "LetsEncrypt", because you have to go back and validate/renew your signed certificate every 90 days with them. I'm perfectly happy with self-signed. But Chrome does not appear to be at all willing to let me use that.

[ Note: I don't technically need to export the site's cert from Chrome, because I own the site, created the cert myself, and installed it myself. So of course I have access to it. But eventually others, besides me, are going to use this website and they won't have direct access to the cert as I do - they'll need to export it from Chrome. I guess they could export it using Firefox, but that's a heavy requirement - to install a completely different web browser - just so you can export a cert! ]

Help!

Running Google Chrome on LinuxMint Sarah 64 bit, Mate desktop

Google Chrome version: 57.0.2987.98 (Official Build) (64-bit)

Thanks in advance for any suggestions.

[edit] In Chrome, you CAN get through to the self-signed cert protected website. But Chrome prominently displays a bold red "This site is not secure!" warning in your face (even after you've told Chrome to proceed to the site). That doesn't scare me, because I know what it means, but that will not be the case for my other users. Firefox displays a much more subdued warning that specifically tells you that your communications are indeed encrypted, but that the cert is not signed by a recognized authority. So my issue is not that I can't physically get through to the site using Chrome, the issue is that Chrome refuses to shut up with its end-of-the-world scare tactics even after you tell it to proceed. [/edit]

Last edited by haertig; 03-11-2017 at 03:41 PM.
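
The export-then-import route with "certutil" that the post above mentions, sketched as an added example that is not part of the original thread. It assumes Chrome on Linux reads the per-user NSS database at ~/.pki/nssdb, that certutil comes from the libnss3-tools package, and that the site owner has given the user the certificate's SHA-256 fingerprint out of band; the script name and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: pin one self-signed server certificate
# in the per-user NSS database that Chrome on Linux reads (~/.pki/nssdb).
# Needs openssl and certutil (package libnss3-tools on Debian/Ubuntu/Mint).
# Hypothetical usage: sh pin-cert.sh HOST NICKNAME EXPECTED_SHA256

NSSDB_DIR="$HOME/.pki/nssdb"

# Print the leaf certificate the server presents, as PEM (needs network).
fetch_cert() {  # fetch_cert HOST [PORT]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Print the SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_fingerprint() {  # cert_fingerprint FILE
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Succeed only if FILE's fingerprint equals EXPECTED (colons and case ignored).
fingerprint_matches() {  # fingerprint_matches FILE EXPECTED
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$want" ] && [ "$(cert_fingerprint "$1")" = "$want" ]
}

# Import FILE as a trusted TLS peer ("P,,"), only after the fingerprint check.
trust_cert() {  # trust_cert FILE NICKNAME EXPECTED
    fingerprint_matches "$1" "$3" || {
        echo "fingerprint mismatch, not importing" >&2; return 1; }
    [ -d "$NSSDB_DIR" ] || {
        echo "no $NSSDB_DIR; start Chrome once to create it" >&2; return 1; }
    certutil -d "sql:$NSSDB_DIR" -A -t "P,," -n "$2" -i "$1"
}

# Only act when called with HOST NICKNAME EXPECTED_SHA256.
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp) && fetch_cert "$1" >"$tmp" && trust_cert "$tmp" "$2" "$3"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```

Restart Chrome after importing. The pin can be removed again with `certutil -d sql:$HOME/.pki/nssdb -D -n NICKNAME`.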
 
Old 03-11-2017, 07:11 PM   #2
cloud4g
LQ Newbie
 
Registered: Aug 2013
Posts: 3

Rep: Reputation: Disabled
If you have a fully qualified domain name registered for your web site, the best thing to do, IMO, is to use Letsencrypt to create free domain certificates for your site. The process is easy after doing a bit of reading. If you are using a host interface such as control panel or Virtualmin/Webmin you can simply install letsencrypt on your server and then use the host interface to generate the cert. Letsencrypt installs a file folder under your html home directory (usually under www or public_html/yourserver). It uses that to verify that you are the legitimate owner of the FQ domain.

Once that is set up, you can have the certificate reissued automatically so that it will never expire (unless something goes blip in the night).

The advantage of using Letsencrypt is that not only can you use the site using Google Chrome or most any other browser without the exception hassle, but anyone else can use it. It is also a good thing to learn how to do in case you want to set up other sites.
 
Old 03-11-2017, 08:55 PM   #3
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,285

Original Poster
Rep: Reputation: 354
If LetsEncrypt will allow auto-renew, then I'll look into that further. I didn't think it allowed that. Chances are, I would forget to renew manually every 90 days (more like, "with 100% probability I'd forget to renew"!) so that is why I didn't want to use LetsEncrypt. I will investigate that auto-renew stuff some more.

Still, I'd like to know how to force stupid Chrome to accept self-signed certs. That seems like a glaring omission in that browser. Maybe not "omission", but making it so hard to complete the task. So far, I haven't found any way to complete the task, so for all practical purposes in my current situation, it is an omission.
 
Old 03-12-2017, 01:33 AM   #4
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 17,403
Blog Entries: 10

Rep: Reputation: 5214
Quote:
Originally Posted by haertig View Post
In Chrome, you CAN get through to the self-signed cert protected website. But Chrome prominently displays a bold red "This site is not secure!" warning in your face (even after you've told Chrome to proceed to the site). That doesn't scare me, because I know what it means, but that will not be the case for my other users.
this is part of Google's policy.
they think they can decide which parts of the internet are secure and which aren't. and since google apps and services are everywhere, they can.

similar complaints to their email services:
if you have a slightly non-standard setup, your emails go to spam. nothing to do about it.
 
Old 03-12-2017, 06:29 PM   #5
cloud4g
LQ Newbie
 
Registered: Aug 2013
Posts: 3

Rep: Reputation: Disabled
Quote:
Originally Posted by haertig View Post
If LetsEncrypt will allow auto-renew, then I'll look into that further. I didn't think it allowed that. Chances are, I would forget to renew manually every 90 days (more like, "with 100% probability I'd forget to renew"!) so that is why I didn't want to use LetsEncrypt. I will investigate that auto-renew stuff some more.

Still, I'd like to know how to force stupid Chrome to accept self-signed certs. That seems like a glaring omission in that browser. Maybe not "omission", but making it so hard to complete the task. So far, I haven't found any way to complete the task, so for all practical purposes in my current situation, it is an omission.
You can set up a CRON job through the command line or use a host interface module if the one you use is so equipped. Letsencrypt's server does not do this for you, it just serves up the certificates.

Email can use the FQDN cert but you need to set up your mail server so that it complies with CAN SPAM or else your emails will be filtered out and your domain will get blacklisted. Postfix and other mailservers can be set up. I use Virtualmin/Webmin which I recommend if you want to host your own mailserver. You need to have a secured server as a first step.
 
Old 03-12-2017, 08:37 PM   #6
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,285

Original Poster
Rep: Reputation: 354
Thanks. I don't need a mail server for this application. My wife and kids and son-in-law were all running out of cloud storage. Most of that was iCloud, but one uses Windows and has some other cloud set up. So it was either they had to each start paying for additional cloud space, which gets expensive real fast once you've passed the "free" allotments, or I would provide them with some private cloud space. So I implemented "NextCloud" on a Raspberry Pi 3, adding an unused old external 250Gb drive for storage, and now they have LOTS of cloud space available. The Pi 3 is perfect for this application. Dirt cheap, and plenty fast enough (thus far in my testing).

These are not the folks I worried about seeing Chrome's dire "This site is not secure!" warnings. I will soon be creating a guest account set up on NextCloud where I can make larger files available for transfer to friends and associates without running into email size limits that nuke large file transfers. I was investigating how to configure Chrome to stop the screaming and yelling about the self-signed cert, so I could inform them how to do that.

You can see how Chrome gives you its in-your-face fear-mongering warning in the screenshot below. This is AFTER you've already gotten past the really scary warning, and told Chrome that it's OK to continue to the site.
[Attached image: nc.jpg]

Last edited by haertig; 03-12-2017 at 08:38 PM.
 
Old 03-13-2017, 01:40 AM   #7
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 17,403
Blog Entries: 10

Rep: Reputation: 5214
Quote:
Originally Posted by haertig View Post
I implemented "NextCloud" on a Raspberry Pi 3, adding an unused old external 250Gb drive for storage, and now they have LOTS of cloud space available.
that's the way!
nice!

a little thought:
is it really necessary to have https for this?
 
Old 03-13-2017, 08:27 AM   #8
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,232
Blog Entries: 4

Rep: Reputation: 3260
Quote:
Originally Posted by haertig View Post
If LetsEncrypt will allow auto-renew, then I'll look into that further. I didn't think it allowed that. Chances are, I would forget to renew manually every 90 days (more like, "with 100% probability I'd forget to renew"!) so that is why I didn't want to use LetsEncrypt. I will investigate that auto-renew stuff some more.

Still, I'd like to know how to force stupid Chrome to accept self-signed certs. That seems like a glaring omission in that browser. Maybe not "omission", but making it so hard to complete the task. So far, I haven't found any way to complete the task, so for all practical purposes in my current situation, it is an omission.
Renewal of LetsEncrypt certificates is done by the so-called "ACME Client," which can be run periodically. (In fact, LetsEncrypt suggests running it at random times once per day, just in case there's a certificate-revocation issue to attend to.)

Myself, being a lot more lazy, I set up a systemd .service/.timer which runs once a month.

To me, Chrome is a browser that has de-evolved into "something that is specifically designed for you to consume Google® services with." It is simply not a good choice to use for internal purposes where self-signed certificates might be the norm, and where provisions have been made to designate these certificates as "trusted" within that internal network. Chrome simply does not play nicely with that scenario. (However, in that scenario, "any [other ...] browser should do." You can't necessarily predict, in those cases, which browser you might be talking to anyway.)

Last edited by sundialsvcs; 03-13-2017 at 08:29 AM.
 
Old 03-13-2017, 12:24 PM   #9
cloud4g
LQ Newbie
 
Registered: Aug 2013
Posts: 3

Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs View Post
Renewal of LetsEncrypt certificates is done by the so-called "ACME Client," which can be run periodically. (In fact, LetsEncrypt suggests running it at random times once per day, just in case there's a certificate-revocation issue to attend to.)

Myself, being a lot more lazy, I set up a systemd .service/.timer which runs once a month.

To me, Chrome is a browser that has de-evolved into "something that is specifically designed for you to consume Google® services with." It is simply not a good choice to use for internal purposes where self-signed certificates might be the norm, and where provisions have been made to designate these certificates as "trusted" within that internal network. Chrome simply does not play nicely with that scenario. (However, in that scenario, "any [other ...] browser should do." You can't necessarily predict, in those cases, which browser you might be talking to anyway.)
I am now using Letsencrypt as the default domain cert. It is not hard to set up and I have not run into any problems with automatic renewals. Of course, LE has limitations: It is a FQDN domain certificate and does not prove that the site is secure for commercial use, i.e., does not certify the site as a business or the owner of the domain beyond the fact that the domain is apparently in the control of the owner. That is a limited chain of authority.

What I hope happens is that LE provides more competition so that commercial certificates become less expensive and better automated.
 
Old 03-15-2017, 01:54 AM   #10
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,285

Original Poster
Rep: Reputation: 354
Quote:
Originally Posted by sundialsvcs View Post
To me, Chrome is a browser that has de-evolved into "something that is specifically designed for you to consume Google® services with."
While that is probably true, I switched from Firefox to Chrome a while back for two reasons: (1) Chrome loads in 1/3 the time Firefox does, maybe even faster than that, (2) Chrome does a better job of playing MP4 movies from my Plex Media Server than Firefox. Firefox sometimes has audio anomalies and does not do a very good job of deinterlacing. I don't know if it is Firefox's job to deinterlace, but I see a lot more of those horizontal lines in Firefox than in Chrome (where they are basically non-existent). Flash, with all its problems, will continue to be supported in Chrome (I think), but not in Firefox (Flash may still be in Firefox now, but it's on its way out). Not that I particularly like Flash, actually I kind of hate it, but sometimes Flash is required for a website, like it or not.

I was hesitant to switch to Chrome because I believe it spies on you more than Firefox (I have done everything I could find to stop that, but I still have a sneaking suspicion that it is). I have never had such concerns about Firefox. And Firefox has the "Tree Style Tabs" add-on which is fantastic. Chrome doesn't have anything close. There is a hokey Chrome add-on that opens a second window to display tabs in a tree format, but it is far inferior to the Firefox add-on. I often download movie trailers from YouTube (for use with my Plex Media Server). Chrome has different add-ons for downloading videos, but they all choke on YouTube these days (they didn't used to). The Firefox add-ons work with YouTube. For example, "Video Download Helper" is an add-on that is available for both Firefox and Chrome. This add-on will grab videos from YouTube in Firefox, but not in Chrome. I can't say that all videos are affected, as the only ones I attempt to download are movie trailers. With Chrome, I have to go over to IMDb to download a trailer. With Firefox I can get them from either IMDb or YouTube. YouTube generally has more to choose from, so I prefer that.
 
  

