Self-signed certs no longer work

Just tried building a new GVM 21.04 installation. Once I got through the changes from the previous release, I was able to complete a successful build on a Rocky 8 Linux host.

However, I could not connect! Chrome and also Edge seem to have been recently updated with somewhat stricter security checking. I got an error about the certs being invalid (the usual…), BUT I could not log in, with the exception of using an outdated copy of Firefox. All I got was the error about the cert being invalid. Do not pass go. Do not collect $200. No option to override and proceed.

In the past, with Chrome etc. you’d get the error, but then had the option under the advanced tab to “accept and proceed”. This appears to no longer be the case.

I then shut things down and fired up gsad using “http-only” so I could at least do some testing (all good), and then ended up using actual real SSL certs for my GVM installation, acquired from InCommon via our IT dept.

I cannot say FOR CERTAIN that this isn’t something specific to my own browsers, but I’m pretty sure this is a browser change across the board that will ultimately affect everyone building GVM from source and using the default certs.

I was able to still connect to my older 20.08 host, but I believe that still worked because that had been “accepted” as an exception long ago in my browser.

Anyway, not sure what can be done about it other than to give people a heads up in case you run into this.

Hello @caseybea,

If I correctly understand the main issue, then the best Linux practice is to cover the GSA WUI via Nginx and implement a server-free signed Let’s Encrypt certificate for the FQDN of your Rocky 8 Linux host.

It should be a basic configuration to proxy port 443 to GSA on 8080, plus a rewrite rule to force TLS when communication comes in on port 80.

The SSL certificate could also be your own organization’s, signed by your organization’s CA.

With this configuration “behind Nginx” you are able to adhere to Chrome and Firefox restrictions.

1 Like
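The "behind Nginx" setup the reply describes, written out as an added example (this is not configuration from the thread or from the Greenbone project). It assumes gsad was started in plain-HTTP mode and bound to loopback only, e.g. `gsad --http-only --listen=127.0.0.1 --port=8080`, so that nothing but the local Nginx can reach the unencrypted listener; the hostname `gvm.example.org` and the `/etc/letsencrypt/live/...` certificate paths are placeholders for your own FQDN and whatever Certbot or your organization's CA produced.

```nginx
# Added example, not from the original thread: Nginx terminating TLS in front
# of gsad on the same host. Assumed: gsad on 127.0.0.1:8080 (plain HTTP),
# FQDN gvm.example.org, Let's Encrypt-style cert paths.

# Port 80: nothing is served here, every request is redirected to https.
server {
    listen 80;
    listen [::]:80;
    server_name gvm.example.org;

    return 301 https://$host$request_uri;
}

# Port 443: browser-trusted certificate, proxied to the GSA listener.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name gvm.example.org;

    # Either the Let's Encrypt chain or a cert issued by your organization's CA.
    ssl_certificate     /etc/letsencrypt/live/gvm.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gvm.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:gsa:10m;

    # Once the redirect is in place, tell browsers to never try port 80 again.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        # GSA keeps some requests (report downloads, large scans) open for a while.
        proxy_read_timeout 300s;
    }
}
```

Check it with `nginx -t` before reloading. The one point worth stressing from a security angle is the loopback binding of gsad: if it listens on 0.0.0.0:8080 the TLS proxy is decorative, because anyone on the network can still reach the plaintext login page directly.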

Just set up a small TinyCA and import the root into your browser’s trust store. That will work fine and you won’t get any of these warnings. Firefox still accepts an override if you use private IPs for the management network. Chrome changed its policy and with this move blocks almost all IPMI, BMC, network devices, firewalls and VM solutions. It was industry standard to ship with self-signed certificates and this will not go away anyway.

Plus, your certificates are technically the same as the ones you pay for, and they could be valid for 10 years :wink:

1 Like
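The private-CA approach from the reply above, done with plain `openssl` instead of TinyCA, as an added example that is not part of the thread. It creates a 10-year root CA (the file you import into the browser) and issues a server certificate for the GVM host. One detail the reply leaves implicit: Chrome ignores the certificate's CN and only matches the host against subjectAltName, so the server cert must carry a SAN entry for the name (and, if you browse by IP, an IP entry). The hostname `gvm.example.org`, the address `192.0.2.10` and the output directory `./pki` are assumed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): a minimal private CA with openssl.
# Assumed placeholders: FQDN gvm.example.org, management IP 192.0.2.10,
# output directory ./pki. Requires OpenSSL 1.1.1 or newer.
set -eu

# make_gvm_ca DIR HOST IP
# Creates DIR/ca.crt (import this into the browser), DIR/ca.key,
# DIR/server.key and DIR/server.crt (give these two to gsad or Nginx).
make_gvm_ca() {
    local dir="${1:-./pki}" host="${2:-gvm.example.org}" ip="${3:-192.0.2.10}"
    mkdir -p "$dir"

    # 1. Root CA, 10 years, marked as a CA so browsers accept it as an anchor.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = GVM Lab Root CA
[ca_ext]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
EOF
    openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -sha256 \
        -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    chmod 600 "$dir/ca.key"

    # 2. Server key and CSR. The CN is cosmetic; the SAN below is what counts.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    chmod 600 "$dir/server.key"

    # 3. Sign it. Leaf cert, serverAuth only, SAN with DNS name and IP.
    cat > "$dir/server.ext" <<EOF
basicConstraints   = CA:FALSE
keyUsage           = critical, digitalSignature, keyEncipherment
extendedKeyUsage   = serverAuth
subjectAltName     = DNS:$host, IP:$ip
EOF
    openssl x509 -req -days 825 -sha256 \
        -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/server.crt" >/dev/null 2>&1
    rm -f "$dir/server.csr" "$dir/server.ext"
}

# check_cert_for_browser CAFILE CERT HOST
# Returns 0 only if CERT chains to CAFILE and its SAN lists HOST, i.e. the
# two things a current Chrome needs before it will show the login page.
check_cert_for_browser() {
    local cafile="$1" cert="$2" host="$3"
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:$host" || return 1
    return 0
}

# Usage (writes into ./pki and prints the SAN it issued):
#   make_gvm_ca ./pki gvm.example.org 192.0.2.10
#   check_cert_for_browser ./pki/ca.crt ./pki/server.crt gvm.example.org && echo OK
```

Point gsad at `server.crt`/`server.key` (or use them as `ssl_certificate`/`ssl_certificate_key` in Nginx), import only `ca.crt` into the browsers that manage the scanner, and keep `ca.key` off the GVM host: if the scanner is compromised, an attacker who also gets the CA key can mint a certificate for any name your browsers trust that root for.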