HTTPS issues with browser (self-signed cert not working)

Hi all, can anyone tell me what I'm doing wrong? The aim is to get the browser (Firefox) to trust a certificate generated using the guide at

https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings

so I don't get the insecure warning when I log on to LuCI.

All went well, with mycert.crt and mycert.key generated OK. But trying to import the crt to Firefox (or Chrome) fails. I use Preferences > Privacy & Security > Certificates > View Certificates and then navigate to the crt on my laptop. Hitting Import generates the error "this personal certificate cannot be installed because you do not own the corresponding private key which was created when the certificate was requested."
I tried copying the key from my router, but still get this error when I try to import it.

Any ideas?

What happens when you add by browsing to the page?

I've rebooted the laptop and still get the insecure warning from Firefox...

It imho makes more sense to add OpenWrt's self-generated SSL cert to the few devices regularly used for administration tasks (as in accepting the certificate once, and yes, that works in Firefox), than to generate a local CA and certs as described in that guide. The local CA is a) more work to create and deploy and b) has man-in-the-middle potential and might become a serious security risk if not treated properly.

2 Likes

Ooh... I didn't know I could do that. Are there any instructions anywhere?

When encountering a self-signed certificate, Firefox will offer to create an override for it (to remember it); afterwards it won't bother you about this device/cert combination anymore (aside from displaying a yellow warning label over the SSL lock in the URL bar).

Hi there
My version of Firefox (77.0.i) for Linux doesn't offer to store the exception. It can just go back (recommended) or accept the risk and continue.
FF doesn't store the 'accept the risk' and there is no button to create a permanent exception.

$ LANG= dpkg -l firefox | cat -
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  firefox        77.0-1       amd64        Mozilla Firefox web browser

There is.

This is what I see when I go to LuCI - with no option to make a permanent exception.

What happens when you click on "Accept the Risk and Continue"?

1 Like

It takes me to the LuCI login page.

1 Like

That sounded like your solution... but... odd they don't have the option available like in older versions...

Well, you can also hit "Accept the Risk and Continue;" but if you insist on the permanent exception:

My way: generate CA, then certs. Install cert on the device, import CA in the browser.

1 Like
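The "generate CA, then certs" approach from the post above, as an added example that is not part of the thread. It assumes the OpenSSL command line is installed; the CA name, `openwrt.lan` and `192.168.1.1` are constructed values. `ca.crt` is what the browser imports, while `server.crt` and `server.key` go on the router.

```shell
#!/bin/sh
# Added example. Constructed values: CA name, openwrt.lan, 192.168.1.1.
# ca.key can sign a cert for any site the browser visits once ca.crt is
# trusted, so keep it off the router and off shared machines.

make_luci_chain() {  # usage: make_luci_chain DIR HOSTNAME IP
    dir=$1; host=$2; ip=$3
    # Minimal config so the result does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[dn]' 'CN = Constructed Home CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$dir/ca.cnf"
    # 1. Self-signed CA: this certificate is the one the browser imports.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Router key and signing request.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/server.key" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. Leaf extensions: browsers match the URL against subjectAltName.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host,IP:$ip" > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null
}

check_chain() {  # usage: check_chain DIR NAME (0 = chain and name both OK)
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

is_ca() {  # usage: is_ca CERT (0 = certificate is marked as a CA)
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

d=$(mktemp -d) && make_luci_chain "$d" openwrt.lan 192.168.1.1 &&
    check_chain "$d" openwrt.lan && echo "chain verifies; files in $d"
```

`is_ca` separates the two files: the CA certificate belongs under Firefox's Authorities tab, and the leaf certificate is only ever presented by the router.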

Hiya
Thought that had solved it: the server tab now logs the self-signed cert as permanent, but on rebooting and logging on to LuCI I still get the browser warning!
Maybe this is something I'll just have to live with...