
SSL on IP addresses: net::ERR_CERT_AUTHORITY_INVALID #287

coderofsalvation opened this issue Apr 2, 2025 · 4 comments

coderofsalvation commented Apr 2, 2025

  websocat -E -b -s --pkcs12-der ~/.websocat/q.pkcs12 0.0.0.0:9090 2>&1

I can connect successfully on my local machine (from webpage https://localhost:8080/index.html with a websocket client).
However, when I load that same webpage on another device via its external IP (`https://192.168.0.44:8080/index.html`), then the web browser fails and throws:

WebSocket connection to 'wss://192.168.0.44:9090/' failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID

This seems no issue when using real domains, certificates, or reverse/websocket proxies.
However, just out of intranet curiosity: is there an easy way to get websocat encryption with IP addresses?

Owner

vi commented Apr 2, 2025

How was q.pkcs12 obtained? Maybe it was generated from /etc/ssl/private/ssl-cert-snakeoil.key or was previously marked as trusted in that browser?

> encryption

If you need just encryption (protection against passive attacks, but not against active connection proxying), then -k or a per-message encryption would suffice.

In any case the proper way to use TLS in intranet would be using your own CA and adding its certificate where needed across the intranet.
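
The approach recommended in the comment above (your own CA, with its certificate imported where needed) could be scripted as follows. This is an added example, not part of the issue thread or of websocat; the CA name, file layout and empty PKCS#12 password are assumptions, and the server certificate lists the IP as a subjectAltName so that it matches `wss://192.168.0.44:9090/`.

```shell
#!/bin/sh
# Added example. CA name, file names and the empty PKCS#12 password are assumptions.

# make_intranet_cert DIR IP: create a private CA and a server certificate for IP in DIR.
make_intranet_cert() (
  dir=$1; ip=$2
  umask 077                      # private keys readable by the owner only
  mkdir -p "$dir" && cd "$dir" || exit 1

  # Own config file, so the result does not depend on the system openssl.cnf.
  cat > ca.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Intranet CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Extensions for the server certificate: not a CA, server use only, IP as a SAN.
  cat > server.ext <<EOF
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF

  # 1. CA key + self-signed CA certificate; ca.pem is what clients import as trusted.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config ca.cnf \
    -keyout ca.key -out ca.pem 2>/dev/null &&
  # 2. Server key + CSR, then sign the CSR with the CA.
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$ip" \
    -keyout key.pem -out server.csr 2>/dev/null &&
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 825 -extfile server.ext -out cert.pem &&
  # 3. Bundle for websocat --pkcs12-der (empty password: no --pkcs12-passwd needed).
  openssl pkcs12 -export -inkey key.pem -in cert.pem -certfile ca.pem \
    -passout pass: -out q.pkcs12
)

# cert_valid_for_ip DIR IP: true if cert.pem chains to ca.pem and its SAN covers IP.
cert_valid_for_ip() {
  openssl verify -CAfile "$1/ca.pem" "$1/cert.pem" >/dev/null 2>&1 &&
  openssl x509 -in "$1/cert.pem" -noout -checkip "$2" | grep -q "does match"
}

# Usage (not run here): make_intranet_cert ~/.websocat 192.168.0.44
```

After generating the files, import `ca.pem` (never `ca.key`) into the trust store of each device that connects; the server keeps using `q.pkcs12` as in the original command.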

Author

coderofsalvation commented Apr 2, 2025

/etc/ssl/private/ssl-cert-snakeoil.key <--- 😆

sorry for providing incomplete info, here's how it was generated:

  test -f ~/.websocat/cert.pem && return 0
  mkdir ~/.websocat 2>/dev/null || true
  echo "--- generating temporary SSL certs (press enter to all questions) ---"
  openssl req -x509 -newkey rsa:2048 -new -nodes -keyout ~/.websocat/key.pem -out ~/.websocat/cert.pem -days 3650
  openssl pkcs12 -export -out ~/.websocat/q.pkcs12 -inkey ~/.websocat/key.pem -in ~/.websocat/cert.pem

Owner

vi commented Apr 2, 2025

This looks like a simple self-signed certificate.

This:

> I can connect successfully on my local machine (from webpage https://localhost:8080/index.html with a websocket client)

looks suspicious. Browsers should not accept such certificates by default. Does it work from some other browser or from a fresh browser profile?

Or what do you mean by "a websocket client"?

@coderofsalvation
Author

apologies, more info below:

shellscript is also testable by entering 'k' at https://xrsh.isvery.ninja/src/index.html
