Hi,
We have internal certificates deployed in our Rocky Linux 8.5 templates. When we try with curl, the certificate is valid (see logs below).
But when I go with a browser to the same site, the certificate is not trusted.
Firefox: SEC_ERROR_UNKNOWN_ISSUER
Chrome: NET::ERR_CERT_AUTHORITY_INVALID
Browsers do not seem to use the CA.
I don't see them in the CA list of Firefox.
When I try to add them to the trusted CAs, I don't get the page to choose for what purpose to trust the CA, and I think the import does not happen.
It used to work before a reinstall / update of system packages; I don't know when it started to fail.
If you have anything, let me know. Thanks.
curl -v https://tela0-d1-ap-nextc.xxx.admin/
* Trying xxx.xxx.xxx.Xxx...
* TCP_NODELAY set
* Connected to tela0-d1-ap-nextc.xxx.admin (xxx.xxx.xxx.xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=MC; ST=MONACO; L=MONACO; O=xxx; OU=ADMIN; emailAddress=x.xxxxx@xxx.xx; CN=tela0-d1-ap-nextc.xxx.admin
* start date: Mar 2 15:45:14 2022 GMT
* expire date: Mar 1 15:45:14 2027 GMT
* subjectAltName: host "tela0-d1-ap-nextc.xxx.admin" matched cert's "tela0-d1-ap-nextc.xxx.admin"
* issuer: C=MC; ST=MONACO; L=MONACO; O=xxx; OU=ADMIN; CN=CA-xxx-ADMIN
* SSL certificate verify ok.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: tela0-d1-ap-nextc.xxx.admin
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 302 Found
< Server: nginx/1.19.9
< Date: Tue, 12 Apr 2022 14:37:23 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 0
< Connection: keep-alive
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-XSS-Protection: 1; mode=block
< X-Powered-By: PHP/8.0.16
< Set-Cookie: ocklpsxc5591=d0044081a972aadf6f2ab2bddfaa9288; path=/; HttpOnly; SameSite=Lax
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=vIIcoGwJxEcDX3EqlcJjsfeifO%2FO0ZTXe3P%2BFuXI0553YL39pMYKitsdIvbheKrQUhpWQohDlyIWGjQ97h6mTcfjJ8S5VZ%2FIT3KNfZ22kqtoxJQfYJWDtv73qn2Y8ge9; path=/; HttpOnly; SameSite=Lax
< Set-Cookie: ocklpsxc5591=51e1af1a1e2aeef5821d789997d090cd; path=/; HttpOnly; SameSite=Lax
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-SEdYTXcyS3pBVFpIb2hvMFphTUgzMC8wRVYxNFI5ck81K1NWaG5ESUNWbz06VHdUOGhsTEdPUU1pOVZKZkNjNXltenVPUUNrMEY0TDkzdDNSOFJxcVhSTT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Set-Cookie: nc_sameSiteCookielax=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: nc_sameSiteCookiestrict=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Location: http://tela0-d1-ap-nextc.xxx.admin/login
<
* Connection #0 to host tela0-d1-ap-nextc.xxx.admin left intact
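As an added diagnostic (not from the original post), the script below takes the issuer CN from a curl "issuer:" line like the one in the transcript and reports whether that CA is an anchor in the system trust store curl/OpenSSL use (managed by update-ca-trust) and in the per-user NSS database that Chromium-based browsers read. It assumes the `trust` tool from p11-kit and `certutil` from nss-tools; each check is skipped when the tool or database is absent.

```shell
#!/bin/sh
# Added diagnostic, not the poster's code. Assumes `trust` (p11-kit) and
# `certutil` (nss-tools); both are optional and only used when present.

# Extract the CN attribute from a curl "* issuer: ..." line.
issuer_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^;,]*\).*/\1/p'
}

# Return 0 if a listing in `trust list` format has a "label:" equal to the
# given CN, 1 otherwise. The CN is used as a regex, fine for plain names.
anchor_listed() {
    cn="$1"; listing="$2"
    printf '%s\n' "$listing" | grep -q "^[[:space:]]*label: $cn\$"
}

# Constructed issuer line, copied in shape from the transcript in the post.
ISSUER_LINE='* issuer: C=MC; ST=MONACO; L=MONACO; O=xxx; OU=ADMIN; CN=CA-xxx-ADMIN'

# Report where the CA is (or is not) trusted on this host.
check_stores() {
    cn="$1"
    # System anchors (what curl's /etc/pki/tls/certs/ca-bundle.crt is built from)
    if command -v trust >/dev/null 2>&1; then
        if anchor_listed "$cn" "$(trust list --filter=ca-anchors 2>/dev/null)"; then
            echo "system trust store: anchor '$cn' present"
        else
            echo "system trust store: anchor '$cn' MISSING" \
                 "(copy it to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust)"
        fi
    fi
    # Per-user NSS database read by Chromium-based browsers
    if command -v certutil >/dev/null 2>&1 && [ -d "$HOME/.pki/nssdb" ]; then
        if certutil -d "sql:$HOME/.pki/nssdb" -L 2>/dev/null | grep -q "$cn"; then
            echo "user NSS db: '$cn' present"
        else
            echo "user NSS db: '$cn' MISSING (certutil -d sql:\$HOME/.pki/nssdb -A -t C,, -n '$cn' -i ca.pem)"
        fi
    fi
}

CN=$(issuer_cn "$ISSUER_LINE")
check_stores "$CN"
```

Firefox on Rocky/RHEL normally reads the same system anchors through p11-kit, so a CA missing from `trust list` is the first thing to rule out before touching the browser's own store.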