Solved Apache/SSL setup not working with Firefox

I am working on setting up SSL on an apache24 web server on my local network with a self-signed certificate.
I am able to confirm it is working with curl and openssl (see the details below), however I am not able to get it working with Firefox.

I imported my self-signed cert into Firefox, however when I try to access the site "https://fbsd" it results in the error SEC_ERROR_UNKNOWN_ISSUER.

fbsd uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: SEC_ERROR_UNKNOWN_ISSUER

I am not sure how to verify that my FQDN is "fbsd", as I have set my cert CN to "fbsd".
I believe that my FQDN is set up correctly, as my /etc/rc.conf is set correctly with hostname="fbsd" and I have my /etc/hosts set up with fsbsd with an IP address.

Please let me know if you see anything I have done incorrectly. Thanks!

OS version: 64-bit FreeBSD 11.1
Browser: 55.0.3 64 bit (installed on fbsd server)
Local Server name: fbsd

Other changes: I have manually added my self signed cert to the following file /usr/local/share/certs/ca-root-nss.crt.
Code:
openssl s_client -connect fbsd:443 -CAfile /usr/local/share/certs/ca-root-nss.crt
...
    Start Time: 1504313750
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

> curl https://fbsd
<html><body><h1>It works!</h1></body></html>
 
Why don't you try creating a self-signed CA and issuing the WWW certificate from that? How exactly did you create the certificate? Did you use the serverAuth EKU? This is how I created my web server certificate:

This is an extension in openssl.cnf I use to quickly create server certificates:

Code:
[ san_cert ]

basicConstraints    = CA:FALSE
nsRevocationUrl     = https://XXXXXXX.XXX/otCA.crl
subjectAltName      = ${ENV::SAN}
extendedKeyUsage    = serverAuth

Note the extendedKeyUsage.

Here is how you issue a CA cert:

Code:
openssl req -new -newkey rsa:2048 -sha256 -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config ../openssl.cnf

You'll need to configure openssl.cnf to use your new CA. Try this guide: http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php

These are the commands I use to issue the server cert. Note the SAN variable. It is a comma separated list. Any domain you want to be able to access your web server from should be in the list. For example if your hostname is fbsd and your FQDN is fbsd.home:

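Code:
# Generate the server key and the signing request (written to reqs/, where the next step reads it)
openssl req -new -newkey rsa:2048 -sha256 -nodes -out reqs/fbsd-req.pem -keyout private/fbsd.pem -config ../openssl.cnf

# Names the certificate is valid for; read by ${ENV::SAN} in the san_cert section
export SAN=DNS:fbsd,DNS:fbsd.home
# Sign the request with the CA, applying the san_cert extensions
openssl ca -config /etc/ssl/openssl.cnf -extensions san_cert -md sha256 -out certs/fbsd.pem -infiles reqs/fbsd-req.pem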
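
Added example, not part of the thread: a self-contained run of the CA-plus-server-certificate approach described in the answer above, followed by a check that the issued certificate chains to the CA, matches the host name through its SAN, and carries the serverAuth EKU. It signs with `openssl x509 -req` rather than `openssl ca` so that no CA database directory is needed; the temporary directory, the file names and the "Demo Home CA" subject are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: throwaway CA and server certificate; all paths and names are constructed.
set -eu

make_demo_pki() {  # $1 = output dir, $2 = SAN list, e.g. "DNS:fbsd,DNS:fbsd.home"
    dir=$1
    export SAN="$2"   # must be set before openssl parses ${ENV::SAN} below
    mkdir -p "$dir"
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ san_cert ]
basicConstraints = CA:FALSE
subjectAltName = ${ENV::SAN}
extendedKeyUsage = serverAuth
EOF
    # Self-signed CA certificate: the only certificate clients need to import.
    openssl req -new -newkey rsa:2048 -sha256 -x509 -days 30 -nodes \
        -config "$dir/openssl.cnf" -extensions v3_ca -subj "/CN=Demo Home CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # Server key and signing request.
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -config "$dir/openssl.cnf" -subj "/CN=fbsd" \
        -keyout "$dir/fbsd-key.pem" -out "$dir/fbsd-req.pem" 2>/dev/null
    # Sign the request with the CA, applying the san_cert extensions.
    openssl x509 -req -in "$dir/fbsd-req.pem" -sha256 -days 30 -set_serial 1 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -extfile "$dir/openssl.cnf" -extensions san_cert \
        -out "$dir/fbsd.pem" 2>/dev/null
}

check_server_cert() {  # $1 = CA file, $2 = certificate, $3 = host name; 0 = acceptable
    openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" \
        >/dev/null 2>&1 || return 1
    # -purpose passes when the EKU extension is absent, so require serverAuth explicitly.
    openssl x509 -in "$2" -noout -text | grep -q "TLS Web Server Authentication"
}

DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR" "DNS:fbsd,DNS:fbsd.home"
for name in fbsd fbsd.home www.example; do
    if check_server_cert "$DEMO_DIR/cacert.pem" "$DEMO_DIR/fbsd.pem" "$name"
    then echo "$name: accepted"; else echo "$name: rejected"; fi
done
```

Running `check_server_cert` against a real CA file and server certificate before importing the CA into a browser catches a missing SAN entry or EKU early.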
 
I was able to follow your instructions above, and I was then able to get the certificate to work in Firefox on my local machine as well as on other devices on my LAN. I really appreciate your time.
 