Reputation: 1559
I've made a certificate at my server using this command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
and configured everything correctly, because my site is available when I type https, except http. However, there is a problem. My certificate is not trusted.
Firefox prompts:
sec_error_untrusted_issuer
And Chrome:
NET::ERR_CERT_AUTHORITY_INVALID
Is there a way to make my certificate trusted? So the error wouldn't occur?
Of course I can accept the risk and get forwarded to the site, but that wouldn't look good for people who will visit my site via https.
Upvotes: 12
Views: 34194
Reputation: 2260
The certificate authority (the one who issues the certificate) needs to be trusted by the browser. Self-signed certificates are not trusted by default. Therefore the certificate needs to be manually accepted by the user, which is not something most will do, and in Chrome it is strangely very difficult.
For admin-areas and only dealing with pro users, this is not a problem, but for the general public, this cannot be expected.
If you have your own IP address, this is not difficult, as places like StartSSL have free certs, and registrars like gandi.net provide a 1-year free cert as well.
If you have a shared IP address with others, then there are several clients which won't be able to navigate effectively (since there is only one SSL listener on an IP). Windows XP (all browsers), Android 2.x, and Blackberry 7.x do not support an extension to SSL negotiation which includes the domain name.
Note - It's now August 2017 and many fewer devices do not support SNI, and there are also the free (and fairly easy to use) LetsEncrypt SSL certificates.
Upvotes: 3
Reputation: 5949
Firefox: Navigate to https page. At the bottom there is an option for "I understand the risks." Enlarge this section and "Add Exception".
Chrome: This is a little harder. You have to save the certificate presented by the webserver on your file system, then import the certificate into Chrome. Settings -> Advanced Settings -> HTTPS/SSL -> Manage Certificates -> Servers -> Import.
If you want external people to be able to use your site, you need to get your certificate signed by a certificate authority. Then you use this signed certificate in your web server.
Upvotes: 11
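Why the certificate from the question is rejected, and why importing it by hand makes the error go away, shown with openssl as an added example that is not part of the original posts. The CN example.test and the temporary directory are assumptions, and `openssl verify` stands in here for the browser's trust check.

```shell
#!/bin/sh
# Added example: all sample values are constructed. openssl verify is used
# as a stand-in for the browser's trust decision.

# Create a self-signed certificate as in the question, but non-interactively.
# The CN "example.test" is a placeholder (assumption).
make_selfsigned() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=example.test" \
        -keyout "$1/apache.key" -out "$1/apache.crt" 2>/dev/null
}

# Self-signed: issuer and subject are the same name, so no CA vouches for it.
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Verify against the default trust store only. A fresh self-signed
# certificate is not in it, so this is expected to fail.
trusted_by_default() {
    openssl verify "$1" 2>&1 | grep -q ': OK$'
}

# Verify again with the certificate itself supplied as a trust anchor,
# which is what adding an exception or importing it amounts to.
trusted_when_imported() {
    openssl verify -CAfile "$1" "$1" 2>&1 | grep -q ': OK$'
}

demo() {
    dir=$(mktemp -d) || return 1
    make_selfsigned "$dir" || return 1
    crt="$dir/apache.crt"
    is_self_issued "$crt" && echo "issuer == subject (self-signed)"
    trusted_by_default "$crt" || echo "default trust store: rejected"
    trusted_when_imported "$crt" && echo "after explicit import: accepted"
    rm -rf "$dir"
}

demo
```

The import only changes the trust store of the machine it is done on, which is why visitors from outside still see the warning until a CA they already trust has signed the certificate.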