Solve untrusted self-signed certificate


Solution 1

I had mistyped the domain name and it looked so similar, I didn't notice even after repeated checking.

Solution 2

Your certificate is for dev.hrm-app but your Apache configuration is set to dev.hmr-app


From your Apache configuration file:

ServerName dev.hmr-app

dev.hmr-app uses an invalid security certificate.

The certificate is not trusted because it is self-signed. The certificate is not valid for the name dev.hmr-app.

Be sure to add your self-signed certificate to the Firefox certificate store to resolve the self-signed error. The second error is due to your Apache configuration and your certificate being assigned to different domains.
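A way to catch this kind of mismatch mechanically, as an added example that is not part of the original answer: the script compares the names in an Apache vhost file with the names the certificate is valid for, using `openssl x509 -checkhost`. The temporary directory, the throwaway certificate and the sample vhost file are constructed for the demo, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example: detect a ServerName that the certificate does not cover.
# The throwaway certificate and vhost file below are constructed for the demo.

# Print every ServerName / ServerAlias value in an Apache config file.
vhost_names() {                     # usage: vhost_names vhost.conf
    awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
             for (i = 2; i <= NF; i++) { gsub(/"/, "", $i); print $i } }' "$1"
}

# Succeed only if the certificate is valid for the given host name.
cert_matches_host() {               # usage: cert_matches_host cert.pem name
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Check each name the vhost serves; 0 = all covered, 1 = mismatch, 2 = no names.
check_vhost_cert() {                # usage: check_vhost_cert vhost.conf cert.pem
    names=$(vhost_names "$1")
    [ -n "$names" ] || { echo "no ServerName found in $1"; return 2; }
    rc=0
    for name in $names; do
        if cert_matches_host "$2" "$name"; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name is not a name in $2"
            rc=1
        fi
    done
    return "$rc"
}

# Demo: certificate issued for dev.hrm-app, vhost configured as dev.hmr-app.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=dev.hrm-app" -addext "subjectAltName=DNS:dev.hrm-app" \
    -keyout "$demo_dir/server.key" -out "$demo_dir/server.crt" 2>/dev/null
printf '<VirtualHost *:443>\n    ServerName dev.hmr-app\n    SSLEngine on\n</VirtualHost>\n' \
    > "$demo_dir/vhost.conf"

check_vhost_cert "$demo_dir/vhost.conf" "$demo_dir/server.crt" || true
# Show the subject the certificate actually carries, for a side-by-side comparison.
openssl x509 -in "$demo_dir/server.crt" -noout -subject
```

Letting the tool do the string comparison avoids relying on the eye to tell two near-identical names apart.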

Author by

criminal_chili

Updated on September 18, 2022

Comments

  • criminal_chili
    criminal_chili over 1 year

    I've created a self-signed certificate for use on my Windows 10 development machine and I've added it to the Trusted Root Certification Authorities/Certificates as advised by How to install an Apache Self Signed Certificate on Windows 10 on YouTube. I can see the certificate has been installed by using certmgr.msc.

    When I go to the HTTPS address in Edge (the browser used in the video), I get the following error message by clicking on Details:

    The hostname in the website’s security certificate differs from the website you are trying to visit.

    Error Code: DLG_FLAGS_SEC_CERT_CN_INVALID

    Firefox says:

    dev.hmr-app uses an invalid security certificate.

    The certificate is not trusted because it is self-signed.
    The certificate is not valid for the name dev.hmr-app.

    Error code: SEC_ERROR_UNKNOWN_ISSUER

    and

    https://dev.hmr-app/

    Peer's Certificate issuer is not recognised.

    HTTP Strict Transport Security: false
    HTTP Public Key Pinning: false

    [Certificate chain removed]

    I get a similar message in all other browsers. While I can manually create an exception for each browser, I'd prefer to have it just work in all of them as if I was browsing a real site.

    I've double and triple checked the certificate, and the address is exactly the same as the one I'm using to access the local development site.

    The relevant bits of my httpd-vhosts.conf are as follows:

    <VirtualHost *:443>
        ServerName dev.hmr-app
        ErrorLog "logs/dev.hmr-app-error.log"
        CustomLog "logs/dev.hmr-app-access.log" common
        SSLEngine on
        SSLCertificateFile "C:/server/Apache24/conf/server.crt"
        SSLCertificateKeyFile "C:/server/Apache24/conf/server.key"
    </VirtualHost>

    How can I get this to work?

    • Ramhound
      Ramhound over 6 years
      You can trust a self-signed certificate all day; that won’t stop the browser from complaining if the certificate is invalid for other reasons. The only thing it shouldn’t complain about is the fact it’s self-signed. Why are you not using something like Let’s Encrypt, which is trusted by ALL browsers?
    • Ramhound
      Ramhound over 6 years
      “The certificate is not valid for the name dev.hmr-app.” I suspect part of your problem is you’re creating a certificate for an invalid domain.
    • criminal_chili
      criminal_chili over 6 years
      @Ramhound In what way is the domain invalid?
    • Ramhound
      Ramhound over 6 years
      Answer my question first then I will answer that question.
    • criminal_chili
      criminal_chili over 6 years
      @Ramhound Why not use Let's Encrypt? Because you only just told me about it. Now answer mine.
    • Ramhound
      Ramhound over 6 years
      I assume you have defined “dev.hmr-app” in your hosts file? Did you use OpenSSL to generate the certificate? What command did you use exactly? Provide a screenshot showing your certificate in Trusted Root within the system certificate store. Firefox doesn’t use the Windows certificate store, so Firefox not trusting your certificate is to be expected until you add your certificate to its certificate store.
    • Appleoddity
      Appleoddity over 6 years
      Firefox won’t use the Windows certificate store, as mentioned. So you have to manually import it in Firefox. However, assuming all other components are correct, you should be importing the “root” certificate, which is the cert used to sign the cert you created, into trusted roots, which will then cause all sub certificates to be trusted. Or, if using a single cert only, you should import the certificate into the “Computer” store under the “personal” folder using the certificates snap-in of mmc.exe.
    • criminal_chili
      criminal_chili over 6 years
      OK, so I needed to decuple check the domain name! Turned out I'd switched "hmr" to "hrm", which looked the same even after the ninth time! I'll leave this question here long enough for you to read this comment, then delete it.
    • Ramhound
      Ramhound over 6 years
      @CJDennis You should self-answer not delete it. Removing perfectly valid questions will eventually lead to a question ban
    • criminal_chili
      criminal_chili over 6 years
      @Ramhound It's no longer valid. The assumption I was working under proved to be wrong, just very difficult to detect.
    • Ramhound
      Ramhound over 6 years
      You can delete this question, but it’s a valid question; lots of good questions are simple issues. So don’t be shocked if the community votes to restore it.
  • Scott - Слава Україні
    Scott - Слава Україні over 6 years
    Please don't add "thank you" as an answer. Instead, accept the answer that you found most helpful. - From Review
  • criminal_chili
    criminal_chili over 6 years
    @Scott What are you talking about "thank you"? I will accept the answer that I found most helpful - mine, since I solved it myself - when the 2 day time limit is up. Please read the comments on the question. Ramhound was not hugely helpful and based his/her answer on one of my comments. They deserve no credit.
  • Ramhound
    Ramhound over 6 years
    “Ramhound was not hugely helpful” You didn’t provide the information I requested. Wasn’t given a chance to come to the same conclusion.
  • criminal_chili
    criminal_chili over 6 years
    @Ramhound Nor were you totally unhelpful, but your questions were leading in the wrong direction, as well as being childish: "Answer my question first then I will answer that question."
  • Ramhound
    Ramhound over 6 years
    We will have to agree to disagree with regards to that particular method I used.