
NET::ERR_CERT_AUTHORITY_INVALID


SoCalRox    229

Brand new, freshly created Xubuntu 19.04 VMware VM on Windows 10. First thing I do is install Opera Dev, but any time I try to search, whether Google, Bing, or DuckDuckGo, I get this error and cannot proceed. (This also happens in Firefox, but I don't use Firefox.) I've tried importing a number of .CRT files, but it is to no avail. Since Firefox shows the same behavior, I am thinking it is at the OS, and not the browser, level.

Any idea what is happening? Host is Windows 10, and corporate peeps have it tied down with Symantec Endpoint Security. Some sites come up fine, some do not.

Thanks...

shockz    5,221

Are your clock and date set to the correct time and time zone?

SoCalRox    229

First thing I checked. It is indeed. Being the host is tied down, I couldn't modify it anyway. LOL! But yes, it is correct. I double checked that right away. NTP is installed and operational, correct time zone.

SoCalRox    229

By the way, the browser DOES work - I can go to many other sites, whether HTTPS or not. Just a few - the browser says the site(s) use HSTS and that's why I can't get there.

+BudMan    3,365

Are you going through a proxy that does HTTPS interception? Or some sort of antivirus software doing the same thing?

SoCalRox    229

That's a great suggestion - I AM sent through a proxy.

However, adding the proxy made no difference. It is still not willing to talk with Google/Bing/DuckDuckGo and a few others. It seems to revolve around the HSTS requirement on those sites.

+BudMan    3,365

Yeah, you can not hit them via http if they are HSTS..

If you're going through a proxy you're going to get that sort of error all the time..

This has ZERO to do with Ubuntu 19.04 or VM or Opera.. View the damn cert you get presented.. when you get the error.

Here is my work proxy cert, for example, when I try to go to something that is blocked via https:

[image: screenshot of the work proxy's certificate]

Yeah NO ###### that is not binnys.com's cert ;)

SoCalRox    229

Thanks, BudMan. It doesn't offer me a chance to see the certificate being offered. I'll keep looking as time permits and try to find it.

+BudMan    3,365

What do you mean it doesn't.. What kind of ###### browser is that?  Just click the advanced button on the error, or more details..  Here, let me install Opera dev, you say..

Ok, grabbed Opera dev.

Here - click the not secure icon:

[image: screenshot showing the "not secure" icon to click in Opera]

Then you can view the details... Here is a good test site for stuff that might go wrong on a website using SSL:

https://badssl.com/

 

SoCalRox    229

Thanks. I had a D'OH Homer Simpson moment.

Opera is my current browser of choice, although I have a number of others installed.

I'm comparing them - Opera Windows versus Opera Linux - and they look nothing alike, so I am having to figure out what one version has versus the other. After looking at several, it seems that the ones which fail are issued by our corporate certificate server, but in Windows, it is issued by Google or other certificate stores.

I'm not quite sure why the difference or the blocking, but I feel like the solution should be there; I just don't know what I am looking at to turn it into action to solve my problem. This is not my area of expertise at all, and the networking guys are swamped by a corporate project to revise the IP structure and tell me they can get to it in a few weeks. Meanwhile, my project is due Monday. I wonder if I download those .crt files for the same issuer that is in the Windows certificates, maybe it will work?

 

 

SoCalRox    229

Well, that theory was a bust - I found a couple of the authorities for the failed sites included already in the problem browser. Curses!! Foiled again!!

xendrome    5,262

Could it be that that cert for the proxy needs to be added in manually to your trusted certs container on the client, and it is being pushed manually from your GPO for domain joined workstations?

+BudMan    3,365

Yeah, if you're behind a proxy, and it's going to be doing MITM and doing certs for sites on the fly.. then your browser will have to trust that CA... That is really bad juju doing such stuff... You have to make sure you don't do that for bank or health related sites... You run into a huge personal info issue when doing that...

I would suggest you have your network guys not do that!  It really is a whole can of worms that can get people in a lot of ######..

That's completely different from just the browser complaining about the error page, since the URL you went to doesn't match the cert you got redirected to, etc.

So which is it - you're not trusting the proxy error page cert, or they're doing MITM on the HTTPS sites you're supposed to be allowed to go to..

Can you get to google or not? What are the details of the cert?

Jason S.    1,463

I recently ran into a problem importing an SSL cert from 2017. It's still valid, but is missing the Common Name. This wasn't required by browsers in 2017, but is now. Chrome and FF require the CN or you'll see the red X. I had to regenerate the cert w/ the provided CN.

+BudMan    3,365

I think you mean it was missing the SAN with the name... That has been the big change in the last couple of years: certs need both the common name and a SAN..

His proxy is either doing MITM on him, or sending him to an error page (he is blocked or something) via https..

Nick H.    9,397

Bad image on the machine? We've had a few times where it screws up.

+BudMan    3,365
18 hours ago, SoCalRox said:

issued by our corporate certificate server

And which domain is this exactly?  If you're seeing publicdomain.tld issued by one of your servers.. then yes, they are doing MITM on you and issuing certs for the domains you're going to via their proxy.

If in Windows you don't see this - then they are not going through the proxy?

The only way you're going to get rid of the errors on a MITM is for your browser to TRUST the CA signing the certs being used..  If some sites are showing fine and showing normal issuing CAs for the sites - then it could just be that you're only seeing the issue on blocked sites where you're redirected to the error page..  Maybe your box is not authed to the proxy while Windows machines are - so you're getting a different policy on which sites are blocked and which aren't, sort of thing..

Post the actual details of what domain you're trying to go to - one that works (are there any that are https?) and one that doesn't, etc..

SoCalRox    229

Honestly? This is a HUGE organization, with tons of rules in place to protect data. In all sincerity, going to my network guys and trying to find where this goes bad would be like going to Samsung and asking who stocks the screws. They don't even know who controls certain segments of things; they just know what they can and can't affect and who is one or two layers above them. I've never worked for a company with so many insular layers. I have a workaround that, while not very elegant, lets me get the job accomplished in a sloppy but effective way. I think I'm better off just doing the searches on the host section and sending the links back in a text file to pick up in Linux. Last time I worked on this stuff I had no issues like this, but after they revised the IP addressing it got wonky. This is just a small backwater company owned by the main company and they aren't really cooperative - as they say, water flows downhill.

Thanks for all the help and suggestions. I am going to go through them again and see if I can make it work, but I would feel horrendously guilty if anyone devoted more time and thought to this. 

+BudMan    3,365

You need to figure out exactly what the problem is!!!  Pick 1 site that is not working... www.google.com for example..

 

Where you get this error... NOW what cert is being presented to you that the browser is complaining about and says it doesn't trust?  Who issued it?

SoCalRox    229
On 5/9/2019 at 2:25 PM, BudMan said:

You need to figure out exactly what the problem is!!!  Pick 1 site that is not working... www.google.com for example..

 

Where you get this error... NOW what cert is being presented to you that the browser is complaining about and says it doesn't trust?  Who issued it?

Sorry, Budman, that I am late on replying...
Below is the message I get in its entirety:

Your connection is not private

This server could not prove that it is www.google.com; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

You cannot proceed because the website operator has requested heightened security for this domain.

NET::ERR_CERT_AUTHORITY_INVALID

Help me understand

When you connect to a secure website, the server hosting that site presents your browser with something called a "certificate" to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party that your computer trusts. By checking that the address in the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website you intended, and not a third party (such as an attacker on your network).

You cannot visit www.google.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

+BudMan    3,365

And that doesn't tell us who issued it - LOOK at the cert... I gave you pictures of how to do that!!

Daedroth    482

I work in a school and I see this when users attempt to access the Internet on devices that don't have the filtering service's certificate installed. Without that certificate installed, your browser's default behaviour is to think that there is something dodgy intercepting your data between you and the destination. With the certificate installed, your browsers know that the intercepting is by a trusted party.

If you don't manage the filtering/proxy, then you need to speak to your IT team to obtain the certificate and install it, or get them to do it.

xendrome    5,262
48 minutes ago, Daedroth said:

I work in a school and I see this when users attempt to access the Internet on devices that don't have the filtering service's certificate installed. Without that certificate installed, your browser's default behaviour is to think that there is something dodgy intercepting your data between you and the destination. With the certificate installed, your browsers know that the intercepting is by a trusted party.

If you don't manage the filtering/proxy, then you need to speak to your IT team to obtain the certificate and install it, or get them to do it.

Yeah, I said this on May 8th; that's likely the issue.

+BudMan    3,365

Yeah, said that back on May 7th ;)  @xendrome

Been saying that since the thread started - but have yet to get the simple question answered of who issued the cert his browser is seeing..

SoCalRox    229
9 hours ago, BudMan said:

And that doesn't tell us who issued it - LOOK at the cert... I gave you pictures how to do that!!

Sorry, bro... Had anesthesia this week and the motor is running slow. Probably picked an especially bad day to respond.

Here it is, edited to cover the company name. As I have said before, we do not have access to the people who can easily make this right, as the networking stuff is VERY much hardened, and the only word they seem to have learned is "no." Substitute the "ZZZ" for the big corporate name, and "Subsidiary" for our name.

Issued To
Common Name (CN): *.google.com
Organization (O): Google LLC
Organizational Unit (OU): <Not Part Of Certificate>

Issued By
Common Name (CN): ZZZwebproxy.ZZZ.com
Organization (O): SubsidiaryIT Web Proxy HTTPS Proxy
Organizational Unit (OU): <Not Part Of Certificate>

Validity Period
Issued On: Tuesday, April 30, 2019 at 5:08:26 AM
Expires On: Tuesday, July 23, 2019 at 5:02:00 AM

Comparing it to the host's browser shows the public encryption key differs.
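As an added example (not posted by anyone in this thread), here is the check BudMan kept asking for, done in Python on certificate fields in the shape `ssl.SSLSocket.getpeercert()` returns: given a cert the OS refused to trust, decide whether the site's own name was re-issued by a private CA (HTTPS inspection, fixed by trusting the proxy CA) or whether the cert belongs to some other host (the proxy's block/error page). The first sample certificate is constructed from the values SoCalRox posted; the block-page sample and the "ZZZ Internal CA" name are invented for contrast.

```python
# Added example, not from the thread: classify a certificate the OS refused to
# trust the way BudMan suggests (who issued it, and for which name?).
# Certificate dicts are in the shape ssl.SSLSocket.getpeercert() returns.

# Constructed from the values SoCalRox posted (company name masked as ZZZ).
PROXY_ISSUED_GOOGLE_CERT = {
    "subject": ((("commonName", "*.google.com"),),
                (("organizationName", "Google LLC"),)),
    "issuer": ((("commonName", "ZZZwebproxy.ZZZ.com"),),
               (("organizationName", "SubsidiaryIT Web Proxy HTTPS Proxy"),)),
    "notBefore": "Apr 30 05:08:26 2019 GMT",
    "notAfter": "Jul 23 05:02:00 2019 GMT",
}
# Constructed for contrast: what a proxy's own block/error page might present.
BLOCK_PAGE_CERT = {
    "subject": ((("commonName", "ZZZwebproxy.ZZZ.com"),),),
    "issuer": ((("commonName", "ZZZ Internal CA"),),),
    "subjectAltName": (("DNS", "ZZZwebproxy.ZZZ.com"),),
}

def rdn_value(name, attr):
    """First value of attr (e.g. 'commonName') in a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def cert_dns_names(cert):
    """Names a browser would accept: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = rdn_value(cert.get("subject", ()), "commonName")
    return sans or ([cn] if cn else [])

def name_matches(pattern, host):
    """A wildcard is allowed only as the whole leftmost label and covers one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p, h = pattern.split("."), host.split(".")
        return len(p) == len(h) and p[1:] == h[1:]
    return pattern == host

def diagnose(cert, host):
    """(verdict, issuer CN, issuer O): 'intercepted' = cert names the host you asked for
    but a private CA signed it; 'block_page' = cert is for another name (redirected)."""
    issuer = cert.get("issuer", ())
    hit = any(name_matches(n, host) for n in cert_dns_names(cert))
    verdict = "intercepted" if hit else "block_page"
    return verdict, rdn_value(issuer, "commonName"), rdn_value(issuer, "organizationName")
```

Against a live host the same fields come from `getpeercert()` once the proxy CA is trusted, or, while it is not, from `openssl s_client -connect www.google.com:443 -servername www.google.com </dev/null | openssl x509 -noout -subject -issuer`.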

 
