
NET:ERR_CERT_AUTHORITY_INVALID


xendrome    5,332

Yeah so you need your proxy cert installed on that VM so it's trusted.

+BudMan    3,425
17 hours ago, SoCalRox said:

Common Name (CN) ZZZwebproxy.ZZZ.com

That clearly is someone else - but you didn't actually look at the ISSUER!

Here - what are the details of the CA that issued that cert?

[screenshot: the Issuer details of the certificate]

But yes, as I've been stating from the get go.. You have some proxy upstream doing MITM on your https traffic and creating their own certs for where you're trying to go... So yeah, your browser, doing what it should be doing, is telling you hey, something is freaking wrong here!!!  The CA that signed this cert is not a trusted CA..

Or it could just be the page is BLOCKED and you're being redirected to the proxy block page to tell you why, and since you're going via https you will not view it since stuff doesn't match and you don't trust the CA, etc.  Really thought I went over this in great detail at the very beginning of this thread.

If you want to let your browser trust that CA, then you need to set that up... Get with your IT guys..  If you do not know how to do that, or don't have access to the CA cert, you could prob pull it from another device/browser that is trusting it.

You can go to some https site, look to see who the CA is that you trust - go to your authorities and find that CA cert and export it, then import it into your other machine's browser..

[screenshot: exporting a CA certificate from the browser's Authorities list]

I have some different CAs that I created and trust on my home network, very creatively named "home" hehe.  So I could export that and use that in another browser so it will then trust all certs created by the home-ca CA.

Example - here is a local site running the unifi controller software, see how nice the pretty green icon is on the https url, the browser trusts this CA..

[screenshot: local unifi controller site shown as a trusted https connection]
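The issuer check and CA import described above, as an added example that is not from this thread: a Python script that reports who actually signed the certificate a host presents, and that makes Python trust a private or proxy CA by pointing it at the CA's PEM file (the equivalent of importing it into a browser). The host, the CA path and the sample certificate fields are constructed placeholders.

```python
"""Check which CA actually signed the certificate a host presents, and make
Python trust a private/proxy CA the way you would import it into a browser.
Added example; the host and CA path in the usage lines are placeholders."""
import socket
import ssl

def _rdn_value(name_seq, attr_name):
    # getpeercert() encodes subject/issuer as nested ((('commonName', 'x'),),) tuples
    for rdn in name_seq:
        for attr, value in rdn:
            if attr == attr_name:
                return value
    return None

def summarize_cert(cert):
    """Reduce a getpeercert() dict to the fields worth eyeballing: who the
    cert claims to be and, more importantly, who issued it."""
    subject_cn = _rdn_value(cert.get("subject", ()), "commonName")
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    return {"subject_cn": subject_cn, "issuer_cn": issuer_cn,
            "issuer_org": _rdn_value(cert.get("issuer", ()), "organizationName"),
            "self_signed": subject_cn is not None and subject_cn == issuer_cn}

def fetch_peer_cert(host, port=443, cafile=None):
    """Return (verified, result). cafile=None uses the system trust store, which
    is what fails behind an intercepting proxy; pass the proxy CA's PEM file and
    the same connection verifies. On failure the raw cert comes back as PEM text
    (Python only decodes certs it verified): openssl x509 -noout -issuer -in ..."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, summarize_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        pass  # untrusted issuer: fall through and just look at what was sent
    peek = ssl.create_default_context()
    peek.check_hostname = False
    peek.verify_mode = ssl.CERT_NONE  # inspect only; nothing is sent over this
    with socket.create_connection((host, port), timeout=10) as sock:
        with peek.wrap_socket(sock, server_hostname=host) as tls:
            return False, ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

# Constructed sample in getpeercert() layout, standing in for a cert minted by an
# intercepting proxy: the subject is the real site, the issuer is the proxy's CA.
SAMPLE_CERT = {"subject": ((("commonName", "www.example.com"),),),
               "issuer": ((("organizationName", "Example Corp IT"),),
                          (("commonName", "ZZZwebproxy-CA"),))}

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT))
    print(fetch_peer_cert("www.example.com", cafile="/path/to/proxy-ca.pem"))
```

If the issuer printed for a public site is your proxy's CA rather than a public CA, the traffic is being intercepted; with the system store (cafile=None) the call returns verified=False for exactly that reason.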

SoCalRox    246

Hmmm... I wonder where my reply from yesterday went...???

Having recovered from last week's medical misadventures, I sifted through the thread again, talked to one of our desktop guys, and he updated my certs and sent me the certs package that is used on Linux servers. Bingo- we are in business. I didn't know I needed to do a couple of installs in my Linux machine when I built it.

Many thanks- without your input, I would have looked entirely in the wrong direction (which I did before asking!)

Daedroth    489
Posted (edited)

Edit: Never mind, didn't realise there was another page! Glad you got it sorted.

+BudMan    3,425
On 5/21/2019 at 8:44 AM, SoCalRox said:

Bingo- we are in business.

If being behind a MITM proxy that breaks end to end https security is your "business" then yeah, you're good ;)

It's one thing to get sent to an https "you're blocked" page that you need to trust the CA on; it's another to have the proxy in the middle of what's supposed to be your secured end to end connection to server.domain.tld

If you're ok with the proxy being able to view every password you send via https, say your bank login, your login to your health records, etc. etc..  I wouldn't do any sort of anything of a personal nature from such a machine..

goretsky    1,017

Hello,

It's not unusual for a corporate environment, though, where SSL interception is used to check for malware, data leakage prevention, etc.

Regards,

Aryeh Goretsky

On 5/26/2019 at 2:00 PM, BudMan said:

If being behind a MITM proxy that breaks end to end https security is your "business" then yeah, you're good ;)

It's one thing to get sent to an https "you're blocked" page that you need to trust the CA on; it's another to have the proxy in the middle of what's supposed to be your secured end to end connection to server.domain.tld

If you're ok with the proxy being able to view every password you send via https, say your bank login, your login to your health records, etc. etc..  I wouldn't do any sort of anything of a personal nature from such a machine..

+BudMan    3,425

And it is a whole can of worms that the corp has to be ready to open, that is for sure!!

All of the major players' software for content filtering also allows for marking domains NOT to do it on..  Say your bank for example.

SoCalRox    246

I do not use this machine for personal (i.e. banking) stuff. I learned LONG ago not to trust corporate systems. That said, we not only have the things Goretsky pointed out, but as a part of a very large insurance company, we also have to be concerned about HIPAA violations- in fact, I think the company would be less concerned about a nasty virus than HIPAA violations. (That, of course, is a relative thing.) Besides, it isn't a matter of whether I am okay with it- I cannot control what the lay of the LAN is, nor can my boss, his boss, or her boss. It's a completely different internal company handling it- outside the reach of our CIO, since the CTO would handle that part. It's quite far out of my reach to make ANY kind of change, or even effect such change. Such is the corporate world, especially health care insurance.

+BudMan    3,425
4 hours ago, SoCalRox said:

than HIPAA violations

Well, to be honest, them breaking the end to end encryption pretty much breaks HIPAA, pretty sure... So they better be sure no HIPAA info is flowing over anything they are doing MITM on..

"HIPAA encryption requirements mandate that covered entities and business associates utilize end-to-end encryption (E2EE). End-to-end encryption is a means of transferring encrypted data such that only the sender and intended recipient can view or access that data."

Which is clearly not the case when you have a proxy in the middle handing you made-up BS certs that they created on the fly for the domain, that you trust.  And therefore anyone that has access to that proxy has the ability to view the unencrypted traffic flow of data.

This is why doing such a thing is such a "can of worms"!!!

You can content filter with a proxy without having to break the end to end https connection... You just have to use an explicit proxy, and can only content filter on the domain name... So you could prevent a user from, say, going to p0rn.com, but you could not stop them from going to allowed.com/bad, while with just http you could allow allow.com/safe and block allow.com/bad..
