davydm (n00b; joined 06 Jan 2017; 73 posts)
Posted: Thu Nov 01, 2018 6:36 pm
Post subject: how to trust self-signed cert for localhost?
I'm working with dotnet core and identityserver4, and the latter is barfing on my Gentoo machine because it's unable to verify certificates for itself.
On Windows, I've just downloaded the certificate and added it to "Trusted People", and all is well: my site works like a charm. I'm not sure of the exact equivalent on Gentoo, though.
I see this howto: https://www.humankode.com/asp-net-core/develop-locally-with-https-self-signed-certificates-and-asp-net-core but I'm stuck right out of the gate: my system has no certutil command and I'm not sure what to install to get it; eix certutil draws a blank, for example. I do have openssl installed as well as nss, but still no certutil.
1. How do I get certutil (i.e., what package provides it)?
2. If anyone has the time, are the steps outlined in the above link viable for a Gentoo box?
John R. Graham (Administrator; joined 08 Mar 2005; 10589 posts; location: Somewhere over Atlanta, Georgia)
Posted: Thu Nov 01, 2018 6:54 pm
To get your system to trust a new root, you need to copy the certificate (in pem format) to /usr/local/share/ca-certificates and then run update-ca-certificates.
There's no need for certutil as far as I can see but it's provided by net-libs/gnutls. To do this type of search on your own, you can emerge app-portage/pfl or else use the web site at http://www.portagefilelist.de/.
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
davydm (n00b; joined 06 Jan 2017; 73 posts)
Posted: Thu Nov 01, 2018 8:06 pm
John R. Graham wrote:
> To get your system to trust a new root, you need to copy the certificate (in pem format) to /usr/local/share/ca-certificates and then run update-ca-certificates.
> There's no need for certutil as far as I can see but it's provided by net-libs/gnutls. To do this type of search on your own, you can emerge app-portage/pfl or else use the web site at http://www.portagefilelist.de/.
> - John
Thanks for the help (: that's the first route I tried, after reading https://wiki.gentoo.org/wiki/Certificates#Adding_trusted_certificates, but it didn't seem to work: browsers (Chrome and Firefox) still view the site as insecure (I have to manually override them), and the server-side code which attempts to make an ssl connection to the openid-configuration endpoint still breaks, complaining about certificates.
I have done the following:
Code:
```sh
# Grab the certificate the local server presents (SNI set so the server picks
# the right cert; TLS chatter on stderr suppressed) and save it as PEM.
echo -n | openssl s_client -connect localhost:5001 -servername localhost 2>/dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  > /usr/local/share/ca-certificates/sigma-localhost.crt
# Rebuild /etc/ssl/certs and the bundle from everything in the ca-certificates dirs.
update-ca-certificates
```
the first command produces a file starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE----- with base64-encoded stuff in between -- I assume this is the correct result for a .crt? Please bear with me: I think I have some fairly huge gaps in my understanding of certificates.
the last command produces the result:
Code:
```
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
```
and I see a newly-created file: /etc/ssl/certs/sigma-localhost.pem. I assume I'm doing something wrong, though, because browsers and the app itself don't seem to change behavior.
Also, if I remove /usr/local/share/ca-certificates/sigma-localhost.crt and re-run update-ca-certificates, I notice that /etc/ssl/certs/sigma-localhost.pem is _not_ removed. So I assume there's a better way to uninstall a certificate?
I really appreciate your help (:
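What John's two steps look like end to end, as an added example that is not from either poster, with the one change a practitioner would make: instead of trusting the server's self-signed leaf directly, it generates a small local CA, issues a localhost certificate from it with a subjectAltName (which Chrome and other modern clients match the host name against), and installs only the CA as a trust anchor. It also covers the part the system store does not reach: browsers on Linux do not read /etc/ssl/certs; Chromium keeps its trust in an NSS database under ~/.pki/nssdb and Firefox in its profile database, which is what the certutil in the linked howto edits (certutil is NSS's own tool; on Gentoo it comes from dev-libs/nss built with the utils USE flag). The file names, the CA name "local dev CA" and the DEVCA_INSTALL switch are assumptions; pointing Kestrel at localhost.crt/localhost.key is outside this example.

```sh
#!/bin/sh
# Added example (not from either poster): a throwaway development CA for
# localhost. Trust the CA, not the leaf; never install ca.key anywhere.
# Assumed names: local-dev-ca.crt (trust-store file), "local dev CA"
# (subject and NSS nickname); needs openssl(1) >= 1.1.1.
set -eu

# Write ca.key/ca.crt and localhost.key/localhost.crt into $1.
make_dev_ca() {
    dir=$1
    mkdir -p "$dir"
    umask 077   # private keys are created 0600

    # Explicit config so the CA carries CA:TRUE and keyCertSign no matter
    # what the system openssl.cnf defaults to (clients reject a CA without them).
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = local dev CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 365 2>/dev/null

    # Leaf: CSR for CN=localhost, signed by the CA with server extensions.
    # The SAN is what the client compares the host name against; CN is ignored.
    cat > "$dir/leaf.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = localhost
EOF
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
    openssl req -new -config "$dir/leaf.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/localhost.key" -out "$dir/localhost.csr" 2>/dev/null
    openssl x509 -req -in "$dir/localhost.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -extfile "$dir/leaf.ext" -out "$dir/localhost.crt" 2>/dev/null
}

# Print OK if the leaf chains to the CA *and* matches the host name, else FAIL.
# These are the same two checks a TLS client performs.
verify_leaf() {
    dir=$1; host=${2:-localhost}
    if openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" \
            "$dir/localhost.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# System store (OpenSSL-based clients, e.g. .NET Core on Linux): John's two
# steps, as root. To uninstall: delete the .crt and run
# update-ca-certificates --fresh, which rebuilds /etc/ssl/certs from scratch.
install_system() {
    dir=$1; dest=${2:-/usr/local/share/ca-certificates}
    install -m 0644 "$dir/ca.crt" "$dest/local-dev-ca.crt"
    update-ca-certificates
}

# NSS store used by Chromium (~/.pki/nssdb) and, per profile, Firefox.
# Trust flags "C,," = trusted to issue server (SSL) certificates only.
install_nss() {
    dir=$1; db=${2:-sql:$HOME/.pki/nssdb}
    certutil -d "$db" -A -t "C,," -n "local dev CA" -i "$dir/ca.crt"
}

# Run as: DEVCA_INSTALL=1 sh devca.sh   (root needed for the system store)
if [ "${DEVCA_INSTALL:-}" = 1 ]; then
    make_dev_ca "$HOME/devca"
    verify_leaf "$HOME/devca"
    install_system "$HOME/devca"
    install_nss "$HOME/devca"
fi
```

A quick sanity check after installing is `openssl s_client -connect localhost:5001 -servername localhost </dev/null`, which should report `Verify return code: 0 (ok)` once the server serves localhost.crt; a browser that still warns is reading a trust store the script did not touch (another Firefox profile, for instance).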