
Certificate error after importing CA cert into system store on macOS Big Sur

By sizz0p m0dem @sizz0p
    2021-05-13 23:44:45.621Z

    Hi, I just assembled my kit and the device is up and working great. Very cool.

    The only issue I have is that even after importing the cert into my store/keychain, Chrome still doesn't like the certificate. I can't click through in Chrome and in Safari, but I can in Firefox.

    If I dig into the cert, I can see that the CA cert is accepted at the top level, but then below the root cert I see this:

    "Certificate is not standards compliant."

    Have you seen this before? Is it possible it was concatenated incorrectly or something went awry? It's been a while since I used any self-signed certs, but I don't think this is how macOS should behave... I could be wrong though. Thanks.

    1. Hmm, nobody has reported this before. I unfortunately don't have a Mac handy to test.

      Is there any way to find out what it doesn't like about the certificate?

      If you're familiar with cert utilities, you can try creating a new CA and TLS key. The locations are:

      • CA key: /etc/ssl/private/tinypilot-ca.key
      • CA cert: /etc/ssl/certs/tinypilot-ca.crt
      • TLS key: /etc/ssl/private/tinypilot-nginx.key
      • TLS cert: /etc/ssl/certs/tinypilot-nginx.crt

      Note that if you generate your own CA and keys, you'll also want to add tinypilot_manage_tls_keys: no to /home/tinypilot/settings.yml, otherwise TinyPilot will try to overwrite your keys next time you update.

      You can also force TinyPilot to regenerate the CA and TLS keys if you delete the files and then run sudo /opt/tinypilot-privileged/update, but I think odds of that fixing anything are low.

      > I can't click through in chrome and in safari, but i can in firefox.

      I'm not sure how much this helps, but you can bypass the TLS warning in chrome by typing thisisunsafe while the browser has focus. It sounds ridiculous, but it's real.

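As an added example (not TinyPilot's own code, and not the process the reply above describes; it assumes only a standard openssl binary, 1.0.2 or later, and writes to a directory you choose), here is how to mint a self-signed CA and a CA-signed server certificate that meets the requirements Apple publishes for TLS server certificates trusted by macOS 10.15 and later: a subjectAltName naming the host, the serverAuth extended key usage, an RSA key of at least 2048 bits, a SHA-2 signature, and a validity of at most 825 days. A leaf that misses one of those is a common reason for macOS to reject a certificate even though the CA itself is trusted, so the second function is there to inspect an existing certificate such as the one at the nginx path listed above. The hostname tinypilot.local and the address 192.168.1.50 are placeholders; the outputs can be copied to the paths listed above, with tinypilot_manage_tls_keys: no set as described.

```shell
#!/bin/sh
# Added example, not TinyPilot's code. Mints a private CA plus a CA-signed
# server certificate satisfying Apple's published TLS server-cert rules
# (SAN, serverAuth EKU, RSA >= 2048, SHA-256, validity <= 825 days).
# Assumes a standard openssl binary; hostname and IP are placeholders.
set -eu

# mint_certs <outdir> <hostname> [ip]
# Writes ca.key, ca.crt, server.key, server.crt into <outdir>.
mint_certs() {
  outdir=$1; host=$2; ip=${3:-}
  mkdir -p "$outdir"

  # 1. Self-signed root CA. CA:TRUE plus keyCertSign is what marks it as a
  #    CA; a root lacking them is rejected by modern clients.
  cat > "$outdir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -config "$outdir/ca.cnf" \
    -keyout "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null || return 1

  # 2. Server key and request. The CN alone is not enough: browsers and
  #    macOS match the hostname against subjectAltName only.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$outdir/server.key" -out "$outdir/server.csr" 2>/dev/null || return 1

  # 3. Leaf extensions stamped in by the CA at signing time.
  san="DNS:$host"
  [ -n "$ip" ] && san="$san,IP:$ip"
  cat > "$outdir/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl x509 -req -sha256 -days 825 \
    -in "$outdir/server.csr" -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" \
    -CAcreateserial -extfile "$outdir/leaf.ext" \
    -out "$outdir/server.crt" 2>/dev/null || return 1

  # 4. Prove the chain builds and the leaf names the host, as a client would.
  openssl verify -CAfile "$outdir/ca.crt" -verify_hostname "$host" \
    "$outdir/server.crt" >/dev/null
}

# leaf_meets_apple_rules <cert.pem> <hostname>
# Returns 0 when the certificate carries a SAN for the host, the serverAuth
# EKU, a 2048-bit RSA key and a SHA-256 signature (the 825-day cap is set
# by -days above). Point it at an existing leaf to see what a client sees.
leaf_meets_apple_rules() {
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  echo "$text" | grep -q "DNS:$2" || return 1
  echo "$text" | grep -q "TLS Web Server Authentication" || return 1
  echo "$text" | grep -q "Public-Key: (2048 bit)" || return 1
  echo "$text" | grep -q "sha256WithRSAEncryption"
}

# Stand-alone demo: mint into a temporary directory and report the verdict.
demo_dir=$(mktemp -d)
mint_certs "$demo_dir" tinypilot.local 192.168.1.50
leaf_meets_apple_rules "$demo_dir/server.crt" tinypilot.local \
  && echo "CA and leaf written to $demo_dir; leaf passes the checks"
```

Import ca.crt (never ca.key) into the keychain and mark it trusted; the leaf is what nginx serves and should not be imported. Running leaf_meets_apple_rules against an existing certificate tells you which requirement it misses before you replace anything.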
      1. sizz0p m0dem @sizz0p (in reply to sizz0p)
           2021-05-14 19:40:36.844Z

          Thanks. I'll fire up a Windows VM and see if it is acting the same. If so, I'll try minting everything anew. I'll let you know regardless what I find. So far I just have the "not standards compliant" error after importing to the system store and restarting the browser, etc. My Android phone with Chrome is also the same.

          I don't know what would make me special... I didn't install anything that would have conflicted with the initialization/first-run routine. My Macs and phone (which have Chrome in common) were both unhappy with the self-signed cert from the get-go.

          That's a cool Chrome trick! haha I'll have to give that a shot. I'll see what I can find...

          1. sizz0p m0dem @sizz0p (in reply to sizz0p)
               2021-05-14 20:37:22.743Z

              Ahh, this is a case of support rule #1: users are fibbers, even when they don't intend to lie.

              I blew away the cert in my keychain and imported it again. I'm not sure what was different this time (the only thing that makes sense to me right now is that when I was selecting "Always Trust" it wasn't persisting, or some freak occurrence happened with the import), but now everything is working as one would expect!

              I'm not sure what I did to goof up the initial cert import, but everything probably stemmed from that. Thanks again for all of your help!

              1. sizz0p m0dem @sizz0p
                   2021-05-14 20:20:08.482Z

                  Well, it works as expected in Windows and it's also working on my Android phone - my recollection of my phone was wrong. So I guess this is an issue with how Big Sur handles self-signed certificates, rather than any type of issue with the certs. Thanks for your help!

                  1. Michael Lynch @michael (in reply to sizz0p)
                       2021-05-14 20:23:17.155Z

                    Oh, to clarify, TinyPilot's TLS certificate is not self-signed. It's CA-signed, and the CA is self-signed, but all root-level CAs are self-signed.

                    I'd like to try to get this fixed for you. If you find any way of getting Mac to share more information about what it finds invalid about the CA cert, I can make changes to TinyPilot's CA generation process.

                    1. Michael Lynch @michael (in reply to michael)
                         2021-05-14 20:38:10.563Z

                      Oh, that's great! I'm glad to hear it's all working now.

                      1. sizz0p m0dem @sizz0p (in reply to michael)
                           2021-05-14 23:47:35.371Z

                          For the curious or bored: I am fairly certain what resolved this for me was that after I had imported the cert into the system store, I noticed something made another copy of the cert in my login chain (this is in the keychain manager).

                          When I set the copy in the login chain to also "Always Trust" and authenticated to save the changes, I think that Chrome would then accept the cert. HTH, YMMV.