
certificate error after importing ca cert into system store on MacOS Big Sur

By sizz0p m0dem @sizz0p, 2021-05-13 23:44:45.621Z

Hi, I just assembled my kit and the device is up and working great. Very cool.

The only issue I have is that even after importing the cert into my store/keychain, Chrome still doesn't like the certificate. I can't click through in Chrome and in Safari, but I can in Firefox.

If I dig into the cert, I can see that the CA cert is accepted at the top level, but then below the root cert I see this:

"Certificate is not standards compliant." Have you seen this before? Is it possible it was concatenated incorrectly or something went awry? It's been a while since I used any self-signed certs, but I don't think this is how macOS should behave... I could be wrong though. Thanks.

Solved in post #2
  • 7 replies
  1. Michael Lynch @michael, 2021-05-14 19:17:11.383Z

    Hmm, nobody has reported this before. I unfortunately don't have a Mac handy to test.

    Is there any way to find out what it doesn't like about the certificate?

    If you're familiar with cert utilities, you can try creating a new CA and TLS key. The locations are:

    • CA key: /etc/ssl/private/tinypilot-ca.key
    • CA cert: /etc/ssl/certs/tinypilot-ca.crt
    • TLS key: /etc/ssl/private/tinypilot-nginx.key
    • TLS cert: /etc/ssl/certs/tinypilot-nginx.crt

    Note that if you generate your own CA and keys, you'll also want to add tinypilot_manage_tls_keys: no to /home/tinypilot/settings.yml, otherwise TinyPilot will try to overwrite your keys next time you update.

    You can also force TinyPilot to regenerate the CA and TLS keys if you delete the files and then run sudo /opt/tinypilot-privileged/update, but I think odds of that fixing anything are low.

    "I can't click through in chrome and in safari, but i can in firefox."

    I'm not sure how much this helps, but you can bypass the TLS warning in Chrome by typing thisisunsafe while the browser has focus. It sounds ridiculous, but it's real.

    1. In reply to sizz0p:
      sizz0p m0dem @sizz0p, 2021-05-14 19:40:36.844Z

      Thanks. I'll fire up a Windows VM and see if it is acting the same. If so, I'll try minting everything anew. I'll let you know regardless what I find. So far I just have the "not standards compliant" error after importing to system store and restarting browser etc. My Android phone with Chrome also is the same.

      I don't know what would make me special... I didn't install anything that would have conflicted with the initialization/first-run routine. My Macs and phone (have Chrome in common) were both unhappy with the self-signed cert from the get-go.

      That's a cool Chrome trick! haha I'll have to give that a shot. I'll see what I can find...

      1. In reply to sizz0p:
        sizz0p m0dem @sizz0p, 2021-05-14 20:37:22.743Z

        Ahh, this is a case of support rule #1: users are fibbers, even when they don't intend to lie.

        I blew away the cert in my keychain and imported it again. I'm not sure what was different this time (the only thing that makes sense to me right now is that when I was selecting "always trust" it wasn't persisting or some freak occurrence happened with the import), but now everything is working as one would expect!

        I'm not sure what I did to goof-up the initial cert import, but everything probably stemmed from that. Thanks again for all of your help!

        1. sizz0p m0dem @sizz0p, 2021-05-14 20:20:08.482Z

          Well, it works as expected in Windows and it's also working on my Android phone - my recollection of my phone was wrong. So I guess this is an issue with how Big Sur handles self-signed certificates, rather than any type of issue with the certs. Thanks for your help!

          1. Michael Lynch @michael, 2021-05-14 20:23:17.155Z, replies to sizz0p:

            Oh, to clarify, TinyPilot's TLS certificate is not self-signed. It's CA-signed, and the CA is self-signed, but all root level CAs are self-signed.

            I'd like to try to get this fixed for you. If you find any way of getting Mac to share more information about what it finds invalid about the CA cert, I can make changes to TinyPilot's CA generation process.

            1. Michael Lynch @michael, 2021-05-14 20:38:10.563Z, replies to michael:

              Oh, that's great! I'm glad to hear it's all working now.

              1. sizz0p m0dem @sizz0p, 2021-05-14 23:47:35.371Z, replies to michael:

                For the curious or bored: I am fairly certain what resolved this for me was that after I had imported the cert into the system store, I noticed something made another copy of the cert in my login chain. (This is in keychain manager.)

                When I set the copy in the login chain to also "always trusted" and authenticated to save the changes, I think that Chrome would then accept the cert. HTH YMMV