Problem with Firefox and easy-rsa root certificate not working

I am setting up a CA for my son’s home network using easy-rsa.

I have created the CA and added it to the Fedora trust store in /etc/pki,
then generated a server certificate and set up httpd to use it.

When I use curl to access the server everything works.

I added the root CA to Firefox in Settings/Certificate Manager/Authorities,
clicking “This certificate can identify web sites”.

But I cannot get Firefox to work. It shows this:

Warning: Potential Security Risk Ahead
Firefox detected a potential security threat and did not continue to ozyserver.home. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
What can you do about it?
The issue is most likely with the web site, and there is nothing you can do to resolve it. You can notify the web site’s administrator about the problem.

This is the root CA (trimmed out the modulus):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1f:2d:9e:5c:6a:76:54:95:db:27:37:50:a8:45:fe:fa:03:9f:93:08
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ozynet.home
        Validity
            Not Before: Aug 19 10:11:33 2024 GMT
            Not After : Aug 17 10:11:33 2034 GMT
        Subject: CN=ozynet.home
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Key Identifier: 
                85:80:6D:6E:1A:F3:CE:7E:5D:98:CC:2A:3E:7B:01:5F:6A:1C:F3:40
            X509v3 Authority Key Identifier: 
                keyid:85:80:6D:6E:1A:F3:CE:7E:5D:98:CC:2A:3E:7B:01:5F:6A:1C:F3:40
                DirName:/CN=ozynet.home
                serial:1F:2D:9E:5C:6A:76:54:95:DB:27:37:50:A8:45:FE:FA:03:9F:93:08
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

And this is the server certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b0:3a:1f:65:7f:48:1e:e6:4d:b6:2f:02:6e:da:51:2f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ozynet.home
        Validity
            Not Before: Aug 19 10:11:48 2024 GMT
            Not After : Aug 17 10:11:48 2034 GMT
        Subject: CN=ozyserver.home
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                34:88:37:11:0E:A5:52:2D:22:7B:76:2D:F0:93:E9:29:72:28:19:60
            X509v3 Authority Key Identifier: 
                keyid:85:80:6D:6E:1A:F3:CE:7E:5D:98:CC:2A:3E:7B:01:5F:6A:1C:F3:40
                DirName:/CN=ozynet.home
                serial:1F:2D:9E:5C:6A:76:54:95:DB:27:37:50:A8:45:FE:FA:03:9F:93:08
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Is this not the typical http to https forwarding error?

HTTPS-Only Mode

HTTPS provides a secure, encrypted connection between Firefox and the websites you visit. Most websites support HTTPS, and if HTTPS-Only Mode is enabled, then Firefox will upgrade all connections to HTTPS.
Learn more
Enable HTTPS-Only Mode in all windows
Enable HTTPS-Only Mode in private windows only
Don’t enable HTTPS-Only Mode

If you want to test http, you will have to change the option in the Firefox settings (see HTTPS-Only Mode).

If you just want to use https you have to forward Port 80 by default to port 443 on the webserver/router (check port forwarding 80 443 in DDG/google).

I am setting up https access. I’m using https://ozyserver.home as the URL.

Firefox for some reason is not happy to validate the server’s certificate, yet curl is happy with the same certificates.

This is what it says when I click on the Advanced… button:

Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for ozyserver.home. Error code: [SSL_ERROR_BAD_CERT_DOMAIN]

Edit: the Subject: CN and the URL match.


Oh, it wants Subject Alt Name!
That makes sense. I will look into patching easy-rsa to add that field and test.

No need for patching, it is already supported:

It’s working with altname in the certificate.

For the record here is the command line that I used showing the required placement of the --san option:

/usr/share/easy-rsa/3/easyrsa --san=DNS:ozyserver.home sign-req server ozyserver.home
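The mismatch this thread ran into, as an added example that is not from the thread or from easy-rsa: a small Python model of the browser's hostname check (the name must be a DNS entry in the Subject Alternative Name extension, the Subject CN is never consulted) next to the lenient CN fallback that explains why curl accepted the original CN-only certificate. The certificate dicts are constructed samples in the shape Python's ssl.getpeercert() returns, modelling the server certificate before and after --san=DNS:ozyserver.home.

```python
# Added example (not from the thread): hostname verification the way Firefox does it,
# beside the lenient CN fallback that explains why curl accepted the same certificate.
# The certificate dicts are constructed samples shaped like ssl.getpeercert() output.

# Constructed: the server certificate as first issued in the thread (CN, no SAN).
CERT_CN_ONLY = {
    "subject": ((("commonName", "ozyserver.home"),),),
    "issuer": ((("commonName", "ozynet.home"),),),
}

# Constructed: the same certificate re-issued with --san=DNS:ozyserver.home.
CERT_WITH_SAN = {
    "subject": ((("commonName", "ozyserver.home"),),),
    "issuer": ((("commonName", "ozynet.home"),),),
    "subjectAltName": (("DNS", "ozyserver.home"),),
}


def dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style DNS-ID comparison: case-insensitive, and a wildcard is
    allowed only as the entire leftmost label with at least two labels after it,
    so "*.ozynet.home" matches "www.ozynet.home" but not "ozynet.home"."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def check_hostname(cert: dict, hostname: str, cn_fallback: bool = False) -> str:
    """Return "OK" or Firefox's error code SSL_ERROR_BAD_CERT_DOMAIN.

    cn_fallback=False is the browser rule: the name must be a DNS entry in the
    SAN extension; the Subject CN is never consulted. cn_fallback=True models a
    lenient client that checks the CN only when no SAN extension is present."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names and cn_fallback:
        names = [v for rdn in cert.get("subject", ()) for t, v in rdn if t == "commonName"]
    if any(dns_match(n, hostname) for n in names):
        return "OK"
    return "SSL_ERROR_BAD_CERT_DOMAIN"


if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        print(f"{label:9} Firefox rule: {check_hostname(cert, 'ozyserver.home')}")
        print(f"{label:9} CN fallback : {check_hostname(cert, 'ozyserver.home', cn_fallback=True)}")
```

Running it shows the CN-only certificate failing under the browser rule while passing with CN fallback, and the SAN certificate passing under both.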