cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

Improve certificate issue messaging #14485

Open garrett opened 4 years ago

garrett commented 4 years ago

Our certificate issue page is confusing.

It's the page which displays when:

  1. certificate issues prevent wss:// from working (that is: secure websockets).
    • This is shown mainly with the notorious Safari iOS issue (where mobile Safari does not support the same certificates for websockets as it does for https).
  2. Proxy setup issues
    • Often, this is when someone is running Cockpit insecurely on purpose and then wrapping it behind an Nginx, Caddy, or similar proxy to make all requests over HTTPS
  3. Unintentional proxies
    • Corporate proxies
    • Windows anti-virus software commonly does MitM (man-in-the-middle) attacks by adding their own root CA in Windows certificate storage to scan for malware, and this apparently affects all website certificates as well (so this affects Cockpit).

To solve these issues in Cockpit we need to:

  1. Improve the documentation to reflect these issues and provide some suggestions for solutions. Perhaps on a troubleshooting page. (Needs content written)
  2. Improve our certificate page to have a shorter summary of the issues and solutions, possibly with a link to the extended form. (Needs design)
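A quick way to tell the third case (corporate proxy or antivirus "SSL inspection") apart from the other two is to compare the fingerprint of the certificate the server is configured to serve with the fingerprint of the certificate a client actually receives on a live connection: if they differ, something between the two has re-signed the session. The script below is an added illustration for that check and is not Cockpit's own code; the `/etc/cockpit/ws-certs.d/` path, the host and the port are assumptions, and the embedded certificate bytes are constructed (they are not real DER), which is enough to exercise the comparison offline.

```python
"""Compare the TLS certificate a client receives with the one the server serves.

Added example, not part of the Cockpit project.  Assumptions: the server's
certificate file lives under /etc/cockpit/ws-certs.d/, and the host/port used
in the demo are placeholders.  The sample byte strings are constructed.
"""
import base64
import hashlib
import socket
import ssl

# Constructed sample "certificates" (arbitrary bytes, not real DER).
SAMPLE_SERVER_DER = b"constructed: certificate bytes served by the Cockpit host"
SAMPLE_PROXY_DER = b"constructed: certificate bytes re-signed by an inspection CA"


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem: str) -> str:
    """Fingerprint of a PEM-encoded certificate, e.g. the server's own file."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


def make_constructed_pem(der: bytes) -> str:
    """Wrap raw bytes in PEM armour so the file-based path can be exercised offline."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def fingerprint_from_file(path: str) -> str:
    """Fingerprint of the certificate the server is configured to present."""
    with open(path, encoding="ascii") as fh:
        return fingerprint_pem(fh.read())


def fingerprint_observed(host: str, port: int = 9090, timeout: float = 5.0) -> str:
    """Fingerprint of the leaf certificate handed to a client on a live connection.

    Verification is deliberately disabled here: the goal is to see exactly what
    the client is given, even when an interposing CA makes it look valid.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_der(tls.getpeercert(binary_form=True))


def classify(expected: str, observed: str) -> str:
    """Explain the comparison in the terms a troubleshooting page would use."""
    if expected.upper() == observed.upper():
        return "direct: the client sees the server's own certificate"
    return "intercepted: a proxy or inspection CA re-signed the connection"


if __name__ == "__main__":
    # Offline demonstration with the constructed samples.
    server_fp = fingerprint_pem(make_constructed_pem(SAMPLE_SERVER_DER))
    print(classify(server_fp, server_fp))
    print(classify(server_fp, fingerprint_der(SAMPLE_PROXY_DER)))
    # Live use (assumed paths/hosts): run on the Cockpit host, then from the
    # affected client, and compare the two fingerprints.
    # expected = fingerprint_from_file("/etc/cockpit/ws-certs.d/0-self-signed.cert")
    # observed = fingerprint_observed("cockpit.example.test", 9090)
    # print(classify(expected, observed))
```

Run `fingerprint_from_file` on the server and `fingerprint_observed` from the client that shows the certificate page; matching fingerprints point at case 1 or 2 (websocket support in the browser, or proxy configuration), a mismatch at case 3.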

garrett commented 4 years ago

@elhananjair found the anti-virus issue in #14448 and pointed out that Firefox worked still, even when Edge (Chromium-based) didn't.

Note 1 (Firefox): After a bit of digging around, I found that Firefox has its own certificate store and does not normally use the system-wide Windows certificate store. (There are, of course, settings to override this and use Windows' own cert store too. But it's not enabled by default — and only intended for corporate usage.) So a quick test, under most circumstances, is to see what Firefox does if Edge is having issues like this.

Note 2 (Chrome): Here's how Chrome does it: https://www.chromium.org/Home/chromium-security/root-ca-policy (TL;DR: they apparently have their own cert storage, but also reference the system cert storage.)

elhananjair commented 4 years ago

@garrett in my case I was trying with a self-signed certificate; does this problem persist with official certificates too?

martinpitt commented 1 year ago

https://cockpit-project.org/faq.html#login has some info about that now, but we don't yet link to it from the failure page.