pwnwriter / haylxon

⚡ Blazing-fast tool to grab screenshots of your domain list right from terminal.
https://crates.io/crates/hxn
MIT License
399 stars, 18 forks

error trying to connect: invalid peer certificate: UnknownIssuer #22

Closed chouaibhm closed 1 year ago

chouaibhm commented 1 year ago

warning: error sending request for url (https://domain.com/): error trying to connect: invalid peer certificate: UnknownIssuer

pwnwriter commented 1 year ago

Hey @chouaibhm,

Can you be more specific about your URL and the Chromium browser binary you're trying to run with? And is the same thing happening for other URLs as well?

chouaibhm commented 1 year ago

Hey @pwnwriter, here is my Chrome version: Google Chrome 117.0.5938.88. Sorry, I cannot provide the URL, and yes, it's for all the domains. From my understanding, the problem comes from the tool not allowing insecure server connections when using SSL. Could you please add an option, for example: -k, --insecure Allow insecure server connections when using SSL

ssddOnTop commented 1 year ago

@chouaibhm You might be using some proxy. I think it is the website's server which does not entertain any insecure/HTTP requests and just returns code 301 and tries to upgrade the connection to HTTPS (which is handled by the browser on their side before taking the screenshot).

Looks like you are probably trying to perform some MITM; for that you should add the middle certificate to your PKI (such as Keyring in GNOME and Keychain in macOS).

From my understanding this issue is probably not related to haylxon at all.

Azathothas commented 1 year ago

@ssddOnTop @pwnwriter A browser may consider a certificate to be invalid for a multitude of other reasons than simple MITM or Failed Connection Upgrades.

See how gowitness implements it: InsecureSkipVerify https://github.com/sensepost/gowitness/blob/fa0246e688accd8a4dbc7d49b67fc3cd0628fd8a/chrome/chrome.go#L103

If running the binary directly, simply passing --ignore-certificate-errors will do the same.

I am pretty sure you can do something similar at: BrowserConfig https://github.com/pwnwriter/haylxon/blob/4e7dffae7faed2ac02a9c5318044c142d630c37d/src/cli/screenshot.rs#L39

A brief look at other implementations

Security:

See Also:

pwnwriter commented 1 year ago

I'm reopening this issue, I'll look into it. Thanks for raising this <3

Azathothas commented 1 year ago

You can easily test/compare using:

curl -qfsSL "https://raw.githubusercontent.com/Azathothas/CertStream-Domains/main/Data/np_ccTLDs/certstream_domains_np_all_24h_httpx.txt" | awk '{print $1}' | grep -i 'http' | sort -u | hxn -b "$(which google-chrome)" --stdin
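
The thread names several possible causes for the UnknownIssuer error (an intercepting proxy, a CA missing from the trust store, other certificate problems). The following is an added example, not part of the thread or of haylxon, that uses the openssl CLI to tell these cases apart and to show that trusting the specific issuing CA clears an unknown-issuer failure without turning verification off. The function names `classify_cert` and `make_demo_certs` and the certificate subjects are hypothetical; the certificates are constructed sample input, and openssl's trust store may differ from the one hxn's TLS stack uses.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): classify why a certificate fails
# verification, using the openssl CLI. Function names are hypothetical.

# classify_cert LEAF_PEM [TRUSTED_CA_PEM]
# Prints: ok | unknown-issuer | self-signed | expired | other-<code> | unreadable
classify_cert() {
  local leaf=$1 ca=${2:-} out code
  if [ -n "$ca" ]; then
    out=$(openssl verify -CAfile "$ca" "$leaf" 2>&1) && { echo ok; return 0; }
  else
    out=$(openssl verify "$leaf" 2>&1) && { echo ok; return 0; }
  fi
  # Failures are reported as "error <N> at <depth> depth lookup: <reason>".
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9]\{1,\}\) at .*/\1/p' | head -n 1)
  case "$code" in
    2|20|21) echo unknown-issuer ;;  # issuer not found in the trust store
    18|19)   echo self-signed ;;     # self-signed leaf, or untrusted root in chain
    10)      echo expired ;;
    "")      echo unreadable ;;      # openssl failed before chain validation
    *)       echo "other-$code" ;;
  esac
}

# make_demo_certs DIR
# Constructed sample input: a private root CA and a leaf certificate it signs,
# standing in for an internal CA or an intercepting proxy's CA.
make_demo_certs() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Demo Root" \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.internal.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" >/dev/null 2>&1
}
```

To try it, run `make_demo_certs "$(mktemp -d)"` and call `classify_cert` on the resulting `leaf.pem`, first alone and then with `ca.pem` as the second argument.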