Subj : Re: Chromium and self-signed certificates To : bp@www.zefox.net From : Richard Kettlewell Date : Wed Aug 14 2024 15:27:46 writes: > I'm trying to get chromium under RasPiOS to open an > https connection to a private webserver that's using > a self-signed certificate. Apache starts up without > reporting any errors, chromium opens the page but > reports only an http connection. All I'm aiming for > at this point is encryption, not authentication. > > Looking at the page that opens and examining the > certificate reports only one thing that looks like > it might be an error. Under Certificate Basic Constraints > the field value contains: > > Critical > Is a Certification Authority > Maximum number of intermediate CAs: unlimited > > Anybody got a link to a good description of how to > troubleshoot this sort of problem? For example, where > does chromium put its error logs? On the one hand that’s just a description of something it found in the certificate. On the other hand it’s the kind of thing that browsers don’t like so it’s a reasonable candidate for your first problem. Normally the error page when you try to visit an ill-configured https site can be persuaded to give you some kind of error indicator - you should check that before assuming that the unlimited path length is really the (only) issue. If it is the problem: pathLenConstraint is documented here: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9 If that is indeed the issue then you need to go back to where the self-signed certificate was generated and regenerate it with a pathLenConstraint. How you do that depends on how you generated it. The bigger picture: No modern web browser is likely to accept a self-signed certificate without complaint (although the degree of moaning may vary), so getting past this issue may not improve matters as much as you hope. Personally I use LetsEncrypt even for purely ‘internal’ certificates; it is a lot less painful than either self-signed certificates (which means tedious browser warnings) or running my own private CA (which means deploying the root to all the clients on my network, and fitting in with browser requirements, which can be a moving target). -- https://www.greenend.org.uk/rjk/ --- SoupGate-Win32 v1.05 * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3) .