HTTPS, Input Validation Error With Domain-CA-Certificate

Hi,

First, thank you very much for this software! Easy to set up, easy to use and still secure.

I also wrote you (using the support-button), but maybe it is better to use the forum (others might have/have had the same problem).

I just can’t get https working and I’m a bit lost about where to look and what to check.

Today, I tried it again, but still no luck. I used the reset-button in the https-section, I created a new key and a new csr, I used the csr with my domain-ca to create a website-certificate, I downloaded the base64-certificate and renamed it to pem, I downloaded the base64-chain (p7b) and converted it with openssl into pem (full chain). I tried to upload my pem-certificate: globaleaks gives me input-validation error.

Can someone help me with that?

PS: this is an internal site for internal use only.

PPS: here is the command I used to convert p7b into pem (with full chain): openssl pkcs7 -print_certs -in certificate.p7b -out certificate-chain.pem

Another attempt: I created a new webserver-certificate from scratch in my domain-ca-website. I exported this certificate as pfx-file, p7b-file and base64-cer-file. I extracted the private key using: openssl pkcs12 -in globaleaks.pfx -nocerts -out globaleaks-enc.key. I tried to upload this encrypted key, but it didn’t work. So I decrypted the key using: openssl rsa -in globaleaks-enc.key -out globaleaks-decrypted.key. THIS file I could upload. I tried to upload the base64-cer-file, but again I got the input-validation error. I opened the cer-file and saw that it didn’t start with “----BEGIN”, but with “Bag Attributes”. I deleted those lines, so that the file starts with “-----BEGIN CERTIFICATE-----”. Still, I can’t upload this certificate, there is always the input-validation error.

What else could I try? Since it is an internal site, I cannot use the lets-encrypt-method.

I figured it out and solved the problem. First, I checked the log-file (/var/globaleaks/log/globaleaks.log). It said “Unable to verify validity of certificate”.

1. proxy
Since our globaleaks is an internal website and the server is in the same subnet as our certificate-servers, I made sure no proxy is used (sudo vi /etc/environment, no_proxy="localhost,127.0.0.1,<my-root-ca>,<my-issuing-ca>"). I also deactivated the proxy for wget, though I’m not sure if this was necessary (sudo vi /etc/wgetrc, use_proxy = off). To be sure, I also added my certificate-servers to the local hosts-file (sudo vi /etc/hosts), which I guess wasn’t necessary either.

2. checking root- and issuing-ca
I also checked if my certificate-servers were working properly.

3. Importing root- and issuing-ca-certificates
I copied the certificates of my certificate-servers on my globaleaks-server (in /usr/share/ca-certificates/) and imported them manually (sudo dpkg-reconfigure ca-certificates).

4. setting ssl-security
I remembered from former Ubuntu-servers that they sometimes had problems with my domain-certificates. Although my certificates were/are sha1, Linux told me that they were md5 (weak) and refused to accept them. So I adjusted the ssl-configuration (sudo vi /etc/ssl/openssl.cnf).
First line:
openssl_conf = default_conf

At the end:
[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=0

After a reboot, I was able to upload the domain-certificate, which also enabled https.

The first three steps were probably unnecessary.

Hope this helps some other users.

Again, thanks for this software!

Cheers.