HTTPS Setup using self signed cert not working

So I’ve done this on dozens of systems, but this is the first time I’ve tried to setup HTTPS since the new GUI for HTTPS Setup in the system admin module.

I went to certificate manager, generated a new self signed cert. Went back to the HTTPS Setup in the system admin module, selected my new cert and hit install. Everything looks like it installed properly there.

I try to connect to this PBX using https now and I get the following:

"x.x.x.x normally uses encryption to protect your information. When Google Chrome tried to connect to x.x.x.x this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be x.x.x.x, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit x.x.x.x right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later."

This used to be pretty straight forward Freepbx 12, so I’m not sure where the disconnect is.

Freepbx: 10.13.66-12
Cert Man: 13.0.22
Sys admin:

This is holding up the roll out of two new systems so I need to get this figured out. Thanks.

I have this issue too on Chrome.

I didn’t think about this being a browser specific issue with Chrome because all of my other PBX systems with self signed certs will still allow me to connect.

Just tried Firefox on my two new builds and it will at least let me add an exception and connect to the PBX via HTTPS.

Chrome policies are different with Firefox, I couldn’t add any exception for Chrome. Chrome doesn’t support webRTC over http too, but Firefox supports.

What version of chrome? At this time im unable to replicate.

Version is : 51.0.2704.103 m

Could you replicate this issue under this version?

No I unfortunately can not.

Dear I update certman and webrtc to the latest version today. I think Asterisk has issue with SHA-256, and it isn’t possible to make any calls on http also.
(it doesn’t connect via https)

If you can’t get self signed to work I suggest getting a certificate from let’s encrypt or start ssl. They are both free.

If you mean you can’t make calls over webrtc that is something we also tested with sha-256 and it worked in our class lab three weeks ago. We haven’t changed anything since then.

I just downloaded the ISO from our downloads page. Installed from scratch. Set the system to edge. Upgraded all modules. Generated a certificate in Certificate Manager (SHA-256). Set it as default in Certificate Manager. Installed it in sysadmin. it worked in chrome 52.0.2743.41

I then created 1 extension and 1 user manager user. I linked the user manager user to said extension, then I enabled UCP login access and enabled WebRTC and connected to UCP using the HTTPS port. I made one phone call to *43 I checked echo in both directions, it worked.

1 Like

Thanks dear, you generate a self-signed with localhost?

I see this in asterisk when I make a call : chan_sip.c:10709 process_sdp: Can’t provide secure audio requested in SDP offer

and one question is what was your Asterisk version??
mine is 13.9.1

Yes I generated a self signed certificate with local host. my asterisk is 13.9.1

I’ve just now had this happen with the third PBX. It’s a virtual hosted PBX with Vitelity. Not sure if that has any bearing or not.

Brand new instance spun up. Tried using the default cert to see if I would have any better luck, and still can’t access HTTPS through Chrome.

So what’s the error and what version of FreePBX

version 13.0.143,

After update certman to 13.0.24, I can’t access via htts with Firefox too.
I receive: Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL in FireFox
and NET::ERR_CERT_INVALID in Chrome.

You did magics with your instance then no issue!!!

That’s a pretty complex error. Firefox has detected that issuer ‘ABC’ has issued a certificate with serial number 1 to ‘localhost.localdomain’, but has ALSO issued a certificate with serial number 1 to ‘anotherhost.anotherdomain’.

This happens when you mess around with self-signed certificates. Sorry, that’s a legitimate error, and I’m not sure how to get Firefox to forget the other one.

With chrome, there’s a ‘more information’ link you can click on. That’ll tell you what the problem is.

Thanks Rob, I solved the issue of Firefox with deleting cert8.db file.
But On Chrome I couldn’t.
Anyway after login, webRTC phone can’t register and I receive “Unable to connect to the UCP Node Server because: ‘Error: xhr poll error’” in ucp
and “ERROR[19481]: tcptls.c:397 tcptls_stream_close: SSL_shutdown() failed: 1” in Asterisk.

What is the cert 8.db file?