Opera Not Accepting Certificate (solved)

NollipfSense

@provels I am using Opera version 60 and when one clicks on manage certificate, it launches Keychain...there is no option to import the. certificate.

Gertjan

This https://wiki.wmtransfer.com/projects/webmoney/wiki/Installing_root_certificate_in_Opera ?

NollipfSense

@NogBadTheBad I had already done that before my first post...still no luck as Proovels had also discovered.

NogBadTheBad

@NollipfSense said in Opera Not Accepting Certificate:

@NogBadTheBad I had already done that before my first post...still no luck as Proovels had also discovered.

Well Opera isn't looking at the Certs trusted by your computer, works fine for me using Safari.

Screenshot 2019-06-14 at 16.20.16.png

You should either use a browser that works or post on the Opera forum, it's not a pfSense issue.

https://forums.opera.com/topic/25032/certificates-refused-by-opera-accepted-by-other-browsers

NollipfSense

@NogBadTheBad Well, I might try another browser other than Safari or Firefox as these are my regular web browsing browsers.

NollipfSense

@Gertjan I am using Opera version 60 and when one clicks on manage certificate, it launches Keychain...there is no option to import the certificate. It doesn't present those pop up window as in the Windows OS.

Gertjan

Not a solution, but :

I just tried a self-mode cert, installed it in IE11 (Windows 7) -> This was a no go : vert is self signed IE refuses without any possible exception possible.

Firefox was more specific : self signed certs are refused - although I guess this could be over ridden with some internal settings. But in that case ALL self signed certs would be trusted, also the ones it finds on the net. That's a huge no go.
Better : I was using a Let's Enscrypt cert for my pfSense ** access, and "HTTP Strict Transport Security" was active.
this means I just can't replace certs for other certs (using other signing offices like myself) : this was a no go also.

What works just great : if you can trust a 30 cm long Internet cable, it is possible to leave the GUI on plain http.
It's just you on the LAN - and only YOU - communicating over a 30 cm cable. Just watch that cable, and check that no body is wire tapping it, and you'll be safe. You shouldn't mind that info goes over that cable non-encrypted.
Put all other users on an second OPTx interface, and on this interface you just lock down any GUI access.
You'll be very safe, no cert hassle - nothing to set up, nothing to maintain.

** Let's Enscypt root certs are trusted by any browser so this is also a click-it-and-forget-it solution.

johnpoz

Not sure why this is so difficult - can you not google?

On windows opera 60 just uses the windows cert store... Click on the manage your certs and install it..

NollipfSense

Thanks guys for chiming in...I got it working with Vivaldi browser that is very surprising considering it's a chromium like browser just like Opera. So, Vivaldi is for WebGUI.

NogBadTheBad

@johnpoz He's using a Mac John

johnpoz

Then trust the CA on the mac..

Simple google show to click it to open it up on keychain access, copy it to system and then set its trust to always trusted..

NollipfSense

@johnpoz said in Opera Not Accepting Certificate (solved):

Then trust the CA on the mac..

Simple google show to click it to open it up on keychain access, copy it to system and then set its trust to always trusted..

John, I said in the first post that it was set to always trust. It not the first time I am dealing with certificates.

jahonix

I see this §$%&#!+ behaviour as well and that's why I switched to Opera (from Safari) where it was handled a bit easier.
I still don't get it why this is enforced on RFC1918 addresses as well. Makes no sense and is a PITA. Safari wants me to enter admin pwd just to access the GUI of a new bought switch (to unsuccessfully save an exception in keychain).
RFC1918 is RFC1918. That's why we have it.
</rant>

johnpoz

If the rfc1918 is not listed as a san in the cert then your browser is right to yell at you about it..

And there is a big difference in trying to trust or add an exception to a self signed and trusting a CA that signed a cert.. Your first post was about the first and you can trust that cert all day long and new browsers will still yell about it..

As to your first time working with certs - why are you here then? Asking the question? This is all basic 101 level shit..

NollipfSense

@johnpoz said in Opera Not Accepting Certificate (solved):

As to your first time working with certs - why are you here then? Asking the question? This is all basic 101 level shit..

John, I am not the only one that had certificate issue as others had posted to this thread to confirm. The issue wasn't about basic 101 level, and not everyone is a network engineer. I am a network enthusiast, and I got it resolved.

provels

@johnpoz said in Opera Not Accepting Certificate (solved):

If the rfc1918 is not listed as a san in the cert then your browser is right to yell at you about it..

This is what my issue was. Once I recreated the FW cert to include the IP in the SAN, it just worked. I was also able to use the FW CA to create one for my FreeBSD NAS (XigmaNAS), export the cert and the key and write them into the appropriate fields in the NAS setup. As far as this being "101 shit", I managed plenty of certs in my career but never needed/wanted to install one on an inside network device. Again, the team knew where the browser was going, so why bother? Besides, if we all knew everything, we'd be answering the questions instead of asking them...

johnpoz

What I mean by 101 shit, is trusting the ca... And what a CA even is.. To be honest anyone understands what a CA is and even saw that the cert manager allows you to create ones via a gui should be an eureka moment for anyone wanting to trust certs ;)

As to using them on other devices locally, and it working before just doing an exception - yeah that is all changing.. Your no longer going to be able to do that.. I would bet any and all browsers end up going there at some point.