Windows 8.1 and signed driver problems - driver

I have a driver which is signed using the steps in this link:
http://technet.microsoft.com/en-us/library/dd919238(v=ws.10).aspx
When I try to install this driver on Windows 8.1 it fails. The driver can install on all other operating systems.
When I restart the computer, disable driver signature enforcement and start the driver install, a message appears saying that the publisher of the driver is unknown and asks me if I want to continue the install or not. If you choose to install, then the driver is installed on Windows 8.1. So the problem must be something with the driver signature, I guess.
Taken from the link: "The driver is marked as "Not Trusted" because Windows cannot validate the certificate against any of the trusted certificates in the per computer Trusted Root Certification Authorities store".
As this driver is meant to run on customer machines this problem is really annoying.
So:
Will this problem be solved if I make the driver marked as "Trusted" - and how do I do that?
Or does someone know an easier workaround for this problem?

You should try using /tr instead of /t because I have experienced trouble with the /tr option as described in my article, Practical Windows Code and Driver Signing.
What exactly do you mean by "it fails"? What error message do you get, or what unexpected behavior? Could you post the .CAT file here so we can look at your signature? Does your certificate use SHA1 or SHA2? What about the CAT file and the signature of the CAT file?
You could consider buying a certificate instead of making one yourself. Then you wouldn't have to worry about putting your certificate in the Trusted Root Certification Authorities list and the Trusted Publishers list on all of your customers' computers.

Related

Docker accept expired certificate on server/host for Windows

When using
docker login mycustomwebsite.com
I run into issue
x509: certificate has expired or is not yet valid
So, the certificate on mycustomwebsite.com is actually expired. I'm ok with that since I will update it later and right now I don't have access to it.
How can I tell docker & docker-compose to accept an expired certificate?
Additionally, how can I completely disable certificate validation if necessary?
I've searched SO for answers; the closest was to use "--insecure-registry", but such an option does not exist for my version or for versions 1.3.0+ (unless I'm completely confused about how insecure-registry was supposed to work).
ps:
Docker version 18.03.0-ce / Docker-compose version 1.20.1 / windows 7
ps2: I didn't find a solution that works; I had to wait until I was able to renew the certificates.

Details about signed Windows driver

I have a custom Windows driver which has been used until now without a signature. I want to sign it to avoid warning messages while installing on Windows 7 and to allow installation on Windows 10 without the need to disable some options. Currently I am testing with a self-signed certificate, and the plan is to buy a real certificate when tests are finished. There are 3 questions:
1) My first test is on Windows XP (VM). XP said that the driver is signed at the beginning of the installation, but later a message was displayed: "The software... has not passed Windows Logo testing to verify its compatibility...". The same message was displayed before with the unsigned driver. Is it necessary to do something else for "Windows Logo testing", or does it depend on the type of certificate? Can it be installed on Windows 10 without such Windows Logo testing?
2) The driver signature is made on the .CAT file, and in this way all files are identified. Is it necessary to sign the .DLLs separately?
3) My current WDK is an old version and the Inf2cat tool does not have the /os option for Windows 10 (10_X64). If the signature is for Windows 7 (/os:7_X64), can it be installed on Windows 10?
Which is your driver, kernel mode or user mode?
I don't know user mode drivers well, so I answer about kernel mode drivers.
1)
If you want to install a kernel mode driver on Windows 10, it should be signed by Microsoft.
See also:
https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/
2)
No. You only need to sign the .CAT file.
3)
You can install a driver which has a signature for Windows 7 if it has Attestation Signing.
https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

Your connection is not private NET::ERR_CERT_COMMON_NAME_INVALID

I am facing a strange issue on Chrome while debugging a local ASP.NET application. I am not able to open localhost without https. With https it's giving the error: Your connection is not private NET::ERR_CERT_COMMON_NAME_INVALID.
It was working on Chrome till the last update & is working on Firefox & IE.
There is also no option in advanced settings to skip the error & visit the site.
Please help.
Finally, after banging my head on the desk for two days, I found this setting in chrome://flags/: Allow invalid certificates for resources loaded from localhost.
This doesn't disable all certificate errors, only those for localhost. Adding an answer for someone struggling with the same issue.
We have found that the best (and only) way to override Chrome is to type the phrase thisisunsafe at the Chrome generated webpage that blocks you. Just type the text directly to the page; there will be no text entry box.
We have servers on an internal network which use SSL but which are not externally signed and this is the only way to get to them.
Just when the page loads, don't click on the page; type: thisisunsafe.
The page will automatically refresh and load the content.
You can copy this flag and add it to the Google Chrome shortcut to bypass this warning permanently.
--ignore-certificate-errors
Updated - March 2020: Adding the above flag to the Google Chrome shortcut does not work anymore. In order to temporarily turn off or bypass this annoying warning from Google Chrome, go to chrome://flags and search for the following entry:
Allow invalid certificates for resources loaded from localhost
After that, enable the option and restart your Google Chrome browser. By doing so, you can bypass the alert as long as you want until you turn off the option.
Source: Fix Your Connection Is Not Private Error In Your Browser
There is a short explanation over at serverfault as to what changed in the RFC spec to cause this. One of the suggestions is to use or add the IP address (presumably 127.0.0.1) to the name 'localhost' for the DNS property of the self-signed cert.
If you use the dotnet core tool dotnet dev-certs https --trust (or run the export per the instructions in devcontainer.json), the localhost certificate generated will use only the name 'localhost'.
But there are other options for generating self-signed certs, including PowerShell. Rather than follow the older syntax, use Example #9 as found in the New-SelfSignedCertificate docs:
New-SelfSignedCertificate -Subject "localhost" -TextExtension @("2.5.29.17={text}DNS=localhost&IPAddress=127.0.0.1&IPAddress=::1")
This appears to resolve the cert error in Chrome (96.0.4664.45). It's necessary to close and re-open Chrome after generating the new cert and incorporating it into your web project or container.
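Added example (not from the original answer) that creates the same SAN certificate as above and then checks the subjectAltName, which is the extension Chrome 58+ actually matches the host against (the Subject CN alone is ignored). It assumes Windows PowerShell 5.1 or later with the PKI module and an English locale for the SAN text output; the friendly name and export path are constructed.

```powershell
function New-LocalhostDevCert {
    # Same SAN as the answer above: DNS=localhost plus the IPv4 and IPv6 loopback addresses.
    # A cert with only CN=localhost and no SAN still triggers NET::ERR_CERT_COMMON_NAME_INVALID.
    param([string]$Store = 'Cert:\CurrentUser\My')
    # Second extension limits the key to server authentication (EKU 1.3.6.1.5.5.7.3.1).
    New-SelfSignedCertificate -Subject 'CN=localhost' `
        -CertStoreLocation $Store `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -NotAfter (Get-Date).AddYears(1) `
        -FriendlyName 'localhost dev cert (constructed example)' `
        -TextExtension @(
            '2.5.29.17={text}DNS=localhost&IPAddress=127.0.0.1&IPAddress=::1',
            '2.5.29.37={text}1.3.6.1.5.5.7.3.1'
        )
}

function Test-SanCoversName {
    # Returns $true only when the certificate carries a subjectAltName extension that lists
    # the DNS name. A missing SAN, or a name present only in the CN, returns $false.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$DnsName = 'localhost'
    )
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $false }
    # Format($true) renders one entry per line, e.g. "DNS Name=localhost" / "IP Address=127.0.0.1".
    $entries = $san.Format($true) -split "`r?`n" | ForEach-Object { $_.Trim() }
    return [bool]($entries -contains "DNS Name=$DnsName")
}

# Create the cert, verify the SAN, then export the public part so it can be imported into the
# Trusted Root store through the Chrome/Windows certificate UI as the other answers describe.
$cert = New-LocalhostDevCert
if (-not (Test-SanCoversName -Cert $cert)) {
    throw 'SAN does not list localhost; Chrome would report NET::ERR_CERT_COMMON_NAME_INVALID.'
}
$outFile = Join-Path $env:TEMP 'localhost-dev.cer'   # constructed export path
Export-Certificate -Cert $cert -FilePath $outFile | Out-Null
Write-Host "Created $($cert.Thumbprint); public certificate exported to $outFile"
```

Importing the exported .cer into Trusted Root makes every certificate issued by that key trusted on the machine, so keep the private key non-exportable (the default here) and delete the cert from the Root store when the project is done.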
I ran into this error and my problem turned out to be Charles (it's a web debugging proxy app). I needed to install an SSL Proxy Certificate for Charles.
Go to Help menu
SSL Proxying -> Install Charles Root Certificate
Open Keychain Access and enable/allow it
If you don't use Charles then obviously this answer doesn't help you at all.
I had a similar problem when I tried to use my self-signed certificate and run my xhtml app in the browser under https with Tomcat. What I did:
In Java's JRE dir (usually Program Files\Java\jre1.8.0_202\bin) there is keytool, and on the command line I used this:
keytool -genkey -alias example -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 3650 -keystore "C:\yourdir\yourkeystore.jks" -ext san=dns:localhost,dns:yourdesktophostname,ip:127.0.0.1,ip:::1
Answer the questions to create a certificate which is valid for 10 years, uses SHA-2, and has what Chrome needs most: a SAN (SubjectAlternativeName).
I added the lines below to Tomcat's server.xml (usually Program Files\Apache Software...\conf):
<Connector port="yourportnumber" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true"
compression="on" scheme="https" secure="true"
keystoreFile="conf/yourkeystore.jks"
keystorePass="yourpassword"
SSLVerifyClient="none" SSLProtocol="TLSv1.2"/>
Restart Tomcat.
Open the localhost address in the Chrome browser (https://localhost:yourport). It will say "Not secure" at the left side of the address bar with https crossed out. Click on it and in that window click on the certificate (invalid). It opens the certificate window; go to the Details tab and press the Copy to File button. Create the .crt file as instructed.
Open up Chrome Settings > Show advanced settings > HTTPS/SSL > Manage Certificates. Select Trusted Roots tab and import the crt file here. Edit this certificate and mark all check boxes.
Restart Chrome
It's 2022 now and the web everywhere is using the https protocol. Sooner or later the hacks and workarounds in this post will become more and more annoying or stop working. If you are developing web applications, even for testing, you will need to either get a free SSL certificate or issue your own certificate for in-house use.
For free certificates, there are three popular web sites providing this service:
https://www.sslforfree.com/
https://letsencrypt.org/
https://zerossl.com/
If you're developing a local web application for your company intranet, you should generate your own SSL certificate using OpenSSL with the information below.
If you would like to generate your own certificates for different purposes, using the latest OpenSSL tool (version 3.0 series) becomes very convenient and relatively easy, too. Just follow the steps listed on this SocketTools page.
https://sockettools.com/kb/creating-certificate-using-openssl/
I have just completed this and made our internal web server and application free of security warnings in any browser. Once you've become familiar with the simple commands, you will be able to expand the use of OpenSSL to other web application projects.
I was trying to run my first .NET Core web app in Chrome and had the same error, using Version 84.0.4147.135 of Chrome.
To resolve (quick fix):
When you run the application you will see two options, 'Advanced' and 'Back to safety', on the page shown by the Chrome browser.
Click the Advanced button; it will show you 'Proceed to localhost (unsafe)'. Click that and your application should work.
(I know the above is not an actual fix. The actual resolution is about adding the localhost certificate as a trusted root certificate.)
If you want to install the certificate: when you see the error and click on it - 'NET::ERR_CERT_AUTHORITY_INVALID' - it will show you the certificate. Copy that and install it into trusted root. I tried that, however it didn't resolve my issue. I will update this if I get a resolution.
Just figured out how to solve this! Click on the Debug tab in the top menu and click on Debug Properties (right below Options), then scroll down and uncheck Enable SSL. Now try debugging your application again and it should work! It may take a minute to load but it definitely solves the problem...
I also had the same problem. By default Chrome uses google.com, which didn't work for me, but google.com.bd worked for me (I live in Bangladesh). So if you live, for example, in the UK, google.com.uk might work.
Go to this link, it will help:
https://superuser.com/questions/169014/chrome-set-search-bar-to-google-co-uk-not-google-com
For angular apps using ng serve, you might have something like this in your package.json file:
"start:windows": "ng serve --port 44470 --ssl --ssl-cert %APPDATA%\\ASP.NET\\https\\%npm_package_name%.pem --ssl-key %APPDATA%\\ASP.NET\\https\\%npm_package_name%.key",
Go to that folder, e.g. C:\Users\{username}\AppData\Roaming\ASP.NET\https, and delete the .key and .pem files for your project. Next time you run it should regenerate them correctly.

Visual Studio remotebuild for iOS fails with Error: self signed certificate in certificate chain

I have a Mac mini configured as the remotebuild server. Remote building my Cordova app to the Mac was working ok in secure mode for a while, but I was suddenly greeted with an Error: self signed certificate in certificate chain.
I've followed several suggestions of running the commands,
remotebuild certificates reset
remotebuild certificates generate
then updating the pin accordingly in Visual Studio to no avail. I can build successfully when running in non-secure mode.
remotebuild --secure-mode false
I've also tried cleaning my solution in VS2015, nuking the certs folder on the Mac and re-installing remotebuild. It may be worth noting that something in the build process was constantly corrupting the remote_ios.json file so I was having to keep removing that file to build every other time as explained here.
Any ideas on how to get around this error or why it would suddenly be a point of failure?
This "self signed certificate in certificate chain" error can happen if remotebuild generates a certificate under one identity (hostname / ip address) and is accessed via another one. The client will look at the certificate and find that it doesn't match what it expected, and so it does not trust the server. My guess is that it began failing for you due to a change in your network architecture.
If you know the identity that other machines will attempt to use, for example if they will use some.buildserver.local, then you can instruct remotebuild to generate a certificate using that identity via remotebuild --hostname="some.buildserver.local" --secure=true saveconfig && remotebuild certificates reset && remotebuild certificates generate.
Once you have created new certificates that should match client expectations, if you reconfigure them then they should accept the server's certificate.
Also apart from those I did restart my client computer as well.

Troubleshoot Driver development: Signed driver not recognized by Windows CodeIntegrity 3004

Short description: I have a signed driver that passes SignTool verification but Windows refuses to load it with error: CodeIntegrity 3004 - file hash not found on system. How do I fix this?
Long description:
I'm using the Cypress Suite USB 3.4.7 development kit to create a USB driver for our instrument to run under Windows 7 64-bit. I've configured the INF with the proper IDs and the unsigned driver works fine as long as I bypass driver signature enforcement. I want to create a signed driver and have been following the steps described in http://www.davidegrayson.com/signing/
I've created a catalog file using Inf2Cat v3.2 with the /os:7_X64 flag among others. I'm using SignTool /sha1 to sign and can verify signatures on the .cat and cyusb.sys files. File explorer shows that both files have digital signatures and the advanced tab shows "This digital signature is OK."
I plug in my USB device and it shows up as an Unknown device in Device Manager. I select Update Driver and I see a screen stating that the driver is signed by me. I continue, and after a few moments the installation fails stating that the driver is not properly signed. Event Viewer shows a CodeIntegrity error 3004, "Windows is unable to verify the image integrity of CYUSB.sys because the file hash could not be found on the system".
I haven't been able to find an explanation for this "file hash" that could not be found. Any help with how to further troubleshoot and resolve this issue would be GREATLY appreciated!
The error message in the event log is misleading. The missing "file hash" is really a Microsoft Root level certificate. I had my driver signed by GlobalSign ObjectSign CA which was a valid signature but I did not specify the cross-certificate which links GlobalSign to the Microsoft root certificate.
To clearly detect the original error I needed to use SignTool Verify with the /kp switch, which tests for the kernel-level permissions needed by this USB driver. Using that switch I got an error clearly stating it couldn't find the Microsoft root certificate.
I downloaded the cross certificate for GlobalSign here: http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx
Using the /ac switch with SignTool Sign I was able to sign the .cat file with a chain that went down to the Microsoft root certificate. This driver successfully installed on a Win 7 64-bit system. Victory!
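Added example (not from the original posts) showing the two SignTool steps this answer describes, and the same /kp check would have answered the first question on this page, where "it fails" on Windows 8.1 was never narrowed down. It assumes signtool.exe from the WDK is on PATH and the code-signing certificate is in Cert:\CurrentUser\My; the thumbprint, cross-certificate path, timestamp URL and catalog name are placeholders.

```powershell
# Placeholders: substitute your own values. The cross-certificate is the file downloaded from
# the Microsoft cross-certificate page linked in the answer above.
$Thumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT'
$CrossCert  = 'C:\certs\PLACEHOLDER_cross_certificate.cer'
$TsaUrl     = 'http://timestamp.example.invalid'
$Catalog    = '.\cyusb.cat'

function Invoke-CatalogSign {
    # Sign the catalog. /ac adds the cross-certificate so the chain continues past the CA's own
    # root up to the Microsoft root that kernel-mode code integrity requires at load time.
    param([string]$Catalog, [string]$Thumbprint, [string]$CrossCert, [string]$TsaUrl)
    & signtool.exe sign /v /ac $CrossCert /sha1 $Thumbprint /t $TsaUrl $Catalog
    return ($LASTEXITCODE -eq 0)
}

function Test-KernelModeChain {
    # A plain 'signtool verify' succeeds under the default Authenticode policy even when the
    # cross-certificate is missing, which is why the question's checks all looked fine.
    # /kp applies the kernel-mode driver policy and names the missing Microsoft root explicitly.
    param([string]$Catalog)
    & signtool.exe verify /v /kp $Catalog
    return ($LASTEXITCODE -eq 0)
}

if (-not (Invoke-CatalogSign -Catalog $Catalog -Thumbprint $Thumbprint -CrossCert $CrossCert -TsaUrl $TsaUrl)) {
    throw 'signtool sign failed; see the output above.'
}
if (Test-KernelModeChain -Catalog $Catalog) {
    Write-Host 'Catalog chains to a Microsoft root under the kernel-mode policy.'
} else {
    Write-Warning 'Kernel-mode chain check failed: expect CodeIntegrity 3004 at install time.'
}
```

This cross-signing flow only applies to the Windows 7 era the question is about: Microsoft no longer issues cross-certificates (the existing ones expired in 2021), and kernel drivers for Windows 10 must go through attestation or WHQL signing as the earlier answer on this page notes.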