Chrome Won't Load Kibana (Broken SSL)
peasead opened this issue · comments
Chrome Version: 78.0.3904.108 (Official Build) (64-bit)
OS: macOS 10.15.1 (19B88)
ROCK: CentOS 7.7.1908 (Core)
ROCK Version: 2.5.0-1911
Error: This page is not secure (Broken HTTPS)
I'm not sure if it's the fact that this is a self-signed certificate or not, but Chrome won't let me continue. I can continue with Safari.
I can work around it by ignoring Chrome SSL certificate errors, but that's not a supported configuration for Chrome:
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ignore-certificate-errors &> /dev/null &
I also tried adding rock to my /etc/host file, because SSL is finicky about DNS, no dice.
Here is the cert info:
echo -n | openssl s_client -connect 192.168.132.170:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > rock.cert
depth=0 C = US, ST = MO, L = St. Louis, O = RockNSM, OU = NSM Ninjas, CN = rock, emailAddress = info@rocknsm.io
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = MO, L = St. Louis, O = RockNSM, OU = NSM Ninjas, CN = rock, emailAddress = info@rocknsm.io
verify return:1
DONE
openssl x509 -in rock.cert -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
26:24:2b:e4:07:c4:35:8f:55:9f:21:86:82:e0:6e:50:af:27:7e:9c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=MO, L=St. Louis, O=RockNSM, OU=NSM Ninjas, CN=rock/emailAddress=info@rocknsm.io
Validity
Not Before: Nov 8 02:55:45 2019 GMT
Not After : Nov 5 02:55:45 2029 GMT
Subject: C=US, ST=MO, L=St. Louis, O=RockNSM, OU=NSM Ninjas, CN=rock/emailAddress=info@rocknsm.io
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:d3:99:76:e0:11:fd:24:9d:4a:54:ac:6e:ae:0f:
d5:fa:a8:6b:c6:e1:7f:73:26:79:c2:99:e0:26:e7:
9e:c6:74:5b:da:44:df:59:e2:02:2e:75:8f:45:79:
c6:cb:95:6c:88:37:fd:0a:05:2a:57:43:32:b7:e8:
a4:92:fa:00:9d:34:4d:48:4e:c1:27:c3:61:3a:43:
df:47:9a:f7:99:d1:e4:a0:98:1a:91:0a:d2:49:1c:
b5:4a:e1:41:2d:17:18:15:9c:b9:85:4f:a8:2e:d0:
59:f6:11:71:59:af:05:72:4b:1d:bc:7b:9f:31:a8:
91:99:3d:a3:8a:74:f7:a8:1d:cb:80:80:38:ce:a9:
ef:01:61:2d:07:56:76:f9:c5:22:89:46:61:14:35:
91:fd:5f:ec:2f:65:50:9b:db:e7:4e:df:0b:dd:43:
38:4e:9f:66:90:64:3c:99:bc:94:e3:ba:ee:46:e3:
ca:0e:1b:48:17:a4:5a:cb:0d:03:d5:d2:1a:3f:a3:
b6:0c:38:69:7d:b1:dd:d5:e2:7d:5a:c1:19:25:be:
a3:6d:99:9e:ba:57:7d:d7:14:cd:51:79:a3:99:6e:
4b:50:57:26:0f:13:b4:13:1d:3f:8b:7d:b7:88:b4:
a1:32:91:3e:1a:da:83:84:65:e5:23:b9:4e:d7:a4:
0f:07:ab:a4:6d:55:25:c0:a9:1f:02:f2:83:6a:f7:
19:f8:2c:0a:03:6b:11:a9:2f:c4:14:30:a3:55:a3:
59:f4:d0:e7:4d:da:21:e9:3e:b1:09:39:72:93:fe:
13:ac:97:16:f3:4e:cd:48:82:44:da:b0:86:c2:de:
f7:b0:b5:64:6a:48:71:0f:77:f4:92:80:70:08:89:
72:10:3b:e2:63:6d:21:a8:ac:93:53:c2:6f:e2:f5:
17:84:cb:f0:d4:59:a9:be:d4:bf:45:f1:dc:19:21:
32:d9:00:6b:ab:07:06:de:16:57:fe:4e:74:a5:7e:
7b:ef:e7:c4:1b:d7:f6:89:cd:00:d7:36:23:40:e8:
e9:20:37:bc:fc:0e:97:d6:8c:4d:81:ac:47:2a:07:
d9:0f:b9:2f:6f:5f:32:7c:f1:31:9f:01:78:60:44:
16:22:d4:33:b2:96:14:18:c7:f6:82:17:b7:31:ae:
08:f5:9c:00:f0:e7:33:64:0c:fb:cf:19:f0:9c:f1:
17:7f:6b:43:e5:22:1b:4e:a6:a1:e3:96:6f:ce:d7:
ba:c5:aa:89:88:da:a1:c2:d0:9b:d6:2a:cc:cc:39:
a5:3e:cc:fa:e1:29:f0:80:2e:14:fe:a8:82:7d:3f:
45:09:f8:05:d9:5c:52:04:56:d2:84:83:b4:f8:b6:
e3:c1:af
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:rock
Signature Algorithm: sha256WithRSAEncryption
92:f2:c5:fe:a8:5d:3d:31:1b:d4:08:82:9f:02:09:b5:b8:13:
dc:c1:27:0b:a9:5b:ca:0e:91:9b:87:fa:7e:e9:bc:d4:ca:91:
f1:1a:68:c1:2f:28:7c:ab:4b:ed:eb:09:00:28:dd:14:c4:5f:
d7:05:5a:b5:66:05:59:af:d3:93:44:fc:7e:59:d3:2b:fa:a8:
e8:be:3d:8e:f1:72:54:0e:5c:35:32:25:bf:94:77:eb:fc:7f:
de:80:46:d3:6d:44:f6:b1:c8:d5:91:33:2f:4d:f4:04:65:2f:
6a:c8:b5:71:f5:0a:39:3c:62:51:20:d9:cc:b5:ce:3a:d8:35:
67:0a:df:63:cc:29:f1:d5:47:71:2c:5f:b7:3e:b1:99:42:4c:
48:81:5c:d5:fd:c2:8e:e1:d5:0a:44:5d:b2:73:10:60:13:6b:
3c:a1:bd:76:51:18:2b:05:82:41:d0:06:07:e5:fd:62:a1:0e:
18:3e:fb:d8:90:0c:de:60:f4:40:ee:0b:e0:a5:e5:37:b8:5b:
9e:c3:51:ad:48:73:7f:00:bf:dc:0c:e1:ef:22:0f:6e:7d:c6:
3e:c4:a6:8d:46:f1:09:d5:ce:8e:1d:74:6e:91:09:33:14:5d:
bd:66:e4:39:3c:62:b9:f4:1c:86:b0:d1:da:52:5d:65:c9:c8:
f9:a6:5f:93:c4:2e:9a:f1:d2:f0:cd:80:49:e2:a3:0c:11:de:
04:46:a7:5c:09:8f:9f:6a:cd:02:2f:03:9c:e0:6c:85:a6:44:
09:d4:3f:e6:2b:2e:9a:c0:9d:ac:43:5d:82:5f:17:1a:90:a2:
94:34:c5:8b:8d:5b:51:4c:cb:3b:87:7c:9c:c7:12:5a:58:54:
1b:32:bd:93:07:ce:0d:39:91:f2:47:b7:38:32:ee:79:8b:e3:
40:5f:b8:5d:1d:e6:97:c5:3c:4e:fa:fe:81:7b:93:18:05:ea:
3d:73:4e:81:d7:22:21:b0:d8:5b:27:64:2c:20:0f:cc:27:23:
79:c8:e9:51:5a:a4:3f:8c:38:5c:0f:20:92:7d:c9:7b:33:ed:
66:4b:f0:ad:fb:71:b9:89:6b:07:dc:82:8b:e1:16:bc:04:86:
88:e2:84:f8:25:da:da:46:d1:43:12:d8:ab:5b:a1:f8:39:e3:
4b:a3:da:18:c0:0f:36:dc:22:8a:ce:7f:bd:9f:50:96:ac:ef:
cf:37:d0:19:7e:6b:be:ea:2c:82:09:28:dc:13:10:fe:d0:5e:
1c:fb:60:f1:2d:5a:bf:a2:ad:32:18:e1:5a:0d:bb:88:45:39:
c3:f1:4d:43:62:2b:b9:a3:0a:6a:cd:49:4f:22:3e:cb:bf:d1:
ea:16:09:d7:fa:63:61:39
-----BEGIN CERTIFICATE-----
MIIFqzCCA5OgAwIBAgIUJiQr5AfENY9VnyGGguBuUK8nfpwwDQYJKoZIhvcNAQEL
BQAwgYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNTzESMBAGA1UEBwwJU3QuIExv
dWlzMRAwDgYDVQQKDAdSb2NrTlNNMRMwEQYDVQQLDApOU00gTmluamFzMQ0wCwYD
VQQDDARyb2NrMR4wHAYJKoZIhvcNAQkBFg9pbmZvQHJvY2tuc20uaW8wHhcNMTkx
MTA4MDI1NTQ1WhcNMjkxMTA1MDI1NTQ1WjCBhDELMAkGA1UEBhMCVVMxCzAJBgNV
BAgMAk1PMRIwEAYDVQQHDAlTdC4gTG91aXMxEDAOBgNVBAoMB1JvY2tOU00xEzAR
BgNVBAsMCk5TTSBOaW5qYXMxDTALBgNVBAMMBHJvY2sxHjAcBgkqhkiG9w0BCQEW
D2luZm9Acm9ja25zbS5pbzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
ANOZduAR/SSdSlSsbq4P1fqoa8bhf3MmecKZ4CbnnsZ0W9pE31niAi51j0V5xsuV
bIg3/QoFKldDMrfopJL6AJ00TUhOwSfDYTpD30ea95nR5KCYGpEK0kkctUrhQS0X
GBWcuYVPqC7QWfYRcVmvBXJLHbx7nzGokZk9o4p096gdy4CAOM6p7wFhLQdWdvnF
IolGYRQ1kf1f7C9lUJvb507fC91DOE6fZpBkPJm8lOO67kbjyg4bSBekWssNA9XS
Gj+jtgw4aX2x3dXifVrBGSW+o22ZnrpXfdcUzVF5o5luS1BXJg8TtBMdP4t9t4i0
oTKRPhrag4Rl5SO5TtekDwerpG1VJcCpHwLyg2r3GfgsCgNrEakvxBQwo1WjWfTQ
503aIek+sQk5cpP+E6yXFvNOzUiCRNqwhsLe97C1ZGpIcQ939JKAcAiJchA74mNt
Iaisk1PCb+L1F4TL8NRZqb7Uv0Xx3BkhMtkAa6sHBt4WV/5OdKV+e+/nxBvX9onN
ANc2I0Do6SA3vPwOl9aMTYGsRyoH2Q+5L29fMnzxMZ8BeGBEFiLUM7KWFBjH9oIX
tzGuCPWcAPDnM2QM+88Z8JzxF39rQ+UiG06moeOWb87XusWqiYjaocLQm9YqzMw5
pT7M+uEp8IAuFP6ogn0/RQn4BdlcUgRW0oSDtPi248GvAgMBAAGjEzARMA8GA1Ud
EQQIMAaCBHJvY2swDQYJKoZIhvcNAQELBQADggIBAJLyxf6oXT0xG9QIgp8CCbW4
E9zBJwupW8oOkZuH+n7pvNTKkfEaaMEvKHyrS+3rCQAo3RTEX9cFWrVmBVmv05NE
/H5Z0yv6qOi+PY7xclQOXDUyJb+Ud+v8f96ARtNtRPaxyNWRMy9N9ARlL2rItXH1
Cjk8YlEg2cy1zjrYNWcK32PMKfHVR3EsX7c+sZlCTEiBXNX9wo7h1QpEXbJzEGAT
azyhvXZRGCsFgkHQBgfl/WKhDhg++9iQDN5g9EDuC+Cl5Te4W57DUa1Ic38Av9wM
4e8iD259xj7Epo1G8QnVzo4ddG6RCTMUXb1m5Dk8Yrn0HIaw0dpSXWXJyPmmX5PE
Lprx0vDNgEniowwR3gRGp1wJj59qzQIvA5zgbIWmRAnUP+YrLprAnaxDXYJfFxqQ
opQ0xYuNW1FMyzuHfJzHElpYVBsyvZMHzg05kfJHtzgy7nmL40BfuF0d5pfFPE76
/oF7kxgF6j1zToHXIiGw2FsnZCwgD8wnI3nI6VFapD+MOFwPIJJ9yXsz7WZL8K37
cbmJawfcgovhFrwEhojihPgl2tpG0UMS2Ktbofg540uj2hjADzbcIorOf72fUJas
78830Bl+a77qLIIJKNwTEP7QXhz7YPEtWr+irTIY4VoNu4hFOcPxTUNiK7mjCmrN
SU8iPsu/0eoWCdf6Y2E5
-----END CERTIFICATE-----
Moved to community.
I don't think that this is a localized issue, so I'm reopening this as a bug in the way the certificates are generated.
Im able to open Kibana with Chrome running on Windows 10 using the Rock 2.5 ISO
rocknsm-20191126-08_00_58
Thanks @chris-ratliff. I went back to thinking that it was my instance of Chrome, so I ran /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-extensions --disable-plugins to remove plugins and extensions from the mix, same problem.
However, I did get some new errors in the cli that makes me think that this might be a Catalina thing, specifically this little gem:
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-extensions --disable-plugins
[10274:37895:1205/224216.775699:ERROR:binary_integrity_analyzer_mac.cc(28)] Could not initialize mac signature evaluator
[10281:20487:1205/224233.161879:ERROR:ssl_client_socket_impl.cc(969)] handshake failed; returned -1, SSL error code 1, net_error -206
Chrome looks legit, so that's a relief
codesign -d -vvv /Applications/Google\ Chrome.app
Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
Identifier=com.google.Chrome
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1789 flags=0x12a00(kill,restrict,library-validation,runtime) hashes=47+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=5a07be3d63816933a0de7e9131539e2c24b5ca60
CandidateCDHashFull sha1=5a07be3d63816933a0de7e9131539e2c24b5ca60
CandidateCDHash sha256=f36f188759655416f3d9415b93676574c4ffc4c9
CandidateCDHashFull sha256=f36f188759655416f3d9415b93676574c4ffc4c94824b6356086e8d540a63ca2
Hash choices=sha1,sha256
CMSDigest=ad10cfc40dd71af76e68359f67ea0ef03c65b389151adfa9907e4ed65dc37d73
CMSDigestType=2
CDHash=f36f188759655416f3d9415b93676574c4ffc4c9
Signature size=9042
Authority=Developer ID Application: Google, Inc. (EQHXZ8M8AV)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Nov 17, 2019 at 12:39:46 AM
Info.plist entries=36
TeamIdentifier=EQHXZ8M8AV
Runtime Version=10.14.0
Sealed Resources version=2 rules=13 files=60
Internal requirements count=1 size=204
Searching binary_integrity_analyzer_mac.cc(28)] Could not initialize mac signature evaluator is a bunch of Chrome issue.
Does anyone else have Version 78.0.3904.108 (Official Build) (64-bit) running on macOS Catalina?
Just had someone try to reach the site via their MacBook and we are experiencing the same issue as you.
Addressed in the documentation here: rocknsm/rock-docs#54
You can use the "thisisunsafe" workaround. It's a Chrome macOS issue, not a ROCK one. In the future, we'll sign the TLS cert with a CA.