Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Bernardes
Collaborator

Gaia Portal Certificate Imported but not working

Hello Mates!

I imported a certificate to Gaia Portal following the sk97648 process, but when I accessed the portal, the web browser yet shows me a warning.

Is there something more to do after importing the certificate and installing the policy? Any troubleshooting and workaround to follow?

Obs: The same certificate is be using by sslvpn and the sslvpn link works fine, without the warning.

Thank you!

0 Kudos
11 Replies
_Val_
Admin
Admin

Any screenshots of that warning?

0 Kudos
Bernardes
Collaborator

Hello @_Val_ 

The warning is the default web browser not secure HTTPS. As if it doesn't have any certificate yet.

image_2023-01-18_180101930.png

0 Kudos
Kaspars_Zibarts
Employee
Employee

Just assuming you have done basic checks regarding trusted root CA? I.e. you checked from it cert chain in browser and then compared root CA to your computer CA trust store or Firefox own cert store (depending your FF config)

0 Kudos
Bernardes
Collaborator

Hello @Kaspars_Zibarts 

I'm not sure about this information. Like I said, the same certificate is be using in both portal, gaia and sslvpn.

When I access the sslvpn it works fine, but when I access the gaia portal in 8443 port this shows the warning on any web browser.

Look the print bellow.

cert.pngnocert.png

0 Kudos
PhoneBoy
Admin
Admin

Post screenshots of the "working" and "non-working" portal certificates.
After literally typing "thisisunsafe" on the warning screen (or clicking the various buttons to ignore the warning), click on the lock icon on the browser.

I suspect the certificate is signed by one or more intermediate CAs.
In this case, you will need to include the entire certificate chain as part of the key you import.
More precisely, it means including the public key of all relevant CAs (root and intermediates).

0 Kudos
Kaspars_Zibarts
Employee
Employee

You need to check certification chain in the browser first, i.e. in Chrome:

 

image.png

 

Then check details for cert chain and see actual issuing root CA:

image.png

 

 Then compare it to your computer Root CA store:

image.png

 

image.png

 

Note that FF uses own trusted root CA store instead of windows OS, so you can google how to check that or else use Edge or Chrome

0 Kudos
Bernardes
Collaborator

Hello @Kaspars_Zibarts first of all, thank you very much for clarifying!

Look how it shows when I access the Gaia Portal via Chrome:

https-e.png

It shows the internal interface IP in the certificate place.

Why it happens if I import the certificate by SmartConsole the same way that the sslvpn was imported? 

 

bellow the sslvpn portal, works fine.

https-ok.png

Kaspars_Zibarts
Employee
Employee

You need to configure both - platform URL that matches name in the cert (or SAN list) plus import correct cert:

image.png

 

0 Kudos
Bernardes
Collaborator

@Kaspars_Zibarts the same certificate was imported for both portals, gaia and sslvpn.

sslvpn.pngportalcert.png

but how we can see when I access Gaia portal the certificate shows the gateway IP interface on the "Certificate Hierarchy" of Chrome. I'm not sure why it happens

0 Kudos
Kaspars_Zibarts
Employee
Employee

What does the name in main URL field resolve to? Cluster IP or member IP? 

Ideally you want separate names for each cluster member and matching cert. Or all listed in SAN list in the same cert

0 Kudos
PhoneBoy
Admin
Admin

What's the details of the certificate that shows the IP address?
I suspect it's a different certificate than the one you uploaded.

0 Kudos