Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

TLS fails on linux self-signed certs

  • 7 replies
  • 29 have this problem
  • 10 views
  • Last reply by ctmattice

more options

on firefox 38.1.0 running on centOS 6.6 I'm having issue with TLS.

when this first happened I re did the cert using 2048 byte keys. This seemed to take care of the issue when navigating to addresses similar to https://localhost/somesite, however, if I try https://localhost:10000 it always fails with:

An error occurred during a connection to localhost.localdomain:10000. The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_cert_key)

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem.

The certificate Signature algorithim is -> PKCS #1 SHA-1 With RSA Encryption

The public key algorithim is -> PKCS #1 RSA Encryption

The key was create on 07/06/15 for a 10 year period, It is a Version 1 cert issued by myself with the following info E = ctmattice@permitepaints.com CN = localhost OU = hq O = permite L = Stone Mountain ST = ga C = us

on firefox 38.1.0 running on centOS 6.6 I'm having issue with TLS. when this first happened I re did the cert using 2048 byte keys. This seemed to take care of the issue when navigating to addresses similar to https://localhost/somesite, however, if I try https://localhost:10000 it always fails with: An error occurred during a connection to localhost.localdomain:10000. The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_cert_key) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. The certificate Signature algorithim is -> PKCS #1 SHA-1 With RSA Encryption The public key algorithim is -> PKCS #1 RSA Encryption The key was create on 07/06/15 for a 10 year period, It is a Version 1 cert issued by myself with the following info E = ctmattice@permitepaints.com CN = localhost OU = hq O = permite L = Stone Mountain ST = ga C = us

Chosen solution

This was a webmin problem.

To fix this edit /etc/webmin/miniserv.pem replace the cert and private key sections.

Use a new generated key and self-signed cert. If you follow centOS instructions the location of the files are /etc/pki/tls/private/ca.key and /etc/pki/tls/certs/ca.crt

Read this answer in context 👍 0

All Replies (7)

more options

Are there more than one cert listed in the certificate manager? Is the cert using ssl3?

more options

guigs said

Are there more than one cert listed in the certificate manager? Is the cert using ssl3?

No only one cert and ssl3 is disabled, only using TLS1.0 and above.

more options

Fallback tls is the third version if not specified. The Dh is not specified so its not the logjam encryption vulnerability.

Could you re-creating your self-signed key?

A work around I have seen is if it works in Windows you can export the certs working in another browser and import those versions, but this does not address the immediate issue.

See if it follows the CA guidelines. Edit the big one was the recent logjam algos: https://communities.bmc.com/thread/131855

Modified by guigs

more options

Replaced the self-signed cert, double checked no other private keys or certs were present. Still have the same issue.

Any thing with a address of https://example.com/somelink works

Tried https://example.com:443 it works as expected. The port # 10000 is typically used by webmin so I'll check over there and see if they have any reports about this

more options

Chosen Solution

This was a webmin problem.

To fix this edit /etc/webmin/miniserv.pem replace the cert and private key sections.

Use a new generated key and self-signed cert. If you follow centOS instructions the location of the files are /etc/pki/tls/private/ca.key and /etc/pki/tls/certs/ca.crt

Modified by ctmattice

more options

Just curious, is this on the server or a work around for a centOs pc?

more options

This was on a server.

The problem lies within webmin and discovered when I uninstalled then reinstalled the yum repository. In the installation process they create a self-signed cert which is too weak for the lastest firefox version.