Path: ...!feeds.phibee-telecom.net!2.eu.feeder.erje.net!feeder.erje.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: <bp@www.zefox.net>
Newsgroups: comp.sys.raspberry-pi
Subject: Re: Chromium and self-signed certificates
Date: Sun, 1 Sep 2024 00:23:58 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 30
Message-ID: <vb0c6u$17650$1@dont-email.me>
References: <v9g9tq$14v2$1@dont-email.me> <wwvfrr72n8d.fsf@LkoBDZeT.terraraq.uk> <v9lbmq$115gc$1@dont-email.me> <vatpki$n4it$1@dont-email.me> <wwvwmjxkpwi.fsf@LkoBDZeT.terraraq.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 01 Sep 2024 02:23:59 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="5705dda1b4a9d2187a4a660b805edbac";
	logging-data="1284256"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1/9eKT5LVWACMtwxaTNLGAg/4VhMVSvyUc="
User-Agent: tin/2.6.2-20221225 ("Pittyvaich") (FreeBSD/14.0-RELEASE-p9 (arm64))
Cancel-Lock: sha1:8uszpEeqUV5C418Qf6lQIPb1G6I=
Bytes: 2496

Richard Kettlewell <invalid@invalid.invalid> wrote:
> <bp@www.zefox.net> writes:
>> The reference to "scrambled credentials" implies a syntax error, some
>> kind of credential checker would be a useful tool at this point.
> 
> I see nothing about “scrambled credentials” above. If the browser got as
> far as displaying the certificate subject then it is certainly
> syntactically well-formed, your browser just doesn’t like the contents.
> 
Sorry, that terminology came from the informational window presented by
Chromium saying it didn't like the certificate.

> You will probably need at least a subjectAltName extension containing
> the DNS name of your server. This has been a cabforum.org requirement
> for real certificates for a long time and I don’t know of any reason it
> wouldn’t apply to self-signed certificates too.

The DNS name is displayed in the Common Name, pelorus.zefox.org, which I
thought was sufficient. 

Lawrence D'Oliviero's reply following yours touches on what I suspect
is my greatest misunderstanding: I thought a self-signed certificate
stood on its own. If I'm reading right (and it's early times still)
it looks like I need both  server certificate _and_  CA-certificate
files. That is something I didn't catch on to until just now.

Thanks for writing,

bob prohaska