Running core 168 as of this writing, but this issue has been here for a long time. It’s not a show stopper, but looking for a solution just the same.
Chrome reports that all pages for IPFire (https://my-firewall-machine:444/etc…) are “Not Secure”. I use a certificate from letsencrypt (using dehydrated into aws route53) and the certificate is valid. However chrome complains of “mixed content” on the pages.
Is there anything to “fix” this? What prompted my question is that aws-cli “broke”, causing my certificate to expire without any other warning. My plan is to add aws route53 to the ddns page so that we can use that for dynamic IP.
But first is there a way to get chrome to not complain?
Why do you care? You know you are not having any risk. Actually by using letsencrypt you are less secure.
The way to do this correctly is to find out how to import the key generated locally by IPFire into the browser. I remember there was a thread discussing this topic some time ago. If my memory is correct, with Chrome it is not easy. However, with Firefox it is extremely easy.
Anyhow, the point is, why don’t you install a firewall in your brain and simply ignore those messages from your browser? If the problem is that Chrome will not allow you to connect, I would consider this another reason to ditch Chrome. If you really must use Chrome, try to find that thread. Maybe someone can post a link to it.
So if I interpret this correctly.
The WUI may not be transferring all the content over 443. Perhaps pictures etc. are being sent over port 80 unencrypted.
This may be a WUI issue.
Not sure if this is something that IPFire is going to fix. If related to web pages.
Hopefully this will not be the case in IPFire 3.0
My Seamonkey browser has always been set up to flag any web pages that are transmitted over encrypted links but contain any mixed content that is unencrypted.
This has flagged a few web sites but nothing has ever been flagged for IPFire.
I checked 5 different pages and opened the security page info for them. All the images on the pages I checked and all the links on the pages I checked were all https. I could not find any http content on the pages I checked.
@joseadias can you specify which WUI pages get flagged up as containing mixed content?
I installed Google-Chrome on my Arch Linux system.
It has a note that the site is insecure and it has put a line through the https but there are no messages about mixed content on any of the pages I tried.
Looking into the details of the certificate messages Chrome gives the following information
So it shows that the certificate is self signed and does not have an Alternative Name for the Subject but then it indicates that all resources on the page are served securely and that the connection to the site is encrypted and authenticated using TLS1.3, X25519 and AES_256_GCM.
There is nothing about mixed content.
Where are the Mixed Content messages being seen in Chrome?
@Joseadias maybe you have an AV scanner on your system that intercepts browser traffic. These solutions sometimes use “fake” root certificates for all HTTPS connections. This could lead to strange messages regarding security in browsers if one tries to access local hosts with self-signed certificates. But in the end it’s nothing to worry about.