Chrome reports "not secure"

Hello *.

Running core 168 as of this writing, but this issue has been here for a long time. It’s not a show stopper, but looking for a solution just the same.

Chrome reports that all pages for IPFire (https://my-firewall-machine:444/etc…) are “Not Secure”. I use a certificate from letsencrypt (using dehydrated into aws route53) and the certificate is valid. However, Chrome complains of “mixed content” on the pages.

Is there anything to “fix” this? What prompted my question is that aws-cli “broke”, causing my certificate to expire without any other warning. My plan is to add aws route53 to the ddns page so that we can use that for dynamic IP.

But first, is there a way to get Chrome to not complain?

Please and thank you.

Why do you care? You know you are not having any risk. Actually by using letsencrypt you are less secure.

The way to do this correctly is to find out how to import the key generated locally by IPFire into the browser. I remember there was a thread discussing this topic some time ago. If my memory is correct, with Chrome it is not easy. However, with Firefox it is extremely easy.

Anyhow, the point is, why don’t you install a firewall in your brain and simply ignore those messages from your browser? If the problem is that Chrome will not allow you to connect, I would consider this another reason to ditch Chrome. If you really must use Chrome, try to find that thread. Maybe someone can post a link to it.

Edit: found it: New user, everything works, but can't log in from Chrome - #18 by boycottseattle

2 Likes

I’ll keep it polite, even though I was not offered the same courtesy.

  • Chrome says: “not secure due to mixed content”; this is the crux of my question.

If this can’t be fixed, right now or ever, that’s all the answer I’m looking for.

That’s it. The rest of the commentary was not warranted, needed or relevant.

I spent my time, which is limited as one day I will die, trying to help you out. And you do not even look at the link which would solve your problem. Serves me well.

2 Likes

Perhaps this offers some help.

1 Like

This may be it.
This might be WUI related?

So if I interpret this correctly:
The WUI may not be transferring all the content over 443. Perhaps pictures etc. are being sent over port 80 unencrypted.
This may be a WUI issue.
Not sure if this is something that IPFire is going to fix, if related to web pages.
Hopefully this will not be the case in IPFire 3.0.

My Seamonkey browser has always been set up to flag any web pages that are transmitted over encrypted links but contain any mixed content that is unencrypted.

This has flagged a few web sites but nothing has ever been flagged for IPFire.

I checked 5 different pages and opened the security page info for them. All the images on the pages I checked and all the links on the pages I checked were all https. I could not find any http content on the pages I checked.

@joseadias can you specify which WUI pages get flagged up as containing mixed content?

3 Likes
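The manual check described in the post above (looking for any http content on an https page) can be scripted. This is an added example, not part of the thread or of IPFire's code; the hostname and the page markup are constructed, and the tag list is an assumption covering the common subresource tags only.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser fetch a subresource. Plain <a href>
# links are navigation, not mixed content, so they are deliberately absent.
SUBRESOURCE_ATTR = {"img": "src", "script": "src", "iframe": "src",
                    "audio": "src", "video": "src", "source": "src",
                    "embed": "src", "object": "data", "link": "href"}
# <link> only loads something for these rel values (canonical etc. do not).
LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # relative URLs resolve against this
        self.findings = []        # (tag, absolute http:// URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            # An http <base href> silently downgrades every relative URL.
            self.base = urljoin(self.base, a["href"])
            return
        if tag == "link" and not set((a.get("rel") or "").lower().split()) & LINK_RELS:
            return
        attr = SUBRESOURCE_ATTR.get(tag)
        if attr and a.get(attr):
            url = urljoin(self.base, a[attr].strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, url))


def find_mixed_content(page_url, html):
    """Return (tag, url) for every subresource an https page loads over http."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page, not real IPFire WUI markup.
SAMPLE_PAGE = """<head><link rel="stylesheet" href="/themes/style.css">
<link rel="canonical" href="http://fw.example.test/">
<script src="//fw.example.test:444/include/app.js"></script></head>
<body><img src="http://fw.example.test/images/logo.png">
<a href="http://example.test/docs">docs</a>
<iframe src="http://fw.example.test/graph.cgi"></iframe></body>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://fw.example.test:444/cgi-bin/index.cgi", SAMPLE_PAGE):
        print(f"mixed content: <{tag}> loads {url}")
```

An empty result for a saved page means its markup references no http subresources, which matches what the post reports; requests made later by scripts are not covered by a static scan like this.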

I installed Google-Chrome on my Arch Linux system.

It has a note that the site is insecure and it has put a line through the https but there are no messages about mixed content on any of the pages I tried.
Screenshot_2022-06-22_18-07-25

Looking into the details of the certificate messages Chrome gives the following information

Screenshot_2022-06-22_18-02-17

So it shows that the certificate is self signed and does not have an Alternative Name for the Subject but then it indicates that all resources on the page are served securely and that the connection to the site is encrypted and authenticated using TLS1.3, X25519 and AES_256_GCM.

There is nothing about mixed content.

Where are the Mixed Content messages being seen in Chrome?

4 Likes

@joseadias maybe you have an AV scanner on your system that intercepts browser traffic. These solutions sometimes use “fake” root certificates for all HTTPS connections. This could lead to strange messages regarding security in browsers if one tries to access local hosts with self-signed certificates. But in the end it’s nothing to worry about.

4 Likes

For the record, I would be very interested in this aspect of the issue as well… :)

1 Like

Just installed Google Chrome to test this. I do not get any mixed content warnings when I click through the UI.

I have my own CA and created certs for all my servers. My CA is loaded into my OS and Firefox. I believe that Chrome uses the OS’s certificate stores.

Do you maybe go through a proxy? Or have an add-on installed which could affect this?

Never really used Let’s Encrypt, so I’m not sure if it’s something specific to that cert.