Kitz Forum
Internet => General Internet => Topic started by: Weaver on December 29, 2019, 01:13:41 PM
-
I am always getting a ping with LAN infrastructure kit that has one or more domain names assigned by me, has IP addresses assigned by me and which requires a certain digital certificate so that HTTPS will (hopefully) work properly. The problems I sometimes encounter of this kind are seen when using my HP switch and to a less noticeable extent with my ZyXEL WAPs. I’ll stick to using the HP switch in the main as an example of problems, in what follows, for the most part.
Say that I try to speak to the web admin UI of my HP switch using either http: or https: - I need to get a digital cert set up, somewhere, somehow if I want to use https: successfully ? How am I supposed to establish a trust relationship ?
I have various valid domain names that match my switch’s admin i/f. For example, something such as: switch.example.com. and switch. or switch-main.weaver-towers.example.com. All might exist and match (say) : 192.0.2.254 for the web admin UI of the switch. But I need to somehow declare the match.
How do I get my web browser to identify the switch as the desired unit, so that I the user can be confident that I am talking to the correct unit, and I also wish to rule out the possibility of malicious redirection ? I also want to avoid the risks arising from entering admin login passwords into the wrong random tin box because I got confused over domain names or literal IP addresses.
I do have options in the switch settings to get it to ignore or not ignore https queries. But disabling support for https is not something that I want to resort to at all.
There are some digital cert handling options in the settings of the HP switch and ZyXEL WAP boxen both, which I don’t understand at all. The HP switch is using a self-signed cert at the moment, which is about as much use as a chocolate teacup.
I could do with some basic hand-holding for total, complete and utter thickos - if anyone could guide me a little. ( NB pitched at a level bearing in mind that I am absolutely full to the eyeballs with painkillers after a bout of pain in my legs in the night.)
-
I'm not sure what problem you're having that simply allowing the self-signed certificate doesn't already solve?
Personally I just use .lan as a domain for all internal traffic, because how is an outside influence going to know my hostnames?
Or if you're really concerned, use the IP addresses directly, note which is which in notepad if you can't remember.
-
A digression - I don’t have any problems at all with domain names or IP address mappings.
—
I use globally valid domain names like switch.office.weaver-kitizen.com. ; I just quoted example.com before, because that’s the standard placeholder pseudo-domain reserved for use in documentation and I don’t want to expose real domain names here. I don’t have any trouble with such domains because in the case of IPv4 I have a static IPv4 address set up for the HP switch admin i/f. I have had dhcp-assigned fixed, effectively static, IPv4 addresses set up for the ZyXEL WAPs and they might as good be truly static, in fact I might just change to doing that and not use dhcp for those boxes any more. The domain names are defined on a global dns server at my ISP (at aa.net.uk) which has a number of A, AAAA and CNAME records defined for the boxes in my LAN. Those mappings are visible outside my LAN; that includes when away from home or on 4G.
—
I just don’t know what I’m doing when trying to set up digital certs properly. A self-signed cert does seem to be good enough, not surprisingly, because of inadequate trust relationships.
What do other people do in this situation ? If wanting to get https going with an infrastructure box such as here that has a fixed address (for admin i/f say) ?
-
When accessing from the LAN, IMO it doesn't matter at all.
When accessing from outside my home network, I use OpenVPN into my router so none of my LAN infrastructure needs to be publicly identifiable at all. They'd have to get into the LAN to find out WHAT to spoof in the first place. If that happens, you're already pretty screwed.
-
Has anyone else set up a digital cert for this?
And would someone who unlike me is digital-cert-literate care to pitch in and comment, setting me straight?
When I ping wap-01 for example, it works fine and it lists the expected ipv4 address xx.yy.zz.251. However iOS Safari on my iPad whines at me when I attempt to browse to (simply) the address "wap-01" or "https://wap-01". I get this error message:
This connection is not private this website may be impersonating "wap-01" to steal your personal or financial information. You should go back to the previous page [Go Back].
Safari warns you when a website has a certificate that is not valid. To learn more you can [view the certificate]. If you understand the risks involved, you can [visit this website].
If I just follow the "visit this website" link then all is well. The full form of the domain name is wap-01.myoffice.example.com (redacted) which is the target of CNAMEs and is the value returned by reverse domain lookup of wap-01 and is shown as the full expansion in the list of ping-replies with returned ipv4 addresses. If I browse to the form https://<full-form> then I get no problem at all.
I am wondering how to fix things so that every form works. Perhaps it’s just a bug in Safari?
—
If I use the form http://<short-form> and let CNAMEs which I have set up do their thing, then all is well and it all works (and shows the padlock too). (I have changed the Safari settings, iirc, to auto-upgrade connections from http: to https: - I found something buried deep in settings somewhere.) So for example http://wap1 or http://wap01 or http://wap-1 or http://wap-01 all work, so I believe, if memory serves. The padlock shows in the address bar line, despite the fact that I did not specify https: myself, and the browser address line changes to show the literal ipv4 address when I specify say http://wap1.
-
It depends what wap-01 is actually resolving to.
When you do a DNS lookup for a hostname only, there will be a default search domain that is used. For example, if I do a DNS lookup for wap-01 on my PC that has the hostname laptop.lan, it would look for wap-01.lan, because the DHCP server has specified .lan as my search domain.
As such, it would be complicated to have it work for all formats you want, as you'd need a certificate signed to match all of them, assuming you can even change the certificate on the device at wap-01.
-
I can change the cert on the device.
The default search domain is set up on my firebrick router correctly, to wap-01.myoffice.example.com the full form shown by ping.
> you'd need a certificate signed to match all of them,
Could it expand the name to the standard full form after adding the suffix if needed and then following CNAMEs and then check that against the cert? If you could just add all the alternate names to the cert that would do its wouldn’t it, as you say?
I don’t understand how to control the signing of the cert. in the case of the WAPs, I’m too thick to understand chapter 14 of the WAP user guide (https://drive.google.com/file/d/1UB_6r6hn60Rhdu2cRDKbDGjXjI80BqP0/view?usp=sharing), and I expect I will need some additional tools.
The HP switch has some info about cert configuration in the HP switch manual (very slow download link) (https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04622710)
-
Largely pointless exercise but if it's something you really want to do use a wildcard certificate to cover all devices within a single domain.
-
Are the rest of us having to deal with whinges and warnings from browsers when https-logging-in as admin to equipment such as switches, routers, waps, modems ? How do you deal with it ?
Could there be a permanent easy fix?
-
If all the devices are using RFC1918 IPv4 addresses and the web-browser is Firefox, just add an "exception" for the device address.
Some devices that are occasionally connected to my LAN will provoke a whinge due to the fact that the certificate offered is self-signed. Again, once everything has been checked, an "exception" is the simplest fix.
-
Neither of my web managed switches use SSL and I don't have it enabled on pfSense either. There is just no need for it on a residential LAN IMO.
The only place I do have it enabled is on the NAS/Server where I use Let's Encrypt to keep it updated. Although that's not currently open to the public Internet either, but probably will be once I'm on FTTP as my upload will be fast enough to avoid needing to buy more VPS storage and just host files directly from home.
If you're worried about security of these devices, wouldn't isolating their management on their own VLAN is perhaps a better idea anyway? But then if something on your LAN is compromised to the point this is an issue, I'd kinda suspect its the least of your worries.
-
Neither of my web managed switches use SSL and I don't have it enabled on pfSense either. There is just no need for it on a residential LAN IMO.
Agreed. But at the "Weaving Shed" the situation is more than just a residential LAN. I think it is best described as being in three separate sections: - A private, residential, LAN.
- A private, business, LAN.
- Guest Internet access for business customers.
-
Agreed. But at the "Weaving Shed" the situation is more than just a residential LAN. I think it is best described as being in three separate sections: - A private, residential, LAN.
- A private, business, LAN.
- Guest Internet access for business customers.
But surely if security is the issue, putting the management on its own VLAN is the key, rather than worrying about encryption?
-
> you're worried about security of these devices, wouldn't isolating their management on their own VLAN is perhaps a better idea anyway? But then if something on your LAN is compromised to the point this is an issue, I'd kinda suspect its the least of your worries.
No one has access to these devices who shouldn’t have. Security is not an issue.
[Guests are on a guest wireless LAN and are physically restricted from getting at things like the main switch. (Would have to break into the house.) The guest wireless LAN is protected by a ZyXEL WAP feature called L2 isolation ACL which prevents guests from getting access to other guests or to machines on the wired LAN apart from the default gateway and the DHCP server, which are both functions of the main router; the required exceptions are MAC addresses whitelisted in the L2_isolation exceptions ACL which are the minimum needed to allow successful internet access. Being at L2 it works like a VLAN anyway.]
-
Neither of my web managed switches use SSL and I don't have it enabled on pfSense either. There is just no need for it on a residential LAN IMO.
The only place I do have it enabled is on the NAS/Server where I use Let's Encrypt to keep it updated. Although that's not currently open to the public Internet either, but probably will be once I'm on FTTP as my upload will be fast enough to avoid needing to buy more VPS storage and just host files directly from home.
If you're worried about security of these devices, wouldn't isolating their management on their own VLAN is perhaps a better idea anyway? But then if something on your LAN is compromised to the point this is an issue, I'd kinda suspect its the least of your worries.
Chrome (and I think firefox also) wont cache either content or usernames if the page is plain http. For that reason I use https for everything now.
The way I handle the issue, is I have my own local CA, that CA is trusted in my certificate store. Then any certificates issued by it will be trusted by the browser, and they long lasting also. I have done this for pfsense, opnsense, openwrt, esxi, proxmox, asuswrt but not zyxel modem as I seem to have found no way to import one to that. Its the pfsense certificate tool I use to manage the certificates as well.
Without browser caching, I have had glitches in some web interfaces where I had to refresh pages to see all objects, openwrt glitches and asuswrt did as well.
-
> The way I handle the issue, is I have my own local CA, that CA is trusted in my certificate store.
I immediately thought about this, but I have zero clue as to how to achieve such an excellent thing.
-
Is that a nightmare to do ? I have seen hellish how-to guides which are very longwinded and presume that you’re running a web server, which I’m not (not unless I have to ?). I would just like a script or a C program; some code that _just works_ and I simply run it.
If I set up my own CA what would be the requirements to go with it? One raspberry pi hopefully. How would I get my systems to trust the associated top-level certs ?
-
On pfsense, its basically a mini wizard, if even that, all done in a gui. You only need to make the CA once, then you make each certificate based on that CA. Its something that if you have never done before, might seem scary, but once you know how to do it, its easy and quick.
In a CLI its not particularly difficult either, and arguably easier if you have a script to automate it. Just that CLI has a higher learning curve.
I remember watching a video revk made demonstrating automated signed certificates on firebrick's, on youtube somewhere, so that would perhaps solve your firebrick issue as I think its a built in feature on it.
-
Is there where you have to add a certificate to your browser to make it a trusted CA?
-
https://knowledge.digicert.com/solution/SO10668.html
bit harder in firefox.
https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox
but this is only done once for the CA not for each individual certificate.