Tim Carr's picture

I've just downloaded / installed the Ansible appliance, but the SSL certificate has been revoked for both the Ansible web address as well as the Webmin server.  How can I resolve this?  Thanks!

Jeremy Davis's picture

TBH, I'm not 100% sure what you mean when you say "revoked" SSL certificates?!

I can only assume that you mean the scary looking browser warning when you first log into an HTTPS page on a TurnKey server via a web browser?! Assuming I'm correct, that's expected behaviour. You just need to click through the warnings (there should be an "advanced" button that allows you to proceed) then you can access the web service behind it.

FWIW the default SSL/TLS certificates which TurnKey Linux uses are self generated on firstboot. As such, they are what is known as "self signed" certificates. Because they have not been signed by a trusted third party, they are considered untrusted by default. So long as you know to expect them they are not as bad as the security warning suggests. It's just that anyone can generate them and because of that, bad guys have used them to pretend that they're someone that they're not...

If you wish to generate "proper" TLS/SSL certificates, then assuming that your server is running on the internet and you have a domain name to use, and have it linked to your server (i.e. have DNS set up so that it resolves to your server) then you can upgrade Confconsole to v1.1.2 (see instructions on the v1.1.2 release notes) and then use Confconsole to generate a free Let's Encrypt certificate.

I hope that helps. If you need more of a hand and/or have further questions, please ask.

Tim Carr's picture

Hello, and thanks for the response. Yes, I am familiar with the warnings when a certificate is invalid. Unfortunately I'm getting a different issue - this is a warning that the certificate is revoked - which a lot of browsers won't allow you to get through to and don't even provide an option to bypass. I've attached a screenshot from Chrome below. It looks like Firefox will allow you to bypass it, but it might be something you should be aware of for a future release of the platform.

https://ibb.co/26PshB8

Jeremy Davis's picture

Wow, ok. My apologies, sorry that I misunderstood.

That's really weird! The SSL/TLS certificate that all of our appliances have, should be a self signed one, freshly generated on firstboot!? So I have no idea how it could have been revoked!? It's especially weird that Firefox is reporting the same thing...

I'll double check to see if I can reproduce the issue...

Regardless, my previous note on getting a "proper" (i.e. non self signed) certificate still applies if you intend to set up a domain for your server.

Otherwise, you could try regenerating another self signed cert. You should be able to regenerate the default type cert that should have been regenerated on firstboot like this:

turnkey-make-ssl-cert

Please let me know if you continue to have issues.
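One way to check the points raised in this thread: whether the certificate a server presents really is self-signed, whether it carries any CRL/OCSP pointers, and whether its fingerprint changes after running turnkey-make-ssl-cert. This is an added example, not part of the posts above and not TurnKey's own tooling; the sample certificate is constructed locally with openssl, and HOST:PORT, appliance.example and the function names are placeholders.

```shell
#!/bin/sh
# Added example: inspect a certificate the way you would the one an appliance serves.
# To fetch the live one instead of the sample (HOST:PORT is a placeholder):
#   openssl s_client -connect HOST:PORT </dev/null 2>/dev/null | openssl x509 > served.pem

# Constructed sample: a throwaway self-signed certificate standing in for served.pem.
make_sample_cert() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=appliance.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

cert_field() {  # $1 = PEM file, $2 = -subject or -issuer
    openssl x509 -noout "$2" -in "$1" | sed 's/^[a-z]*= *//'
}

# Self-signed: issuer name equals subject name and the signature verifies
# against the certificate's own public key.
is_self_signed() {
    [ "$(cert_field "$1" -subject)" = "$(cert_field "$1" -issuer)" ] &&
        openssl verify -CAfile "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

# CRL or OCSP URLs are how a client would normally look up revocation status.
has_revocation_pointers() {
    openssl x509 -noout -text -in "$1" | grep -Eq 'CRL Distribution Points|OCSP'
}

# SHA-256 fingerprint; it should differ between appliances and after regeneration.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

report() {  # $1 = PEM file
    echo "subject:     $(cert_field "$1" -subject)"
    echo "issuer:      $(cert_field "$1" -issuer)"
    openssl x509 -noout -startdate -enddate -in "$1"
    if is_self_signed "$1"; then echo "self-signed: yes"; else echo "self-signed: no"; fi
    if has_revocation_pointers "$1"; then echo "CRL/OCSP:    present"; else echo "CRL/OCSP:    none"; fi
    echo "sha256:      $(fingerprint "$1")"
}

tmp=$(mktemp -d)
make_sample_cert "$tmp" && report "$tmp/cert.pem"
```

Run report on served.pem before and after regenerating: the fingerprint and start date should both change, and the start date should match when the certificate was generated.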
