VCSA 7 Cannot Open Because of VCSA HSTS Policy

Mindwatering Incorporated

Author: Tripp W Black

Created: 05/11 at 01:28 PM

 

Category:
VMWare
vCenter

Issue:
After applying a Firefox update, we could not open a self-certified VCSA 7 appliance.


Error Message:
Did Not Connect: Potential Security Issue

Firefox detected a potential security threat and did not continue to rconsole.mindwatering.com because this website requires a secure connection.

What can you do about it?

vcsa7.mydomain.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

The issue is most likely with the website, and there is nothing you can do to resolve it.


Solution:
In previous versions of Firefox on Mac, you simply selected to trust the server. This added a new entry into the keychain for Safar, and for Firefox, added an entry under the Servers tab in Certificates.
However, with the 76.0.1 update, this is no longer sufficient. You must import the self-certified CA for all browsers that are going to need access to the VCSA.

Steps to Resolution:
1. Download the CA certficate.
- a. While still on the error page, click the Advanced button.
- b. On the left side of the box, click the View Certificate link.
- c. On the Certificate tab/page, click the right-hand CA tab (e.g. vcsa7.mydomain.com CA 12345a3b )
- d. About half way down, click the option to download the PEM (cert). In the pop-up, click the Save File option and click Ok. Remember where you saved (e.g. Downloads).
Notes:
- The file will be named the name of the server, not the CA which is NOT intuitive.
- We tried the PEM chain option, but Firefox says that's not a root CA and an invalid file.
- You don't want to Open, because that will import it into the Keychain Access app, which won't work for Firefox, just Safari.
If you were doing this for Safari ... For security reasons, the CA cert file must be imported. Once You can import the CA into the Keychain Access app, to fix Safar, though. :-)

2. Import the CA PEM file into Firefox.
- a. Open preferences from the top menu bar, Firefox --> Preferences
- b. Click the Privacy & Security menu option on the left; then scroll down to the Security section, and the Certificates sub-section, which is at the bottom of the preferences page.
- c. Click the View Certificates button to display the Certificate Manager window.
- d. Click the Authorities tab, and click the Import... button below.
- e. Select the file, and click Open.
Note:
If you get this message: This is not a certificate authority certificate, so it can't be imported into the certificate authority list,
then you either downloaded the server certificate, or more likely, accidently downloaded the CA PEM chain instead of the CA PEM certificate file. Delete the file, and do step 1 above, again.
- f. If successful, you are presented with another dialog that says:
You have been asked to trust a new Certificate Authority (CA).

Do you want to trust "vcsa7.mydomain.com CA 12345a3b" for the following purposes?
- Trust this CA to identify websites.
- Trust this CA to identity email users.

- g.
If you are not sure you clicked the right file, click the View button to confirm. Close the pop-up when finished to return to the dialog/pop-up.
- h.
Click/enable the check box to Trust this CA to identity websites. Click the OK button.
- i. Back in the Certificate Manager window, click the OK button.
- j. Close the Preferences tab.

3. Return back to the VCSA tab. Refresh and login.
Note: if this doesn't work, it is likely that the checkbox to trust websites, didn't stay checked. Go back into the View Certificates, and the Authorities tab, locate the CA certificate, click the Edit trust button, and finally click the checkbox again, and click OK, and OK.





previous page