Self-signed certs no longer work

Just tried buiding a new GVM 21.04 installation. Once I got through the changes from the previous release, I was able to complete a successful build on a Rocky 8 linux host.

However, I could not connect! Chrome and also EDGE seem to have been recently updated with somewhat stricter security checking. I got an error about the certs being invalid (the usual…), BUT, I could not log in with the exception of using an outdated copy of Firefox. All I got was the error about the cert being invalid. Do not pas go. Do not collect $200. No option to override and proceed.

In the past, with Chrome etc you’d get the error, but then had the option under the advanced tab to “accept and proceed”. This appears to no longer be the case.

I then shut things down and fired up gsad using “http-only” so I could at least do some testing (all good), and then ended up using actual real SSL certs for my GVM installation acquired from INCOMMON via out IT dept.

I cannot say FOR CERTAIN that this isn’t something specific to my own browsers, but I’m pretty sure this is a browser change across the board that will ultimately effect everyone building GVM from source and using the default certs.

I was able to still connect to my older 20.08 host, but I believe that still worked because that had been “accepted” as an exception long ago in my browser.

Anyway, not sure what can be done about it other than to give people a heads up in case you run into this.

hello @caseybea,

If I correctly understand the main issue, then the best Linux practice is to cover the GSA WUI via Nginx and implement a server-free signed Let’s Encrypt certificate for your FQDN of Rocky 8 Linux host.

It should be a basic configuration to provide port 443 to GSA 8080 and the rewrite rule to force tls when communication is coming to port 80.

SSL certificate could be your own organization signed by organization CAs.

With this configuration “behind Nginx” you are able to adhere to Chrome and Firefox restrictions.


Just setup a small TinyCA and Import the root trust into your browser. That will work fine and you don´t get any of this warnings. Firefox still accept override if you use private IPs for the Management. Chrome changed the policy and blocks mostly all IPMI, BMC, Network-Devices, Firewalls and VM Solutions by this move. It was industry standard to ship with self singed and this will not go away anyway.

Plus you certificates are technically the same as you pay for them an they could be valid for 10 years :wink:

1 Like

There is a quick and dirty way to get around this. When you get to the error on chrome, type (in all lowercase no spaces)


This gets you past the error and brings you to the webpage.
There is no prompt nothing just make sure you have the webpage selected and just type it in. I was so excited that I didn’t have to set up a CA for my local network to run Greenbone.

Quick buy some certificates from a commercial CA or use Let´s Encrypt with the “standalone” option.
Cheap and more trusted setup a TinyCA.

1 Like

I got tired of manually doing all of that … and wrote this:

quick and easy reverse proxy config with a pretty good nginx setup. (Gets an A+ from SSL Labs.)

I still need to add an output for cron to renew the scripts, but it does create a custom script for the renewal, just drop it in /etc/cron.daily …

Why a extra NGINX ? You really do not need a reverse proxy here. Just run the certbot in standalone mode and start the GVM Toolchain with that certificate.

Not all apps are that easy though. I’m using this in several places, this is just a quick and easy way to get there.