Create a new certificate - Windows does not have enough information to verify this certificate


Anders Eriksson

Feb 15, 2015, 7:45:37 AM
to git...@googlegroups.com
I have just installed and set up Gitblit and it looks great.

Everything (that I've tried) works with http, but I thought that I should add some security and use https and ssl.

I have created a new certificate using authority.cmd by just editing the hostname and my password.
It has created the certificate and I have restarted using gitblit.cmd

I then opened the https page in IE11 and got the "I don't trust this". Installed the certificate and rebooted and waited (a couple of hours just in case).
But I still get the "I don't trust this" error in all browsers, and in certmgr.msc I get
"Windows does not have enough information to verify this certificate"

So what have I done wrong and how do I get it right?

// Anders

James Moger

Feb 15, 2015, 11:25:58 AM
to git...@googlegroups.com
I haven't used IE11 yet.  It sounds like you are on the right track; you have to instruct IE to trust your generated root/CA certificate.

-J


Anders Eriksson

Feb 15, 2015, 1:20:15 PM
to git...@googlegroups.com
The strange thing is that when I import it IE says "The import was successful!", but when I look at it in the certmgr it says "Windows does not have enough information to verify this certificate".

I'm using Windows 7 with all the latest Service Pack.

It should just be
1. Create a certificate with authority.cmd, hostname = gitblit.foo.me, password=xxxxx
2. Start gitblit
4. Import certificate

Done. It should work, but...

Anyone that can see anything wrong in my reasoning?

// Anders


Anders Eriksson

Feb 15, 2015, 4:13:02 PM
to git...@googlegroups.com
After a lot of Googling ...

I think that the problem is in new certificate defaults.
What should the values be for host: gitblit.foo.me ?

As I understand it (which is not correct since it's not working)
site name should be the actual hostname gitblit.foo.me
validity 365
organizational unit (OU): Development
organization (O) : Acme Inc
locality (L): Somewhere
state or province (ST): XX
country code (C): SE

If I use these values then the browsers can't find the page.

How do I start logging to a file and where would that file be?

Yeah, and how do I delete the current certificate?

// Anders

James Moger

Feb 15, 2015, 4:39:38 PM
to git...@googlegroups.com
> What should the values be for host: gitblit.foo.me ?
>
> As I understand it (which is not correct since it's not working)
> site name should be the actual hostname gitblit.foo.me

It should be whatever hostname you enter into the browser to get to Gitblit.

> How do I start logging to a file and where would that file be?

If you are using GO on Windows and you have installed the service it should be logging to a daily log file in the "logs" dir, I think.  If not review this page: http://gitblit.com/setup_go.html#H8

> Yeah, and how do I delete the current certificate?

Delete (or rename) the keystore and truststore files from your data directory.  Then start the Authority to generate new ones.

-J

Anders Eriksson

Feb 16, 2015, 5:06:46 AM
to git...@googlegroups.com
Ok, I think I need to start all over...

Is there some way of moving the repos into the new gitblit?
I'm thinking I should put the repos outside of the gitblit folder structure (just in case)

// anders


James Moger

Feb 16, 2015, 8:06:48 AM
to git...@googlegroups.com

Anders Eriksson

Feb 18, 2015, 7:09:39 AM
to git...@googlegroups.com
Finally!!!

I have some success with https and certificates.

Just for the record I will outline how I did it (maybe there is someone else that is as stupid as I).

Running Gitblit GO on a network (i.e. not on localhost)

1. Install Gitblit
2. Configure Gitblit according to the documentation
3. Start authority.cmd
4. In the first dialog enter
Site name: Here you MUST enter the hostname of your gitblit server. E.g. gitblit.mydomain.com.
Let the other fields keep their default values.
5. Enter the store password used in server.storePassword when prompted. The one you changed during the configuration.
This generates an SSL certificate for localhost.
6. Change localhost to your hostname.
Click the new ssl certificate button (red rosette in the toolbar in upper left of window)
Enter the hostname or ip address. The same hostname as you entered for Site name.
Make sure the checkbox serve https with this certificate is checked
In the keystore password prompt, enter the server.storePassword password

All of the above (except that the site name MUST be your hostname) is in the documentation!

Now you need to make your computer/computers trust this certificate.

Gitblit Certificate Authority is the issuer of your certificate and to trust your certificate you must also trust the issuer.
1. Make sure that you have access to the file: Data/Cert/ca.cer
This file contains the certificate for Gitblit Certificate Authority
The data directory is by default under the gitblit directory.
2. Click Start, click Start Search, type mmc and then press ENTER.
3. On the File menu, click Add/Remove Snap-in.
4. Under Available snap-ins, click Certificates, and then click Add.
5. Under This snap-in will always manage certificates for, click Computer account, and then click Next.
6. Click Local computer, and click Finish.
7. Click OK.
8. In the console tree, double-click Certificates.
9. Right-click the Trusted Root Certification Authorities store.
10. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
Here you want to import ca.cer

Now you have trusted Gitblit Certificate Authority and now you can add the certificate for your Gitblit server.
1. Start IE as administrator
2. Enter the URL to your gitblit server: https://gitblit.mydomain.com
3. You will get: There is a problem with this website's security certificate. Click Continue to this website (not recommended).
4. Click on Certificate Error on the right of the url
5. Click on the Install Certificate... button
6. Select Place all certificates in the following store and click Browse...
7. Check Show physical stores
8. Highlight the Trusted Root Certification Authorities and select Local Computer
9. Click OK and click Next
10. Click Finish

Now (hopefully) you will get a dialog saying: This certificate is intended for the following purpose(s): 
All application policies

In this Step by step guide there is a dialog after you have installed your certificate that wants to install the
issuer's certificate. Since I never got this, I had to do what I have written above...

// Anders
(crossing fingers and hoping that I have written everything correctly)
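
The two conditions this walkthrough depends on, the Gitblit CA being in the Local Computer Trusted Root store and the certificate's site name matching the hostname typed into the browser, can be checked from PowerShell on the client. This is an added example, not part of the original thread or of Gitblit; the host name, port 443 and the `C:\gitblit` install root are assumptions to replace with your own values.

```powershell
# Added diagnostic example; not Gitblit code. The three values below are assumptions.
$HostName = 'gitblit.mydomain.com'          # the name typed into the browser
$Port     = 443                             # assumed HTTPS port
$CaFile   = 'C:\gitblit\Data\Cert\ca.cer'   # assumed install root; ca.cer as named in the post

function Test-CaInMachineRoot([string]$Path) {
    # True when the CA certificate sits in Local Computer > Trusted Root Certification Authorities.
    $ca    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    try     { return ($store.Certificates.Find('FindByThumbprint', $ca.Thumbprint, $false).Count -gt 0) }
    finally { $store.Close() }
}

function Get-TlsDiagnosis([string]$Name, [int]$Port) {
    $seen = @{ Subject = $null; Errors = 0; Chain = @() }
    # The callback accepts the certificate only so the handshake completes and the
    # validation result can be recorded; no application data is sent.
    $inspect = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $cert, $chain, $errors)
        $seen.Subject = $cert.Subject
        $seen.Errors  = [int]$errors
        $seen.Chain   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $inspect)
        $ssl.AuthenticateAsClient($Name)   # $Name is the name the certificate is checked against
        $ssl.Close()
    } finally { $tcp.Close() }
    $seen
}

$nameMismatch = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
$d = Get-TlsDiagnosis $HostName $Port

# UntrustedRoot or PartialChain under "Chain problems" means the issuing CA is not
# trusted or could not be found on this machine.
"CA in machine Trusted Root store: $(Test-CaInMachineRoot $CaFile)"
"Server certificate subject:       $($d.Subject)"
"Name matches ${HostName}:         $(($d.Errors -band $nameMismatch) -eq 0)"
"Chain problems:                   $(if ($d.Chain) { $d.Chain -join ', ' } else { 'none' })"
```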

James Moger

Feb 18, 2015, 7:50:56 AM
to git...@googlegroups.com
Interesting.  Thanks for digging in and sharing your work.

Site name = hostname must be a new requirement for IE11.  It all worked as documented when I wrote that a couple years ago.

-J
