Solved: Re: How to create a certificate to avoid the message: ERR_CERT_AUTHORITY_INVALID

JohsH · ‎08-02-2023

Hello all,

When a screen layout is generated with WebIQ, for example, a URL is created with a secure adres.

This is a secure URL. The server on the ctrlX Core displays the site, which is opened with an external web browser (panel). The customer's screen (in this case an Eton panel) usually requires a security certificate.

This gives an annoying message at startup: Message: NET :: ERR_CERT_AUTHORITY_INVALID.

Now it is the case (and we are already a bit used to it) that both the UI of the ctrlX Core and the screen generated by Web-IQ are opened with this message. You don't want this with an end user. What needs to be done to stop getting this message. How and where to create this security certificate. Where should it be installed.

Sgilk · ‎08-02-2023

Hi JohsH,

In the case of the ctrlX CORE Web UI, you can follow these instructions (see PDF attached) to generate a certificate and key. You will need to install both in the CORE and the certificate in the browser you plan to view the web server with. (Thanks to @bostroemc)

For WebIQ, a different process is required. Here are the instructions from WebIQ on the topic. You may not be able to access them without a SmartHMI account.

WebIQ TLS Instructions

Here is another forum post about WebIQ TLS and the CORE.

WebIQ TLS ctrlX CORE

Here is an article on accessing data from a seperate web server in a WebIQ application.

WebIQ with Reverse Proxy

webiq-sk · ‎08-03-2023

Actually I don't see this directly related or caused by WebIQ. Please see here:

https://www.hostinger.com/tutorials/err_cert_authority_invalid

The source of the problem is that you either used a self-signed certificate for the TLS certificate or used a custom CA where the root certificate of the custom CA has not been imported into the browser OS certificate storage.

This is normal browser behavior as it does not know the certification authority used for signing the specific certificate.

The issue is between your TLS certificate and the user's browser. WebIQ just delivers your certificate.

Did you use a self-signed certificate or a custom CA for creating the certificate?

webiq-sk · ‎08-03-2023

Some further info: a browser requires a certificate to be signed by a known and valid certification authority, so either you create your own CA for that - then you'd have to import the CA root certificate into the certificate storage on all devices that should be able to access the HMI - or you use an FQDN by registering a public domain for your HMI - then you can use normal TLS certificates that don't show any warnings in the browser on any end device, however you always have to renew the TLS certificate at least once a year.

Please note that you cannot purchase official TLS certificates for IP addresses, only for fully-qualified domain names. This is valid for WebIQ as for any other website on the internet - technically, there's absolutely no difference here.

Sgilk · ‎08-03-2023

I agree. I was just trying to provide some guidance on configuring WebIQ to utilize the certificate for TLS.

MrAdam1983 · ‎08-15-2023

do we not just have the option to ignore certificates, at least in the designer?

webiq-sk · ‎08-15-2023

This has nothing to do with WebIQ, it's not WebIQ that's showing the error, it's your web browser. WebIQ Designer does not show any certificate errors because it's not using TLS.

Though you can disable these safety warnings in a web browser I highly discourage you from doing that for security reasons.

The errors occur because you have setup a not officially trusted certificate which is what your browser complains about. It's exactly the same issue you experience with any other website when you're using not officially signed TLS certificates.

MrAdam1983 · ‎08-15-2023

Ahh, i see this is different from what I am seeing. I will start a new topic. The error I am seeing is when WebIQ designer loads.

HmiGuide · ‎08-18-2023

We had similar problems until we used the reverse proxy, which is available since 2.14 of WebIQ. For more info on reverse proxy see: HowTo-view-content-from-mutiple-webServers-in-one-web-page

webiq-sk · ‎08-18-2023

@HmiGuide If you've been getting the exact error Message: NET :: ERR_CERT_AUTHORITY_INVALID (not any other, we have to be careful here to not mixup things) then it is definitely not caused by WebIQ, but by the certificate itself.

For other TLS error message this might occur due to using the wrong certificate files or not fitting TLS ciphers in the configuration settings.

CodeShepherd · ‎08-25-2023

As there was no response but topic seems still to be open:

@JohsH Could you add a more detailed explanation what you are doing? I also think we need to separate things like @webiq-sk mentioned.

Which ctrlX CORE app versions are used?
Which WebIQ version is used?
You are accessing ctrlX CORE web UI and WebIQ HMI on the other side?
Could you add screenshot of the browser pages you are accessing showing the error?
What is the URL you try to access for HMI?
Can you reproduce the behavior mentioned, so we could do some tests?
Did you test any of the solutions mentioned?

For general warning when accessing ctrlX CORE web UI see attachment in the first answer of @Sgilk.

The similar problems mentioned by @HmiGuide were caused by iframe integration in HMI screens and restrictive behavior of chrome/chromium based browsers. These are solved by using ctrlX CORE version 1.20 and WebIQ version 2.14. In that case the HMI is fully integrated in our reverse proxy and both sources are collected to a single one.