Trusting CR setup with a Chromebook

Typing https://blah-blah.local with Chromebook returns a message “Your Connection is not Private” and NET_ERR_CERT_AUTHORITY_INVALID

it also includes two buttons … (Advanced) and (Back to Safety)

selecting (Advanced) opens up more warning dialog about getting hacked. Ignoring and proceeding goes to the Start9 login screen. At that point I shut it down.

Is there a way to get a trusted connection on a Chromebook?

This may be normal based on other users who reported similar experiences with Chromebook.

To try to isolate the issue, I would suggest accessing your https://adjective-noun.local page from a different browser on your Chromebook. For example, if you are attempting to access via Chrome, you can try via Firefox and see if that generates a different result. Let us know.

By the way, can you confirm the guide that you used when you trusted your root CA on this client?

“By the way, can you confirm the guide that you used when you trusted your root CA on this client?”

Sorry I don’t understand your question. Which client? I used the user manual instructions to download the crt. file to my Chromebook(http://start.local)and then emailed it to me and downloaded to my cloud drive on the Chromebook. The only other device I trusted is my Android phone and that was successful. I was just trying to run the https function on my Chromebook browser when the error message appeared.

Sorry for the confusion. By “client” I meant the Chromebook.

What I meant was could you point me to the guide you used so we can be sure you followed all the necessary steps? For example, we have a specific guide for Trusting Your Root CA on Android. Knowing ChromeOS is a Linux distro, did you use one of the Trusting Your Root CA on Linux guides?

It is helpful to know that you didn’t encounter the issue on your Android phone. I think trying a different browser on your Chromebook as suggested earlier could be worthwhile too, as if you don’t encounter the NET_ERR_CERT_AUTHORITY_INVALID in the other browser, you could use it moving forward.

The first device I set up was my Android phone and when I opened a Chrome browser on the phone and entered the HTTPS function it opened my start9 server. I just thought that the browser on my Chromebook would automatically work.

I’m going to try to set up Firefox on the Chromebook and see if I can get it to fly. Any suggestions on doing that would be appreciated.

I finished for today. more fun tomorrow. I’ll start with my WIN laptop, then onto my dual boot ZorinOS, and try to set that up. If I never get the Chromebook working that’s OK too.

Thanks for the helpful response. You will definitely need to complete a separate trust root CA process on every client device (e.g., Android phone, Chromebook, WIN laptop, etc.) that you access StartOS from.

I am double checking the right guide for you to follow to get it set up on the Chromebook. As mentioned yesterday, we do have standard Debian/Ubuntu instructions available here. ChromeOS is based on Linux, and the Linux instructions rely on terminal, which is available in ChromeOS. Therefore, it might be worth a shot, but I have asked the broader team to confirm that for us.

Meanwhile, you will find all the standard device guides (for various Linux distros, Windows, etc.) in this section of the docs.

Hope this helps!

Brave app and Firefox app from Play store won’t work. However, Brave has a Linux download for Chromebook. The Linux feature on Chromebook needs to be activated. I tried it but all you get is a terminal as far as I can tell, and doesn’t allow your Linux Trust to be implemented because can’t CD to /Documents. Or at least I’m not smart enough to figure it out. :crazy_face::exploding_head:

When you say Brave and Firefox apps from the Play store “won’t work,” do you mean you’re struggling to get them downloaded onto your Chromebook? Or unable to access https://adjective-noun.local in them? If it’s the latter, that is expected since you haven’t trusted the root CA on the Chromebook.

I did hear back from the senior techs on this and it does sound like we don’t have an official support path for Chromebook, unfortunately. It could be worth looking into wiping ChromeOS and installing a Linux distro like Debian, Ubuntu, CentOS, Fedora, etc.

That would obviously be a larger project though and potentially beyond the scope of what you set out to do originally.

If you want to try trusting the root CA on another client device such as your Windows or ZorinOS device, that could be the path of least resistance at this point.

Hope this helps.

Using the Firefox and Brave apps from the play store won’t access the HTTPS:// function.
At this point, I don’t need to be concerned about the Chromebook.
WIN 11 is up and running and I’m off to see the wizard for Zorin.
I appreciate the help and will let you know if I’m successful with Zorin.

Having issues with Linux install. Instead of returning a “1 added” response on the command line in the terminal, it returns this.

Here is the process I followed with the adjective-noun edited to xxx-xxx.

doug@doug-Latitude-5400:~$ cd ~/Downloads
doug@doug-Latitude-5400:~/Downloads$ sudo mkdir -p /usr/share/ca-certificates/start9
doug@doug-Latitude-5400:~/Downloads$ sudo cp “xxx-xxx.crt” /usr/share/ca-certificates/start9/
doug@doug-Latitude-5400:~/Downloads$ sudo bash -c “echo ‘start9/xxx-xxx.crt’ >> /etc/ca-certificates.conf”
doug@doug-Latitude-5400:~/Downloads$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs…
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…

It does say “1 added” so it looks like you’ve added the CA cert to the system trust store. Now you’ll need to configure firefox to look at the system trust store:

Make sure you click the “Debian/Ubuntu” tab to get that version of the Firefox guide.

I cannot get the Chrome browser to function with HTTPS:

I was able to turn off the firewall in Zorin and get Firefox to get to the Login to StartOS. However, when I enter my password it reply’s “Gateway Timeout”

NOTICE FIREFOX -It’s now working with Firefox. I had to remove the Firewall and the VPN for Firefox to work.

NOTICE CHROME -It throws up an “unsafe site” warning when I use the Chrome Browser and when I proceed anyway it opens the login to StartOS but the URL is flagged as Not Secure.

It seems Chrome on linux also doesn’t look at the system trust store. I think you’ll have to manually import the CA cert there.

  1. Visit chrome://settings/certificates in Chrome
  2. Select the Authorities tab
  3. Select Import
  4. Find and Select your adjective-noun.crt file
  5. Check “Trust this certificate for identifying websites”
  6. Select OK

It should now be trusted in Chrome.

Which VPN are you using? You may need to go into its settings and allow local requests to not be forwarded through the VPN, which varies in the software from provider to provider.

I’m in ZorinOS with a chrome browser open and when I get to Select Import it returns “Certificate Import Error” The Private Key for this Client Certificate is missimg or invalid.

Could you elaborate a bit on the error? It’s not clear to me if you are getting the certificate import before or after finding and selecting your adjective-noun.crt file. Any screenshots that could communicate the error would also be helpful.

I am looking into what that missing private key could mean.

It’s occurring after. I can’t provide a screenshot without exposing my crt address.
It’s happening after step 4 in the instructions George sent in his post.

Thanks for confirming. I’ll flag to George to see what he thinks.

You missed step 2 - Select “Authorities” instead of “Your certificates”!

I did miss that step. I’ve now followed your instructions. The Chrome browser will not open that URL. “Your connection to that site is not secure” This is using a Chromebook as the client.

And I’m using Proton VPN.

I just turned off the VPN and the URL https: opens right up. So it looks like the VPN is causing an issue.

Went into VPN settings and flipped a LAN switch “on” and now with the VPN running the HTTPS function opens the server immediately. Thanks for the help.