The USS Gateway uses the industry-standard OpenSSL certificate libraries, which are maintained by Ubuntu, and on very rare occasions the libraries may be missing a Root or Intermediate certificate signed by the certificate authority (CA). If the below message has been displayed to a user via the USS Gateway, then the website the user has connected to is using a certificate that has been signed by a CA that is not installed USS Gateway.
There are two approaches to resolving the problem. Before you begin, download a copy of the required certificate from the root CA provider. The provider is detailed in the Diagnostic Detail section, for example in the screenshot above the last line indicates it is missing the certificate named GeoTrust RSA CA 2018. Most certificate issuers will have a website where you can download that exact certificate from after searching for the certificate name. In this case, the certificate can be found at https://www.digicert.com/digicert-root-certificates.htm
Solution Method 1 - Importing a Certificate
1. Once you have the required certificate use WinSCP (or similar) to copy the certificate onto the USS Gateway server. Place the file in the /tmp directory as this directory will not present permission problems when uploading (you will need to use the command line administrator account you created during the installation of the gateway to access the server with WinSCP).
2. Once the file has been copied to /tmp connect to the USS Gateway via Putty (or similar) and login with the credentials again, then switch to the root account by typing: sudo su When prompted, enter the password again.
3. Now move the certificate to the /usr/local/share/ca-certificates directory by running the command:
| mv /tmp/insertcertificatename /usr/local/share/ca-certificates |
4. Update the certificate store by running the command
| update-ca-certificates --fresh |
5. Now stop and start the proxy service:
This will interupt web browsing for any connected usersOn Ubuntu 16.04 (USS Gateway version 1.1.x/1.2.x)
| systemctl stop uss-squid5 systemctl start uss-squid5 |
On Ubuntu 14.04 (USS Gateway version 1.0.x)
| service uss-squid stop service uss-squid start |
6. The website should now be working providing the correct certificate has been imported
Solution Method 2 - Creating a Certificate
This method is recommended if possibleThe contents of a downloaded certificate file can be viewed when opened with a text editor
1. Log into your USS Gateway server via Putty and the command sudo su to become root user
2. Navigate to the /tmp folder by running:
| cd /tmp |
3. You now need to create the certificate file using the nano command. Please ensure this ends in .crt
| nano certname.crt |
Copy the contents of the certificate file starting with ----BEGIN CERTFICATE---- and ending with ----END CERTIFICATE----. Replace certname.crt with a name of your choice
4. Now move the certificate to the /usr/local/share/ca-certificates directory by running the command:
| cp /tmp/certname.crt /usr/local/share/ca-certificates |
Replace certname.crt with the name of the certificate you just created in step 3.
5. Update the certificate store by running the command
| update-ca-certificates --fresh |
6. Now stop and start the proxy service:
This will interupt web browsing for any connected usersOn Ubuntu 16.04 (USS Gateway version 1.1.x/1.2.x)
| systemctl stop uss-squid5 systemctl start uss-squid5 |
On Ubuntu 14.04 (USS Gateway version 1.0.x)
| service uss-squid stop service uss-squid start |
7. The website should now be working providing the correct certificate has been imported
Please contact Censornet Technical Support if you continue to have issues after attempting both of these steps