jwagner010
Posted July 24, 2023

I upgraded my POLISY from PG3 to PG3X over the weekend. A few issues with a couple of the Node Servers not converting correctly that I was able to resolve and get up and running.

The one thing I cannot resolve is after the upgrade I cannot log in to PG3X from my work computer (I have always used my work computer for logging into PG3 in the past). Now when I go to log into PG3X I get an error in the browser telling me my connection is not private, that when Chrome tried to connect the website sent back unusual and incorrect credentials.

NET::ERR_CERT_INVALID

I also tried Microsoft Edge and I get a similar error to the above. My employer locks down the browser security levels and certificates on the PC. Seems like something changed with PG3X as I cannot get past the errors above; under PG3 I was able to log in to the PG3 portal.

What would have changed, and can I change anything on the PG3X/POLISY side, as I cannot make changes to security settings on my PC and Chrome as it's locked down? My backup is my iPad and Safari, which allows me access to PG3X still without issue, but I would prefer to access PG3X on my work PC versus an iPad.

Anyone got thoughts on what is going on with PG3X that is different from a certificate/access perspective for the PG3X web interface?

Javi (Solution)
Posted July 24, 2023

Try the local http option, not https.

http://<address>:3000

jwagner010 (Author)
Posted July 24, 2023

I thought port 3000 was for https only. So you can use http or https over port 3000?

Javi
Posted July 24, 2023

7 minutes ago, jwagner010 said:
> I thought port 3000 was for https only. So you can use http or https over port 3000?

Yes, but the browser defaults to https if http is not supplied.

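The answer above says one port accepts both http:// and https://. A listener can do that by inspecting a connection's first bytes, as in this added example (not part of the thread and not PG3x code; that PG3x works this way is an assumption, and the sample bytes and the 192.0.2.10 address are constructed).

```python
"""Classify the opening bytes of a TCP connection as TLS or plaintext HTTP."""

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")
MAX_TLS_PLAINTEXT = 2 ** 14  # largest length a plaintext TLS record may declare

# Constructed samples: start of a TLS ClientHello record, and an HTTP request.
CLIENT_HELLO_PREFIX = bytes.fromhex("16030100c8010000c40303")
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: 192.0.2.10:3000\r\n\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http', 'need-more' or 'unknown'."""
    if len(data) < 6:
        # Not enough bytes yet to read a record header plus handshake type.
        return "need-more"
    if data[0] == 0x16:
        # TLS record header: type(1) version(2) length(2), then handshake type(1).
        major, minor = data[1], data[2]
        length = int.from_bytes(data[3:5], "big")
        is_client_hello = data[5] == 0x01
        if (major == 0x03 and minor <= 0x04
                and 0 < length <= MAX_TLS_PLAINTEXT and is_client_hello):
            return "tls"
        return "unknown"
    # HTTP/1.x request line starts with a method token followed by a space.
    method, sep, _ = data.partition(b" ")
    if sep and method in HTTP_METHODS:
        return "http"
    return "unknown"


def route(data: bytes) -> str:
    """Pick the handler a dual-protocol listener would hand the socket to."""
    kind = classify_first_bytes(data)
    if kind == "tls":
        return "wrap socket in TLS, then serve"
    if kind == "http":
        return "serve plaintext"
    if kind == "need-more":
        return "keep reading"
    return "close connection"


if __name__ == "__main__":
    for sample in (CLIENT_HELLO_PREFIX, HTTP_REQUEST, b"SSH-2.0-client\r\n"):
        print(sample[:12], "->", route(sample))
```
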
jwagner010 (Author)
Posted July 24, 2023

Interesting, thanks. I learned something today!!!!

jwagner010 (Author)
Posted July 25, 2023

Is there anything I can do on Polisy/PG3x side to fix the certificate issue? E.g., install a Let's Encrypt certificate?

Javi
Posted July 25, 2023

6 hours ago, jwagner010 said:
> Is there anything I can do on Polisy/PG3x side to fix the certificate issue? E.g., install a Let's Encrypt certificate?

I don't believe we have a method to add your own cert to PG3x. In most cases a trusted SSL cert is only needed for direct remote connections; however, I would not recommend opening a port to expose ISY/PG3 outside of your home network.

If you want encryption on the local network it is safe to click through the browser warnings as you know the site is correct. If there is a MitM attack on your local network you have bigger issues.

The browser needs to trust the cert, so all self-signed certs would have the same issues. You could trust the cert on the client (PC) like this, although if I recall correctly PG3 creates a new cert on restart. This is no safer than clicking through the warnings when on the local network.

This is the same for ISY except the http and https ports are split: port 8080 http and 8443 https.

We recommend using VPN or Portal for remote connections. VPN uses a cert for the tunnel so this solves the issue for all local devices without needing a unique cert for each device on the local network. UD Mobile can access PG3 from portal for remote connections, but we don't yet have a remote web version.

bpwwer
Posted July 25, 2023

6 hours ago, jwagner010 said:
> Is there anything I can do on Polisy/PG3x side to fix the certificate issue? E.g., install a Let's Encrypt certificate?

No, not at this time. The Polisy/eisy is set up to use self-signed certificates for most of the communication between components. This includes communication between node servers and PG3x, so those certificates need to be created every time a node server is installed.

We can't easily use something like Let's Encrypt to generate these because you need a public IP address/DNS resolvable system name to use Let's Encrypt, and that's something users would have to have set up for their network before it would work. For some, setting up things to work with Let's Encrypt isn't difficult, but for others it can be a real challenge, and making it a requirement to use the Polisy/eisy would be bad for business.