MAC Web Sockets Expired DST Root CA X3

We are unable to connect noVnc web socket secure using a developers mac computer to the new certificate; it was working prior to the Expired DST. It shows it is using the proper certificate but the connection does not work. Any ideas? We need a server side solution if at all possible.

We generated the cert using the certify the web desktop application. We then export .pfx from IIS and use SSL Converter to convert pkcs#12 to PEM. The .key and .crt files are then used for wss connection to NoVNC webviewer. This method works on MacOSMojave(an older dev machine) but is not working on BigSur latest release.

You could try installing the ISRG Root X1 certificate onto the dev machine:

Alternatively, change Certificate Authority: Certificate Authorities | Certify The Web Docs

Note that Certify The Web has a built in set of certificate export tasks (under Tasks), such as Deploy to Generic Server, so you don’t usually have to use other tools to convert certificates.

We have now discovered it is an issue with wss not with novnc. Websocket creation to the cert is failing. We can not be the only people with this issue.

You need to confirm that your certificate configuration includes a “chain” - this is the list of intermediate certificates that make up the path back to the trusted root certificate and if you don’t configure that then clients (macos etc) have to guess the intermediate certificates and they probably get it wrong. So when you convert your PFX you need to export the full chain (Your Cert > R3 issued by ISRG Root X1) usually as a pem file.

Can you provide an example domain and service details to check the chain being served?