"Certificate is not standards compliant" on macOS Catalina #174

Open
selfagency opened this issue Jul 6, 2019 · 8 comments

@selfagency
commented Jul 6, 2019

Under macOS Catalina Public Beta 2, after installing mkcert via Homebrew and running the root certificate installer, my mkcert-generated certificates are rejected in Safari with the message 'Certificate is not standards compliant' and in Chrome with 'ERR_CERT_REVOKED'.

@FiloSottile

Owner

commented Jul 6, 2019

Looks like it's a new limit on maximum lifespan. See https://support.apple.com/en-us/HT210176.

> Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:
>
> TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

It's surprising they would enforce it on private roots, honestly.

I am mildly tempted to fake the notBefore, but one way or another I need to fix it soon, or a bunch of certificates will be generated that will stop working after updating to Catalina.

BTW, if you try Chrome Canary it should give you a better error message.

@FiloSottile changed the title from "Certificate is not standards compliant" to "Certificate is not standards compliant" on macOS Catalina on Jul 6, 2019

@FiloSottile pinned this issue Jul 6, 2019

FiloSottile added a commit that referenced this issue Jul 6, 2019

@FiloSottile

Owner

commented Jul 6, 2019

I opted to backdate the notBefore until the ACME server is implemented. Once ACME is an option, automation should reduce the need for long lifespans.

@selfagency Please test the latest master (brew install mkcert --HEAD), and let me know. If it works, I'll push a new version ASAP so we can minimize the number of doomed certificates that will get issued.
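
The rule quoted in the comments above, and why backdating notBefore takes a long-lived certificate out of its scope, as an added Go example (not part of the thread and not mkcert's code). The helper names, the `example.test` certificate, the backdated date and the reading of the cutoff as 2019-07-01 00:00 UTC are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumption: "issued after July 1, 2019" means NotBefore later than this instant.
var cutoff = time.Date(2019, time.July, 1, 0, 0, 0, 0, time.UTC)

// checkLifetime reports whether the 825-day rule applies, whether cert passes, and its validity in days.
func checkLifetime(cert *x509.Certificate) (applies, ok bool, days float64) {
	days = cert.NotAfter.Sub(cert.NotBefore).Hours() / 24
	applies = cert.NotBefore.After(cutoff)
	return applies, !applies || days <= 825, days
}

// makeCert returns a constructed self-signed leaf with the given validity window (hypothetical helper).
func makeCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "example.test"}, DNSNames: []string{"example.test"},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	expiry := time.Date(2029, time.July, 6, 0, 0, 0, 0, time.UTC)
	// First NotBefore: ten years before expiry. Second: backdated to before the cutoff.
	for _, nb := range []time.Time{expiry.AddDate(-10, 0, 0), cutoff.AddDate(0, -1, 0)} {
		cert, err := makeCert(nb, expiry)
		if err != nil {
			panic(err)
		}
		applies, ok, days := checkLifetime(cert)
		fmt.Println(nb.Format("2006-01-02"), days, applies, ok)
	}
}
```
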

@jarretmoses

commented Jul 10, 2019

I've recently had this issue as well. Tried the HEAD install but still get rejected certs. (Just so you know @FiloSottile)

@ganapativs

commented Jul 11, 2019

I'm having the same issue with Chrome on macOS Catalina public beta 2! Interestingly, the certificate works on Firefox Developer Edition 🤷‍♂️

Tried running brew install mkcert --HEAD, but no luck!

➜ brew install mkcert --HEAD --debug
/usr/local/Homebrew/Library/Homebrew/brew.rb (Formulary::FormulaLoader): loading /usr/local/Homebrew/Library/Taps/homebrew/homebrew-core/Formula/mkcert.rb
Error: can't modify frozen String
/usr/local/Homebrew/Library/Homebrew/exceptions.rb:475:in `initialize'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:86:in `new'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:86:in `prevent_build_flags'
/usr/local/Homebrew/Library/Homebrew/cmd/install.rb:134:in `install'
/usr/local/Homebrew/Library/Homebrew/brew.rb:102:in `<main>'
➜ brew --version
Homebrew 2.1.7
Homebrew/homebrew-core (git revision 276f; last commit 2019-07-10)

Why is Apple limiting cert validity to 825 (magic number?) days, though? 🤔

@selfagency

Author

commented Jul 11, 2019

Same deal, unfortunately, with the head version.

NET::ERR_CERT_REVOKED
Subject: mkcert development certificate

Issuer: mkcert daniel@selfagency-macpro.local

Expires on: Jul 6, 2029

Current date: Jul 11, 2019
@adamdecaf

Contributor

commented Jul 11, 2019

825 comes from the CAB Forum bylaws for certificates. All of the major products and CAs follow them.

@ganapativs

commented Jul 12, 2019

I'm having the same issue with Chrome on macOS Catalina public beta 2! Interestingly, the certificate works on Firefox Developer Edition 🤷‍♂️

Tried running brew install mkcert --HEAD, but no luck!

➜ brew install mkcert --HEAD --debug
/usr/local/Homebrew/Library/Homebrew/brew.rb (Formulary::FormulaLoader): loading /usr/local/Homebrew/Library/Taps/homebrew/homebrew-core/Formula/mkcert.rb
Error: can't modify frozen String
/usr/local/Homebrew/Library/Homebrew/exceptions.rb:475:in `initialize'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:86:in `new'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:86:in `prevent_build_flags'
/usr/local/Homebrew/Library/Homebrew/cmd/install.rb:134:in `install'
/usr/local/Homebrew/Library/Homebrew/brew.rb:102:in `<main>'
➜ brew --version
Homebrew 2.1.7
Homebrew/homebrew-core (git revision 276f; last commit 2019-07-10)

Why is Apple limiting cert validity to 825 (magic number?) days, though? 🤔

Manually compiling from current master using Go on macOS Catalina public beta 2 works on Chrome 🎉

brew install go
go get -u github.com/FiloSottile/mkcert
$(go env GOPATH)/bin/mkcert -install
$(go env GOPATH)/bin/mkcert localhost


@RgtArRr

commented Jul 12, 2019

> I'm having the same issue with Chrome on macOS Catalina public beta 2! Interestingly, the certificate works on Firefox Developer Edition 🤷‍♂️
> Tried running brew install mkcert --HEAD, but no luck!
>
> ➜ brew install mkcert --HEAD --debug
> /usr/local/Homebrew/Library/Homebrew/brew.rb (Formulary::FormulaLoader): loading /usr/local/Homebrew/Library/Taps/homebrew/homebrew-core/Formula/mkcert.rb
> Error: can't modify frozen String
> /usr/local/Homebrew/Library/Homebrew/exceptions.rb:475:in `initialize'
> /usr/local/Homebrew/Library/Homebrew/formula_installer.rb:86:in `new'
> /usr/local/Homebrew/Library/Homebrew/formula_installer.rb:86:in `prevent_build_flags'
> /usr/local/Homebrew/Library/Homebrew/cmd/install.rb:134:in `install'
> /usr/local/Homebrew/Library/Homebrew/brew.rb:102:in `<main>'
> ➜ brew --version
> Homebrew 2.1.7
> Homebrew/homebrew-core (git revision 276f; last commit 2019-07-10)
>
> Why is Apple limiting cert validity to 825 (magic number?) days, though? 🤔
>
> Manually compiling from current master using Go on macOS Catalina public beta 2 works on Chrome 🎉
>
> brew install go
> go get -u github.com/FiloSottile/mkcert
> $(go env GOPATH)/bin/mkcert -install
> $(go env GOPATH)/bin/mkcert localhost

That works for me on macOS Catalina too.
