Issue with new SHA256 certificates on Windows #648

Closed
thrandre opened this issue Oct 11, 2016 · 7 comments

@thrandre

I'm submitting a bug report

webpack and webpack-dev-server version:
webpack: 2.1.0.beta-25
webpack-dev-server: 2.1.0-beta8

Please tell us about your environment:
Windows 10
Running server via CLI (https enabled)

Config:

    devServer: {
        publicPath: "http://localhost:8080/assets/",
        https: true,
        inline: true,
        contentBase: "https://localhost:44392"
    }

Current behavior:
New SHA256 certificates are reported as being invalid (The signature of the certificate cannot be verified.) on Windows 10. Browsers refuse to connect.

**Result after verification by certutil**

    Issuer:
        CN=localhost
        O=webpack
        S=Some-State
        C=US
      Name Hash(sha1): c09e932a57991f558ce9c1356054b21339ebeea8
      Name Hash(md5): d385876d7cf158cfc6e6bacc097efd90
    Subject:
        CN=localhost
        O=webpack
        S=Some-State
        C=US
      Name Hash(sha1): c09e932a57991f558ce9c1356054b21339ebeea8
      Name Hash(md5): d385876d7cf158cfc6e6bacc097efd90
    Cert Serial Number: 8dca6301d73b9c66

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

    CertContext[0][0]: dwInfoStatus=c dwErrorStatus=28
      Issuer: CN=localhost, O=webpack, S=Some-State, C=US
      NotBefore: 27.08.2016 17.31
      NotAfter: 09.01.2018 17.31
      Subject: CN=localhost, O=webpack, S=Some-State, C=US
      Serial: 8dca6301d73b9c66
      Cert: 5117f06a1d761f80eabb34f7385e3d86721effed
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
      Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

    Exclude leaf cert:
      Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
    Full chain:
      Chain: 5117f06a1d761f80eabb34f7385e3d86721effed
      Issuer: CN=localhost, O=webpack, S=Some-State, C=US
      NotBefore: 27.08.2016 17.31
      NotAfter: 09.01.2018 17.31
      Subject: CN=localhost, O=webpack, S=Some-State, C=US
      Serial: 8dca6301d73b9c66
      Cert: 5117f06a1d761f80eabb34f7385e3d86721effed
    The signature of the certificate cannot be verified. 0x80096004 (-2146869244 TRUST_E_CERT_SIGNATURE)
    ------------------------------------
    CertUtil: -verify command FAILED: 0x80096004 (-2146869244 TRUST_E_CERT_SIGNATURE)
    CertUtil: The signature of the certificate cannot be verified.

@SpaceK33z
Member

So to be clear, this prevents you from connecting at all? Even if you click "Next" (or something like that) and continue "unsecure"?

@thrandre
Author

thrandre commented Oct 14, 2016

That is correct. Neither Chrome nor IE even provides such an option.

@ms-denver

I can get Firefox to proceed by adding an exception. This will get me over the hurdle for now until it is fixed.

@SpaceK33z
Member

Reproduced the problem in Windows, and verified that it was fixed with e97741c. Fix released in 2.1.0-beta.10!

@stoffeastrom

I just tried this but I get NET::ERR_CERT_AUTHORITY_INVALID. Do I have to do something more?

@SpaceK33z
Member

But you can click on something like continue, right? The cert authority is invalid because it's a fake cert.

@stoffeastrom

Oh yes, I forgot that I have to click Advanced -> continue to unsecure... bla bla, thanks
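
Added example (not part of the thread and not webpack-dev-server code): a Node.js script that parses the per-element status lines of `certutil -verify` output like the dump in the report and separates the two conditions discussed in this issue, an invalid signature versus an untrusted self-signed root. The function names and result labels are hypothetical; `REPORTED` is excerpted from the output in the report and `AFTER_FIX` is constructed for illustration.

```javascript
// Added example: triage of `certutil -verify` chain-element status lines.
// REPORTED is excerpted from the output quoted in this issue.
const REPORTED = `
CertContext[0][0]: dwInfoStatus=c dwErrorStatus=28
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
`;
// AFTER_FIX is constructed: the same element with only the untrusted-root error.
const AFTER_FIX = `
CertContext[0][0]: dwInfoStatus=c dwErrorStatus=20
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
`;
const HEADER = /^CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-f]+) dwErrorStatus=([0-9a-f]+)/i;
const FLAG = /^\s*Element\.dw(Info|Error)Status = (\w+) \(0x([0-9a-f]+)\)/;

// Collect each chain element with its summary mask and the flags listed under it.
function parseElements(text) {
  const elements = [];
  for (const line of text.split(/\r?\n/)) {
    const h = HEADER.exec(line);
    if (h) {
      elements.push({ chain: Number(h[1]), index: Number(h[2]),
        errorMask: parseInt(h[4], 16), listedMask: 0, info: [], errors: [] });
      continue;
    }
    const f = FLAG.exec(line);
    const cur = elements[elements.length - 1];
    if (!f || !cur) continue;
    if (f[1] === 'Error') { cur.errors.push(f[2]); cur.listedMask |= parseInt(f[3], 16); }
    else cur.info.push(f[2]);
  }
  return elements;
}

// Hypothetical labels: which condition a chain element is in.
function triage(el) {
  if (el.listedMask !== el.errorMask) return 'inconsistent-output';
  if (el.errors.includes('CERT_TRUST_IS_NOT_SIGNATURE_VALID')) return 'signature-invalid';
  if (el.errors.length === 0) return 'ok';
  const onlyUntrustedRoot = el.errors.every((e) => e === 'CERT_TRUST_IS_UNTRUSTED_ROOT');
  return onlyUntrustedRoot && el.info.includes('CERT_TRUST_IS_SELF_SIGNED')
    ? 'untrusted-self-signed' : 'other-error';
}

for (const t of [REPORTED, AFTER_FIX]) console.log(parseElements(t).map(triage));
```

`signature-invalid` is the state in the original report, where Chrome and IE offered no way to continue; `untrusted-self-signed` matches the later comments, where the browser warns about the authority but lets you proceed.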
