Self signed certificate no longer valid as of Chrome 58 #854
Based on e97741c and https://security.stackexchange.com/a/91556 I believe this could be regenerated with something like:

```bash
openssl req \
  -newkey rsa:2048 \
  -x509 \
  -nodes \
  -keyout server.pem \
  -new \
  -out server.pem \
  -subj /CN=localhost \
  -reqexts SAN \
  -config <(cat /System/Library/OpenSSL/openssl.cnf \
    <(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
  -sha256 \
  -days 3650
```

On OSX. It also might be possible to take As part of this fix, it may be useful to commit the script used to generate the cert in case it needs to be regenerated again. |
Apparently this fix works also for Chrome 57. Thx @johnboxall! |
For those who may happen upon this via Google, I also had to set

```bash
openssl req \
  -newkey rsa:2048 \
  -x509 \
  -nodes \
  -keyout server.pem \
  -new \
  -out server.pem \
  -subj /CN=localhost \
  -reqexts SAN \
  -extensions SAN \
  -config <(cat /System/Library/OpenSSL/openssl.cnf \
    <(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
  -sha256 \
  -days 3650
```

|
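The two commands above differ only in `-extensions SAN`, and both depend on the macOS location of `openssl.cnf`. As an added example (not part of the thread; the function names `make_cert` and `cert_has_san` and the file layout are assumptions), this script writes its own minimal config and then checks that the SAN actually ended up in the certificate:

```shell
#!/bin/sh
# Added example; names and file layout are assumptions, not from the thread.

# make_cert HOST PREFIX [san|nosan]
# Writes PREFIX.cnf, PREFIX.key and PREFIX.crt. The config is generated here,
# so the platform's own openssl.cnf location does not matter.
make_cert() {
    host=$1 prefix=$2 mode=${3:-san}
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        # x509_extensions names the section "req -x509" adds to the certificate.
        if [ "$mode" = san ]; then printf 'x509_extensions = san\n'; fi
        printf '[dn]\nCN = %s\n' "$host"
        printf '[san]\nsubjectAltName = DNS:%s\n' "$host"
    } > "$prefix.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$prefix.cnf" \
        -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
}

# cert_has_san CERT HOST
# Succeeds only if CERT carries a subjectAltName entry exactly equal to
# DNS:HOST. The text dump is parsed instead of using "x509 -checkhost",
# because host checking can fall back to the CN when no SAN is present,
# which is the behaviour Chrome 58 dropped.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed 's/^ *//' |
        grep -qxF "DNS:$2"
}
```

Typical use is `make_cert localhost ./server` followed by `cert_has_san ./server.crt localhost && echo "SAN present"`.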
I've used that command, but still getting ERR_CERT_AUTHORITY_INVALID on Chrome 58. Adding it to Chrome doesn't work because of "Not a Certification Authority" error message. Any idea how to fix this? |
I don't know what platform you are on, but assuming you are on OSX, you need to follow these instructions to manually trust self signed certificates. http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.WPpqZFKZNE4 FWIW I followed the instructions from @jesstelford above, then manually re-trusted the new certificate following instructions similar to above link, and I'm now all good. My local dev server is running debian on a VM in my mac, so I did have to change I already had a key file, so here are the instructions above modified to use an existing key:
|
Time to migrate away from Chrome.... with the latest update Chrome is violating RFC2818. |
The methods above work for me with Chrome. But I ran into some new issues.
Does anyone have some ideas on how to resolve the firefox issue? |
Facing the same issue as @stephanvierkant mentioned here - #854 (comment) Appreciate any work around for this please. |
https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58 |
What about Windows? @johnboxall |
@lewis617 mingw git comes with an openssl binary (/mingw64/bin/openssl), use that. |
@RakeshMangroliya this script did not work for me. It did fix IIS Express cert issues, but it did not fix the cert bundled with webpack-dev-server |
Hi, please use this script and let me know, or provide me the port no. for webpack-dev-server you are using. |
@ianfitzpatrick Thanks for your help! Combining some stuff with others from @jesstelford I was able to edit the cert that comes with webpack-dev-server to have the SAN without invalidating the cert my whole team has already added to their trusted store. All of this was a hassle as a Windows user. I couldn't get the
|
Here is a Windows script to generate the self-signed certificate with openssl: It will create these files: example.cnf, example.crt, example.key |
Provide a SAN field to satisfy Chrome's net::ERR_CERT_COMMON_NAME_INVALID See webpack/webpack-dev-server#854 Create a private key with 2048 bits to satisfy Chrome's net::ERR_CERT_WEAK_KEY diff --git a/tasks/deploy-selfsigned.yml b/tasks/deploy-selfsigned.yml @@ -8,12 +16,12 @@ - name: Self-signed certificate and private key created tags: [selfsigned-cert-created] command: > - openssl req -new + openssl req + -config "{{ role_path }}/build/openssl-req.cnf" + -newkey rsa:2048 -x509 -nodes - -extensions v3_ca -days 3650 - -subj "/" -keyout {{ TLS_PRIVKEY_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.key -out {{ TLS_CERT_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.crt
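Review bot: With `-extensions v3_ca` and `-subj "/"` both removed from the `openssl req` command, what ends up in the certificate now depends entirely on `build/openssl-req.cnf`, which is not part of this hunk. Because `-x509` is kept and no `-extensions` option is passed, the SAN reaches the certificate only if that file's `[req]` section sets `x509_extensions` to a section containing `subjectAltName`, and with `-subj` gone the command may prompt for subject fields unless the file also sets `prompt = no` with a `distinguished_name` section. Please include the config file in the same change (or pass `-extensions <section>` explicitly) and add a follow-up task that inspects the generated `.crt` for the expected SAN. Minor: the `-config` path is quoted while the `-keyout` and `-out` template paths are not.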
That commit is in the latest version, yes. |
Here is a solution that works for me: https://ram.k0a1a.net/self-signed_https_cert_after_chrome_58 Tested on Debian/Apache2.4 + Debian/Chromium 59 |
So the cert generated by dev server automatically still doesn't work with latest Chrome? |
@afhole not sure where you got that. works fine for me. |
@shellscape Oh cool, glad it's sorted. In 2.7.1 I am still getting |
@afhole I'm not sure about that one I'm afraid. |
@shellscape Sorry, just to clarify - you no longer have errors with |
Correct |
With |
We're unable to upgrade to 2.7.1 currently. Any cross-platform guidance? I've tried several guides/openssl cert/key generation. |
This fixes webpack#854 and webpack#906 by adding a subjectAltName matching the commonName for the self-signed cert.
Kept getting error when trying to load page in Chrome. Found this help: webpack/webpack-dev-server#854
Adding "-extensions SAN" per jesstelford's comment on webpack/webpack-dev-server#854
I am facing the issue. Whatever I can try doesn't work, I still have this ERR_CERT_AUTHORITY_INVALID after any solution I apply from the net. |
@paillave Chrome has some cache issue with certificates. Try rebooting your computer or remove the cert cache and then reboot |
@paillave FWIW I still can't get it to work in Chrome 61/macOS 10.12.6, not sure what else to try |
Finally I got this to work with webpack-dev-server@2.8.2 |
You can as well add the cert using Chrome/Chromium |
Still getting issue with latest Chrome and latest webpack regarding ERR_CERT_COMMON_NAME_INVALID. So I am trying generating a self signed cert. What wasn't clear from this thread is where are you placing the self signed cert? Are you replacing the cert in node_modules/webpack-dev-server/ssl/server.pem or like this
|
I have the same problem when I use headless mode. Anybody have some solution? |
@stephanvierkant managed to fix it? |
@k0a1a Thank you so much! I've spent much time on this, you just saved my day. |
This is such a bullshit issue. This doesn't increase security in my CA at all. Forcing me to add a subject alternative name? WTF are you thinking Google? I'm done with Chrome. This on top of Chrome blocking all https in 2 months... Literally insane. |
Note that generating a self-signed certificate with SAN is a lot easier than any of the long commands specified here. In particular, you do not need to know the location of the OpenSSL config file in your system. It is described in the following StackOverflow answer: |
I guess this issue is back? Why was it closed? Can it even be fixed or are we at the mercy of Chrome and fixing it ourselves by generating certificates? Well anyway, Windows users should do this: |
@adi518 Update your version of webpack-dev-server to latest stable |
It turns out that the Subject Alt Name property is missing in the certificate, resulting in Chrome marking the certificate as insecure. The error in Chrome is misleading (net::ERR_CERT_COMMON_NAME_INVALID), though according to this post it is about the Subject Alternative Name (SAN) that is missing.