Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Self signed certificate no longer valid as of Chrome 58 #854

Closed
PaulTondeur opened this issue Mar 20, 2017 · 43 comments
Closed

Self signed certificate no longer valid as of Chrome 58 #854

PaulTondeur opened this issue Mar 20, 2017 · 43 comments

Comments

@PaulTondeur
Copy link

@PaulTondeur PaulTondeur commented Mar 20, 2017

It turns out that the Subject Alt Name property is missing in the certificate, resulting in Chrome that marks the certificate as insecure. The error in chrome is misleading (net::ERR_CERT_COMMON_NAME_INVALID), though according to this post it is about the Subject Alternative Name (SAN) that is missing.

@johnboxall
Copy link

@johnboxall johnboxall commented Mar 21, 2017

Based on e97741c and https://security.stackexchange.com/a/91556 I believe this could be regenerated with something like:

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout server.pem \
    -new \
    -out server.pem \
    -subj /CN=localhost \
    -reqexts SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
    -sha256 \
    -days 3650

On OSX.

It also might be possible to take ssl/server.pem add run it through https://certificatetools.com/, then add an subjectAltName=DNS:localhost.

As part of this fix, it may be useful to commit the script used to generate the cert in case it needs to be regenerated again.

@ream88
Copy link

@ream88 ream88 commented Mar 31, 2017

Apparently this fix works also for Chrome 57. Thx @johnboxall!

@jesstelford
Copy link

@jesstelford jesstelford commented Apr 7, 2017

For those who may happen upon this via Google, I also had to set -extensions SAN to get @johnboxall's command to work:

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout server.pem \
    -new \
    -out server.pem \
    -subj /CN=localhost \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
    -sha256 \
    -days 3650
@stephanvierkant
Copy link

@stephanvierkant stephanvierkant commented Apr 20, 2017

I've used that command, but still getting ERR_CERT_AUTHORITY_INVALID on Chrome 58. Adding it to Chrome doesn't work because of "Not a Certification Authority" error message.

Any idea how to fix this?

@ianfitzpatrick
Copy link

@ianfitzpatrick ianfitzpatrick commented Apr 21, 2017

@stephanvierkant

I don't know what platform you are on, but assuming you are on OSX, you need to follow these instructions to manually trust self signed certificates.

http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.WPpqZFKZNE4

FWIW I followed the instructions from @jesstelford above, then manually re-trusted the new certificate following instructions similar to above link, and I'm now all good.

My local dev server is running debian on a VM in my mac, so I did have to change /System/Library/OpenSSL/openssl.cnf to /usr/lib/ssl/openssl.cnf

I already had a key file, so here are the instructions above modified to use an existing key:

openssl req \
    -key server.local.key \
    -x509 \
    -nodes \
    -new \
    -out server.local.crt \
    -subj /CN=server.local \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /usr/lib/ssl/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:server.local')) \
    -sha256 \
    -days 3650
@chibisuke
Copy link

@chibisuke chibisuke commented Apr 27, 2017

Time to migrate away from chrome.... with the latest update chrome is violating RFC2818.

@zijuexiansheng
Copy link

@zijuexiansheng zijuexiansheng commented May 2, 2017

The methods above works for me with Chrome. But I ran into some new issues.

  1. I cannot install the self-signed certificate on Firefox. And if I install it on iphone, it's not trusted.
  2. I added basicConstraints=CA:TRUE,pathlen:0 to the openssl.cnf file. Not it works perfectly for iphone. I can also import it to firefox. But the problem is that I cannot load my webpage with firefox

Does anyone have some ideas on how to resolve the firefox issue?

@CreativeWolf
Copy link

@CreativeWolf CreativeWolf commented May 2, 2017

Facing the same issue as @stephanvierkant mentioned here - #854 (comment)

Appreciate any work around for this please.

@lehne
Copy link

@lehne lehne commented May 2, 2017

tiblu added a commit to citizenos/citizenos-fe that referenced this issue May 3, 2017
@lewis617
Copy link

@lewis617 lewis617 commented May 4, 2017

What about Windows? @johnboxall

@RakeshMangroliya
Copy link

@RakeshMangroliya RakeshMangroliya commented May 15, 2017

Hello All

please use below mention solution work for Chrome + 58 and IISexpress 10.

please follow below steps

#1. run command prompt as administrator rights

#2 .type powershell -> enter

#3. now provide path of powershell script which i have attached

#4 .run it.

5464-iisexpress.zip

@szkrd
Copy link

@szkrd szkrd commented May 15, 2017

@lewis617 mingw git comes with an openssl binary (/mingw64/bin/openssl), use that. Copy /usr/ssl/openssl.cnf to somewhere else, add the two extra lines ([SAN]...) and use the -config param with the customized cnf, the rest of the params are the same as above mentioned. Hope it works!

@DBosley
Copy link

@DBosley DBosley commented May 16, 2017

@RakeshMangroliya this script did not work for me. It did fix IIS Express cert issues, but it did not fix the cert bundled with webpack-dev-server

@RakeshMangroliya
Copy link

@RakeshMangroliya RakeshMangroliya commented May 17, 2017

@DBosley

Hi

Please use this script and let me know. or provide me port no for webpack-dev-server you are using.
IISexpress.zip

@DBosley
Copy link

@DBosley DBosley commented May 17, 2017

@ianfitzpatrick Thanks for your help! Combining some stuff with others from @jesstelford I was able to edit the cert that comes with webpack-dev-server to have the SAN without invalidating the cert my whole team has already added to their trusted store.

All of this was a hassle as a windows user. I couldn't get the <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:server.local')) part of the command to work in powershell, so I just ended up adding this section to my cnf file and removing it after I was done:

[SAN]
subjectAltName=DNS:server.local
@wilga
Copy link

@wilga wilga commented May 18, 2017

Here is a Windows script to generate the self-signed certificate with openssl:
makeCert.bat

It will create these files: example.cnf, example.crt, example.key

cdosborn added a commit to cdosborn/ansible-tls-cert that referenced this issue May 19, 2017
Provide a SAN field to satisfy Chrome's net::ERR_CERT_COMMON_NAME_INVALID
See webpack/webpack-dev-server#854

Create a private key with 2048 bits to satisfy Chrome's net::ERR_CERT_WEAK_KEY

diff --git a/tasks/deploy-selfsigned.yml b/tasks/deploy-selfsigned.yml
@@ -8,12 +16,12 @@
 - name: Self-signed certificate and private key created
   tags: [selfsigned-cert-created]
   command: >
-    openssl req -new
+    openssl req
+    -config "{{ role_path }}/build/openssl-req.cnf"
+    -newkey rsa:2048
     -x509
     -nodes
-    -extensions v3_ca
     -days 3650
-    -subj "/"
     -keyout {{ TLS_PRIVKEY_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.key
     -out {{ TLS_CERT_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.crt
cdosborn added a commit to cdosborn/ansible-tls-cert that referenced this issue May 19, 2017
Provide a SAN field to satisfy Chrome's net::ERR_CERT_COMMON_NAME_INVALID
See webpack/webpack-dev-server#854

Create a private key with 2048 bits to satisfy Chrome's net::ERR_CERT_WEAK_KEY

diff --git a/tasks/deploy-selfsigned.yml b/tasks/deploy-selfsigned.yml
@@ -8,12 +16,12 @@
 - name: Self-signed certificate and private key created
   tags: [selfsigned-cert-created]
   command: >
-    openssl req -new
+    openssl req
+    -config "{{ role_path }}/build/openssl-req.cnf"
+    -newkey rsa:2048
     -x509
     -nodes
-    -extensions v3_ca
     -days 3650
-    -subj "/"
     -keyout {{ TLS_PRIVKEY_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.key
     -out {{ TLS_CERT_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.crt
cdosborn added a commit to cdosborn/ansible-tls-cert that referenced this issue May 19, 2017
Provide a SAN field to satisfy Chrome's net::ERR_CERT_COMMON_NAME_INVALID
See webpack/webpack-dev-server#854

Create a private key with 2048 bits to satisfy Chrome's net::ERR_CERT_WEAK_KEY

diff --git a/tasks/deploy-selfsigned.yml b/tasks/deploy-selfsigned.yml
@@ -8,12 +16,12 @@
 - name: Self-signed certificate and private key created
   tags: [selfsigned-cert-created]
   command: >
-    openssl req -new
+    openssl req
+    -config "{{ role_path }}/build/openssl-req.cnf"
+    -newkey rsa:2048
     -x509
     -nodes
-    -extensions v3_ca
     -days 3650
-    -subj "/"
     -keyout {{ TLS_PRIVKEY_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.key
     -out {{ TLS_CERT_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.crt
cdosborn added a commit to cdosborn/ansible-tls-cert that referenced this issue May 22, 2017
Provide a SAN field to satisfy Chrome's net::ERR_CERT_COMMON_NAME_INVALID
See webpack/webpack-dev-server#854

Create a private key with 2048 bits to satisfy Chrome's net::ERR_CERT_WEAK_KEY

diff --git a/tasks/deploy-selfsigned.yml b/tasks/deploy-selfsigned.yml
@@ -8,12 +16,12 @@
 - name: Self-signed certificate and private key created
   tags: [selfsigned-cert-created]
   command: >
-    openssl req -new
+    openssl req
+    -config "{{ role_path }}/build/openssl-req.cnf"
+    -newkey rsa:2048
     -x509
     -nodes
-    -extensions v3_ca
     -days 3650
-    -subj "/"
     -keyout {{ TLS_PRIVKEY_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.key
     -out {{ TLS_CERT_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.crt
cdosborn added a commit to cdosborn/ansible-tls-cert that referenced this issue May 22, 2017
Provide a SAN field to satisfy Chrome's net::ERR_CERT_COMMON_NAME_INVALID
See webpack/webpack-dev-server#854

Create a private key with 2048 bits to satisfy Chrome's net::ERR_CERT_WEAK_KEY

diff --git a/tasks/deploy-selfsigned.yml b/tasks/deploy-selfsigned.yml
@@ -8,12 +16,12 @@
 - name: Self-signed certificate and private key created
   tags: [selfsigned-cert-created]
   command: >
-    openssl req -new
+    openssl req
+    -config "{{ role_path }}/build/openssl-req.cnf"
+    -newkey rsa:2048
     -x509
     -nodes
-    -extensions v3_ca
     -days 3650
-    -subj "/"
     -keyout {{ TLS_PRIVKEY_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.key
     -out {{ TLS_CERT_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.crt
cdosborn added a commit to cdosborn/ansible-tls-cert that referenced this issue May 22, 2017
Provide a SAN field to satisfy Chrome's net::ERR_CERT_COMMON_NAME_INVALID
See webpack/webpack-dev-server#854

Create a private key with 2048 bits to satisfy Chrome's net::ERR_CERT_WEAK_KEY

diff --git a/tasks/deploy-selfsigned.yml b/tasks/deploy-selfsigned.yml
@@ -8,12 +16,12 @@
 - name: Self-signed certificate and private key created
   tags: [selfsigned-cert-created]
   command: >
-    openssl req -new
+    openssl req
+    -config "{{ role_path }}/build/openssl-req.cnf"
+    -newkey rsa:2048
     -x509
     -nodes
-    -extensions v3_ca
     -days 3650
-    -subj "/"
     -keyout {{ TLS_PRIVKEY_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.key
     -out {{ TLS_CERT_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.crt
@shellscape
Copy link
Contributor

@shellscape shellscape commented Aug 9, 2017

That commit is in the latest version, yes.

@k0a1a
Copy link

@k0a1a k0a1a commented Aug 10, 2017

Here is a solution that works for me:

https://ram.k0a1a.net/self-signed_https_cert_after_chrome_58

Tested on Debian/Apache2.4 + Debian/Chromium 59

@afhole
Copy link

@afhole afhole commented Aug 10, 2017

So the cert generated by dev server automatically still doesn't work with latest Chrome?

@shellscape
Copy link
Contributor

@shellscape shellscape commented Aug 10, 2017

@afhole not sure where you got that. works fine for me.

@afhole
Copy link

@afhole afhole commented Aug 10, 2017

@shellscape Oh cool, glad it's sorted. In 2.7.1 I am still getting ERR_CERT_COMMON_NAME_INVALID I wonder if I have the cert cached somewhere? Is there anything I need to do to clear the cache and generate a new cert?

@shellscape
Copy link
Contributor

@shellscape shellscape commented Aug 10, 2017

@afhole I'm not sure about that one I'm afraid.

@afhole
Copy link

@afhole afhole commented Aug 10, 2017

@shellscape Sorry, just to clarify - you no longer have errors with Subject Alternative Name missing and ERR_CERT_COMMON_NAME_INVALID? I just deleted ssl/server.pem and it regenerated, to no avail.

@shellscape
Copy link
Contributor

@shellscape shellscape commented Aug 10, 2017

Correct

@afhole
Copy link

@afhole afhole commented Aug 10, 2017

With localhost right? Has anyone else had success/failure with 2.7.1?

@accentureChris
Copy link

@accentureChris accentureChris commented Aug 14, 2017

We're unable to upgrade to 2.7.1 currently. Any cross-platform guidance? I've tried several guides/openssl cert/key generation.

paulca added a commit to paulca/webpack-dev-server that referenced this issue Aug 16, 2017
This fixes webpack#854 and webpack#906 by adding a subjectAltName matching
the commonName for the self-signed cert.
stphnlee added a commit to stphnlee/stphnlee.github.io that referenced this issue Sep 14, 2017
Kept getting error when trying to load page in Chrome. Found this help:

 webpack/webpack-dev-server#854
stphnlee added a commit to stphnlee/stphnlee.github.io that referenced this issue Sep 14, 2017
Adding "-extensions SAN" per jesstelford's comment on webpack/webpack-dev-server#854
@paillave
Copy link

@paillave paillave commented Sep 24, 2017

I am facing the issue. Whatever I can try doesn't work, I still have this ERR_CERT_AUTHORITY_INVALID after any solution I apply from the net.
Something puzzles me: why IISExpress doesn't face this issue? If I get it well, if IIS Express work, this means that, as a matter of a fact, it is possible to provide a certificate that can be accepted by chrome. Why the certificate provided by webpack-dev-server is refused even if it is trusted? BTW, I don't believe we should even create a certificate ourselves for a development server.

@zijuexiansheng
Copy link

@zijuexiansheng zijuexiansheng commented Sep 24, 2017

@paillave Chrome has some cache issue with certificates. Try reboot your computer or remove the cert cache and then reboot

@afhole
Copy link

@afhole afhole commented Sep 25, 2017

@paillave FWIW I still can't get it to work in Chrome 61/macOS 10.12.6, not sure what else to try

@afhole
Copy link

@afhole afhole commented Sep 25, 2017

Finally I got this to work with webpack-dev-server@2.8.2
I loaded it in Safari and set it to Always Trust for SSL and now it works in Chrome.
It shows as a root CA, is that correct?

@k0a1a
Copy link

@k0a1a k0a1a commented Sep 27, 2017

You can as well add the cert using Chrome/Chromium
https://ram.k0a1a.net/self-signed_https_cert_after_chrome_58#add_cert_to_the_browser
(although I'm not sure if it works on OSX the same way it does on Linux)

@stevenfitzpatrick
Copy link

@stevenfitzpatrick stevenfitzpatrick commented Sep 30, 2017

Still getting issue with latest chrome and latest webpack regarding ERR_CERT_COMMON_NAME_INVALID.

So I am trying generating a self signed cert.

What wasn't clear from this thread is where are you placing the self signed cert ?

Are you replacing the cert in node_modules/webpack-dev-server/ssl/server.pem or like this

https: {
      ca: fs.readFileSync('server.pem')
    },
@wenJanus
Copy link

@wenJanus wenJanus commented Nov 20, 2017

I have the same problem when I use headless mode. Any body have some solution?
09:24:07.722 DEBUG selenium-nodejs.HomePage: navigate
[1120/092408.090:VERBOSE1:network_delegate.cc(31)] NetworkDelegate::NotifyBeforeURLRequest: https://localhost/home
[1120/092408.403:VERBOSE1:navigator_impl.cc(242)] Failed Provisional Load: https://localhost/home, error_code: -501, error_description: , showing_repost_interstitial: 0, frame_id: 1

@mehrdad-shokri
Copy link

@mehrdad-shokri mehrdad-shokri commented Feb 18, 2018

@stephanvierkant managed to fix it?

@baoanhng
Copy link

@baoanhng baoanhng commented Mar 14, 2018

@k0a1a Thank you so much! I've spent much time on this, you just saved my day.

@czebiniak
Copy link

@czebiniak czebiniak commented Mar 16, 2018

This is such a bullshit issue. This doesn't increase security in my CA at all. Forcing me to add a subject alternative name? WTF are you thinking Google? I'm done with Chrome. This on top of Chrome blocking all https in 2 months... Literally insane.

@vog
Copy link

@vog vog commented Nov 24, 2018

Note that generating a self-signed certificate with SAN is a lot easier than any of the long commands specified here. In particular, you do not need to know the location of the OpenSSL config file in your system. It is described in the following StackOverflow answer:

@adi518
Copy link

@adi518 adi518 commented Mar 13, 2020

I guess this issue is back? why was it closed? can it even be fixed or are we at the mercy of Chrome and fixing it ourselves by generating certificates? well anyway, Windows users should do this:

  • Grab OpenSSL for Windows.
  • Add binary to PATH environment variable, as the installer doesn't do that.
  • Restart your CLI, type openssl and it should work.
  • Grab @wilga batch file, set HOSTNAME and execute.
  • Import into Chrome (Settings -> search "Manage certificates").
@evilebottnawi
Copy link
Member

@evilebottnawi evilebottnawi commented Mar 13, 2020

@adi518 Update your version of webpack-dev-server to latest stable

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

You can’t perform that action at this time.