Self signed certificate no longer valid as of Chrome 58 #854

Closed
PaulTondeur opened this issue Mar 20, 2017 · 43 comments

@PaulTondeur

It turns out that the Subject Alt Name property is missing in the certificate, resulting in Chrome marking the certificate as insecure. The error in Chrome is misleading (net::ERR_CERT_COMMON_NAME_INVALID), though according to this post it is about the Subject Alternative Name (SAN) that is missing.

@johnboxall

johnboxall commented Mar 21, 2017

Based on e97741c and https://security.stackexchange.com/a/91556 I believe this could be regenerated with something like:

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout server.pem \
    -new \
    -out server.pem \
    -subj /CN=localhost \
    -reqexts SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
    -sha256 \
    -days 3650

On OSX.

It also might be possible to take ssl/server.pem and run it through https://certificatetools.com/, then add a subjectAltName=DNS:localhost.

As part of this fix, it may be useful to commit the script used to generate the cert in case it needs to be regenerated again.

@ream88

ream88 commented Mar 31, 2017

Apparently this fix works also for Chrome 57. Thx @johnboxall!

@jesstelford

jesstelford commented Apr 7, 2017

For those who may happen upon this via Google, I also had to set -extensions SAN to get @johnboxall's command to work:

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout server.pem \
    -new \
    -out server.pem \
    -subj /CN=localhost \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
    -sha256 \
    -days 3650

@stephanvierkant

I've used that command, but still getting ERR_CERT_AUTHORITY_INVALID on Chrome 58. Adding it to Chrome doesn't work because of "Not a Certification Authority" error message.

Any idea how to fix this?

@ianfitzpatrick

ianfitzpatrick commented Apr 21, 2017

@stephanvierkant

I don't know what platform you are on, but assuming you are on OSX, you need to follow these instructions to manually trust self signed certificates.

http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.WPpqZFKZNE4

FWIW I followed the instructions from @jesstelford above, then manually re-trusted the new certificate following instructions similar to above link, and I'm now all good.

My local dev server is running Debian on a VM in my Mac, so I did have to change /System/Library/OpenSSL/openssl.cnf to /usr/lib/ssl/openssl.cnf.

I already had a key file, so here are the instructions above modified to use an existing key:

openssl req \
    -key server.local.key \
    -x509 \
    -nodes \
    -new \
    -out server.local.crt \
    -subj /CN=server.local \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /usr/lib/ssl/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:server.local')) \
    -sha256 \
    -days 3650
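
A portable variant of the commands in the comments above, added here as an example (not code from the thread or from webpack-dev-server): it writes a self-contained config to a temporary file, so it needs neither process substitution nor the location of the system openssl.cnf, and it checks that the generated certificate really lists the host in its SAN. The function names are made up for this example.

```shell
#!/bin/sh
# Added example. Host name and file paths passed in are the caller's choice.

# Write a minimal req config; x509_extensions is what -x509 copies into the cert.
write_san_config() {    # $1 = host name, $2 = config path
    cat > "$2" <<EOF
[req]
distinguished_name = dn
x509_extensions = san
prompt = no

[dn]
CN = $1

[san]
subjectAltName = DNS:$1
EOF
}

# Generate an unencrypted key (-nodes) and a self-signed certificate.
make_cert() {           # $1 = host name, $2 = key path, $3 = cert path
    cnf=$(mktemp) || return 1
    write_san_config "$1" "$cnf"
    ( umask 077         # key file readable by the owner only
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -config "$cnf" -keyout "$2" -out "$3" )
    rc=$?
    rm -f "$cnf"
    return "$rc"
}

# True only if the `openssl x509 -text` dump in $1 lists DNS:<host> in the SAN.
# The subject CN is ignored on purpose; only exact names are compared.
san_has_dns() {         # $1 = text dump, $2 = host name
    printf '%s\n' "$1" | awk -v want="DNS:$2" '
        /X509v3 Subject Alternative Name/ {
            getline
            gsub(/^[ \t]+/, "")
            n = split($0, entry, /,[ \t]*/)
            for (i = 1; i <= n; i++) if (entry[i] == want) found = 1
        }
        END { exit !found }'
}

# Same check against a certificate file on disk.
cert_covers_host() {    # $1 = cert path, $2 = host name
    san_has_dns "$(openssl x509 -in "$1" -noout -text)" "$2"
}
```

After sourcing the file, `make_cert localhost server.key server.crt && cert_covers_host server.crt localhost` generates the pair and confirms the SAN before the certificate is added to any trust store.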

@chibisuke

Time to migrate away from chrome.... with the latest update chrome is violating RFC2818.

@zijuexiansheng

The methods above work for me with Chrome. But I ran into some new issues.

  1. I cannot install the self-signed certificate on Firefox. And if I install it on iPhone, it's not trusted.
  2. I added basicConstraints=CA:TRUE,pathlen:0 to the openssl.cnf file. Now it works perfectly for iPhone. I can also import it to Firefox. But the problem is that I cannot load my webpage with Firefox.

Does anyone have some ideas on how to resolve the firefox issue?

@CreativeWolf

Facing the same issue as @stephanvierkant mentioned here - #854 (comment)

Appreciate any work around for this please.

@lehne

lehne commented May 2, 2017

https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58
I used this method and it worked well.

tiblu added a commit to citizenos/citizenos-fe-old that referenced this issue May 3, 2017
@lewis617

lewis617 commented May 4, 2017

What about Windows? @johnboxall

@RakeshMangroliya

Hello all,

Please use the solution mentioned below; it works for Chrome 58+ and IIS Express 10.

Please follow the steps below:

1. Run the command prompt with administrator rights.

2. Type powershell and press Enter.

3. Now provide the path of the PowerShell script which I have attached.

4. Run it.

5464-iisexpress.zip

@szkrd

szkrd commented May 15, 2017

@lewis617 mingw git comes with an openssl binary (/mingw64/bin/openssl), use that. Copy /usr/ssl/openssl.cnf to somewhere else, add the two extra lines ([SAN]...) and use the -config param with the customized cnf, the rest of the params are the same as above mentioned. Hope it works!

@DBosley

DBosley commented May 16, 2017

@RakeshMangroliya this script did not work for me. It did fix IIS Express cert issues, but it did not fix the cert bundled with webpack-dev-server

@RakeshMangroliya

RakeshMangroliya commented May 17, 2017

@DBosley

Hi,

Please use this script and let me know, or provide me the port number for the webpack-dev-server you are using.
IISexpress.zip

@DBosley

DBosley commented May 17, 2017

@ianfitzpatrick Thanks for your help! Combining some stuff with others from @jesstelford I was able to edit the cert that comes with webpack-dev-server to have the SAN without invalidating the cert my whole team has already added to their trusted store.

All of this was a hassle as a Windows user. I couldn't get the <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:server.local')) part of the command to work in PowerShell, so I just ended up adding this section to my cnf file and removing it after I was done:

[SAN]
subjectAltName=DNS:server.local

@wilga

wilga commented May 18, 2017

Here is a Windows script to generate the self-signed certificate with openssl:
makeCert.bat

It will create these files: example.cnf, example.crt, example.key

cdosborn added a commit to cdosborn/ansible-tls-cert that referenced this issue May 19, 2017
Provide a SAN field to satisfy Chrome's net::ERR_CERT_COMMON_NAME_INVALID
See webpack/webpack-dev-server#854

Create a private key with 2048 bits to satisfy Chrome's net::ERR_CERT_WEAK_KEY

diff --git a/tasks/deploy-selfsigned.yml b/tasks/deploy-selfsigned.yml
@@ -8,12 +16,12 @@
 - name: Self-signed certificate and private key created
   tags: [selfsigned-cert-created]
   command: >
-    openssl req -new
+    openssl req
+    -config "{{ role_path }}/build/openssl-req.cnf"
+    -newkey rsa:2048
     -x509
     -nodes
-    -extensions v3_ca
     -days 3650
-    -subj "/"
     -keyout {{ TLS_PRIVKEY_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.key
     -out {{ TLS_CERT_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.crt
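Review bot: nothing in this hunk shows that the SAN actually reaches the certificate: the removed `-subj "/"` and `-extensions v3_ca` lines hand both the subject and the extensions over to `build/openssl-req.cnf`, which is not part of the visible diff. Because the command keeps `-x509`, that file has to point at the SAN section through `x509_extensions` (a `req_extensions` entry alone is not copied into a self-signed certificate, which is what the `-extensions SAN` comment earlier in this thread ran into), and it needs `prompt = no` with a `distinguished_name` section so the task cannot stall waiting for input. Since `-nodes` leaves the key at the `-keyout` path unencrypted, it would also help to set restrictive permissions on that file and to add a follow-up task that fails when `openssl x509 -noout -text` on the new certificate shows no Subject Alternative Name.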
@shellscape
Contributor

That commit is in the latest version, yes.

@k0a1a

k0a1a commented Aug 10, 2017

Here is a solution that works for me:

https://ram.k0a1a.net/self-signed_https_cert_after_chrome_58

Tested on Debian/Apache2.4 + Debian/Chromium 59

@afhole

afhole commented Aug 10, 2017

So the cert generated by dev server automatically still doesn't work with latest Chrome?

@shellscape
Contributor

@afhole not sure where you got that. works fine for me.

@afhole

afhole commented Aug 10, 2017

@shellscape Oh cool, glad it's sorted. In 2.7.1 I am still getting ERR_CERT_COMMON_NAME_INVALID. I wonder if I have the cert cached somewhere? Is there anything I need to do to clear the cache and generate a new cert?

@shellscape
Contributor

@afhole I'm not sure about that one I'm afraid.

@afhole

afhole commented Aug 10, 2017

@shellscape Sorry, just to clarify - you no longer have errors with Subject Alternative Name missing and ERR_CERT_COMMON_NAME_INVALID? I just deleted ssl/server.pem and it regenerated, to no avail.

@shellscape
Contributor

Correct

@afhole

afhole commented Aug 10, 2017

With localhost right? Has anyone else had success/failure with 2.7.1?

@accentureChris

We're unable to upgrade to 2.7.1 currently. Any cross-platform guidance? I've tried several guides/openssl cert/key generation.

paulca added a commit to paulca/webpack-dev-server that referenced this issue Aug 16, 2017
This fixes webpack#854 and webpack#906 by adding a subjectAltName matching
the commonName for the self-signed cert.
stphnlee added a commit to stphnlee/stphnlee.github.io that referenced this issue Sep 14, 2017
Kept getting error when trying to load page in Chrome. Found this help:

 webpack/webpack-dev-server#854
stphnlee added a commit to stphnlee/stphnlee.github.io that referenced this issue Sep 14, 2017
Adding "-extensions SAN" per jesstelford's comment on webpack/webpack-dev-server#854
@paillave

I am facing the issue. Whatever I try doesn't work; I still have this ERR_CERT_AUTHORITY_INVALID after any solution I apply from the net.
Something puzzles me: why doesn't IISExpress face this issue? If I get it right, if IIS Express works, this means that, as a matter of fact, it is possible to provide a certificate that can be accepted by Chrome. Why is the certificate provided by webpack-dev-server refused even if it is trusted? BTW, I don't believe we should even create a certificate ourselves for a development server.

@zijuexiansheng

@paillave Chrome has some cache issue with certificates. Try rebooting your computer, or remove the cert cache and then reboot.

@afhole

afhole commented Sep 25, 2017

@paillave FWIW I still can't get it to work in Chrome 61/macOS 10.12.6, not sure what else to try

@afhole

afhole commented Sep 25, 2017

Finally I got this to work with webpack-dev-server@2.8.2
I loaded it in Safari and set it to Always Trust for SSL and now it works in Chrome.
It shows as a root CA, is that correct?

@k0a1a

k0a1a commented Sep 27, 2017

You can as well add the cert using Chrome/Chromium
https://ram.k0a1a.net/self-signed_https_cert_after_chrome_58#add_cert_to_the_browser
(although I'm not sure if it works on OSX the same way it does on Linux)

@stevenfitzpatrick

Still getting the issue with the latest Chrome and latest webpack regarding ERR_CERT_COMMON_NAME_INVALID.

So I am trying to generate a self-signed cert.

What wasn't clear from this thread is: where are you placing the self-signed cert?

Are you replacing the cert in node_modules/webpack-dev-server/ssl/server.pem or like this

https: {
    ca: fs.readFileSync('server.pem')
},

@wenJanus

I have the same problem when I use headless mode. Does anybody have a solution?

09:24:07.722 DEBUG selenium-nodejs.HomePage: navigate
[1120/092408.090:VERBOSE1:network_delegate.cc(31)] NetworkDelegate::NotifyBeforeURLRequest: https://localhost/home
[1120/092408.403:VERBOSE1:navigator_impl.cc(242)] Failed Provisional Load: https://localhost/home, error_code: -501, error_description: , showing_repost_interstitial: 0, frame_id: 1

@mehrdad-shokri

@stephanvierkant managed to fix it?

@baoanhng

@k0a1a Thank you so much! I've spent much time on this, you just saved my day.

@Patriot2407

Patriot2407 commented Mar 16, 2018

This is such a bullshit issue. This doesn't increase security in my CA at all. Forcing me to add a subject alternative name? WTF are you thinking Google? I'm done with Chrome. This on top of Chrome blocking all https in 2 months... Literally insane.

@vog

vog commented Nov 24, 2018

Note that generating a self-signed certificate with SAN is a lot easier than any of the long commands specified here. In particular, you do not need to know the location of the OpenSSL config file in your system. It is described in the following StackOverflow answer:

@adi518

adi518 commented Mar 13, 2020

I guess this issue is back? Why was it closed? Can it even be fixed, or are we at the mercy of Chrome and fixing it ourselves by generating certificates? Well anyway, Windows users should do this:

  • Grab OpenSSL for Windows.
  • Add binary to PATH environment variable, as the installer doesn't do that.
  • Restart your CLI, type openssl and it should work.
  • Grab @wilga batch file, set HOSTNAME and execute.
  • Import into Chrome (Settings -> search "Manage certificates").

@alexander-akait
Member

@adi518 Update your version of webpack-dev-server to latest stable
