Self signed certificate no longer valid as of Chrome 58 #854

Closed
PaulTondeur opened this Issue Mar 20, 2017 · 40 comments

It turns out that the Subject Alt Name property is missing in the certificate, resulting in Chrome marking the certificate as insecure. The error in Chrome is misleading (net::ERR_CERT_COMMON_NAME_INVALID), though according to this post it is about the Subject Alternative Name (SAN) that is missing.

johnboxall Mar 21, 2017

Based on e97741c and https://security.stackexchange.com/a/91556 I believe this could be regenerated with something like:

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout server.pem \
    -new \
    -out server.pem \
    -subj /CN=localhost \
    -reqexts SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
    -sha256 \
    -days 3650

On OSX.

It also might be possible to take ssl/server.pem and run it through https://certificatetools.com/, then add a subjectAltName=DNS:localhost.

As part of this fix, it may be useful to commit the script used to generate the cert in case it needs to be regenerated again.

ream88 Mar 31, 2017

Apparently this fix works also for Chrome 57. Thx @johnboxall!

jesstelford Apr 7, 2017

For those who may happen upon this via Google, I also had to set -extensions SAN to get @johnboxall's command to work:

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout server.pem \
    -new \
    -out server.pem \
    -subj /CN=localhost \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
    -sha256 \
    -days 3650

stephanvierkant Apr 20, 2017

I've used that command, but still getting ERR_CERT_AUTHORITY_INVALID on Chrome 58. Adding it to Chrome doesn't work because of "Not a Certification Authority" error message.

Any idea how to fix this?

ianfitzpatrick Apr 21, 2017

@stephanvierkant

I don't know what platform you are on, but assuming you are on OSX, you need to follow these instructions to manually trust self signed certificates.

http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.WPpqZFKZNE4

FWIW I followed the instructions from @jesstelford above, then manually re-trusted the new certificate following instructions similar to above link, and I'm now all good.

My local dev server is running debian on a VM in my mac, so I did have to change /System/Library/OpenSSL/openssl.cnf to /usr/lib/ssl/openssl.cnf

I already had a key file, so here are the instructions above modified to use an existing key:

openssl req \
    -key server.local.key \
    -x509 \
    -nodes \
    -new \
    -out server.local.crt \
    -subj /CN=server.local \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /usr/lib/ssl/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:server.local')) \
    -sha256 \
    -days 3650

chibisuke Apr 27, 2017

Time to migrate away from chrome.... with the latest update chrome is violating RFC2818.

zijuexiansheng May 2, 2017

The methods above work for me with Chrome. But I ran into some new issues.

  1. I cannot install the self-signed certificate on Firefox. And if I install it on iPhone, it's not trusted.
  2. I added basicConstraints=CA:TRUE,pathlen:0 to the openssl.cnf file. Now it works perfectly for iPhone. I can also import it to Firefox. But the problem is that I cannot load my webpage with Firefox.

Does anyone have some ideas on how to resolve the Firefox issue?

CreativeWolf May 2, 2017

Facing the same issue as @stephanvierkant mentioned here - #854 (comment)

Appreciate any work around for this please.

tiblu added a commit to citizenos/citizenos-fe that referenced this issue May 3, 2017

lewis617 May 4, 2017

What about Windows? @johnboxall

RakeshMangroliya May 15, 2017

Hello all,

Please use the solution mentioned below; it works for Chrome 58+ and IIS Express 10.

Please follow the steps below:

1. Run Command Prompt with administrator rights.

2. Type powershell and press Enter.

3. Provide the path of the PowerShell script which I have attached.

4. Run it.

5464-iisexpress.zip

szkrd May 15, 2017

@lewis617 mingw git comes with an openssl binary (/mingw64/bin/openssl), use that. Copy /usr/ssl/openssl.cnf to somewhere else, add the two extra lines ([SAN]...) and use the -config param with the customized cnf, the rest of the params are the same as above mentioned. Hope it works!

DBosley May 16, 2017

@RakeshMangroliya this script did not work for me. It did fix IIS Express cert issues, but it did not fix the cert bundled with webpack-dev-server

RakeshMangroliya May 17, 2017

@DBosley

Hi

Please use this script and let me know, or provide me the port number of the webpack-dev-server you are using.
IISexpress.zip

DBosley May 17, 2017

@ianfitzpatrick Thanks for your help! Combining some stuff with others from @jesstelford I was able to edit the cert that comes with webpack-dev-server to have the SAN without invalidating the cert my whole team has already added to their trusted store.

All of this was a hassle as a Windows user. I couldn't get the <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:server.local')) part of the command to work in PowerShell, so I just ended up adding this section to my cnf file and removing it after I was done:

[SAN]
subjectAltName=DNS:server.local
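
The SAN requirement discussed in this thread, using a standalone config file instead of process substitution, as an added example that is not part of any comment here or of webpack-dev-server. It assumes an `openssl` binary on PATH; the function names, the `[san]` section name and the temp-directory layout are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not code from this thread or from webpack-dev-server.
# Function names, the [san] section name and the temp-dir layout are assumptions.
set -eu

# write_cnf FILE HOSTNAME yes|no
# Writes a minimal request config. With -x509, openssl copies extensions from
# the section named by x509_extensions, so no process substitution is needed.
write_cnf() {
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        if [ "$3" = yes ]; then printf 'x509_extensions = san\n'; fi
        printf '\n[dn]\nCN = %s\n' "$2"
        if [ "$3" = yes ]; then printf '\n[san]\nsubjectAltName = DNS:%s\n' "$2"; fi
    } > "$1"
}

# make_cert DIR HOSTNAME yes|no  ->  DIR/HOSTNAME.cnf, .key and .crt
make_cert() {
    write_cnf "$1/$2.cnf" "$2" "$3"
    (
        umask 077   # keep the unencrypted private key readable by the owner only
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -config "$1/$2.cnf" -keyout "$1/$2.key" -out "$1/$2.crt"
    )
}

# san_entries CERT  ->  one SAN entry per line, e.g. DNS:localhost
san_entries() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n +2 | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# cert_has_san CERT HOSTNAME  ->  exit 0 only if DNS:HOSTNAME is listed exactly
# (wildcard entries are not expanded here)
cert_has_san() {
    san_entries "$1" | grep -Fqx "DNS:$2"
}

# report CERT HOSTNAME  ->  prints the verdict for one certificate
report() {
    if cert_has_san "$1" "$2"; then
        echo "$1: SAN lists DNS:$2"
    else
        echo "$1: no SAN for $2 (Chrome 58+ shows ERR_CERT_COMMON_NAME_INVALID)"
    fi
}

# Demo: one certificate with a SAN, one with only a CN.
workdir=$(mktemp -d)
mkdir "$workdir/san" "$workdir/cn-only"
make_cert "$workdir/san" localhost yes
make_cert "$workdir/cn-only" localhost no
report "$workdir/san/localhost.crt" localhost
report "$workdir/cn-only/localhost.crt" localhost
rm -rf "$workdir"
```

Running `cert_has_san` against a regenerated `server.pem` shows whether the extension actually made it into the certificate rather than only into the config.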

wilga May 18, 2017

Here is a Windows script to generate the self-signed certificate with openssl:
makeCert.bat

It will create these files: example.cnf, example.crt, example.key

cdosborn added a commit to cdosborn/ansible-tls-cert that referenced this issue May 19, 2017

Satisfy new requirements for Chrome to accept a self-signed certificate
Provide a SAN field to satisfy Chrome's net::ERR_CERT_COMMON_NAME_INVALID
See webpack/webpack-dev-server#854

Create a private key with 2048 bits to satisfy Chrome's net::ERR_CERT_WEAK_KEY

diff --git a/tasks/deploy-selfsigned.yml b/tasks/deploy-selfsigned.yml
@@ -8,12 +16,12 @@
 - name: Self-signed certificate and private key created
   tags: [selfsigned-cert-created]
   command: >
-    openssl req -new
+    openssl req
+    -config "{{ role_path }}/build/openssl-req.cnf"
+    -newkey rsa:2048
     -x509
     -nodes
-    -extensions v3_ca
     -days 3650
-    -subj "/"
     -keyout {{ TLS_PRIVKEY_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.key
     -out {{ TLS_CERT_DEST_DIR }}/{{ TLS_DEST_BASENAME }}.crt
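
Review bot: the SAN this commit is meant to provide depends entirely on `build/openssl-req.cnf`, which the hunk does not show: on the `openssl req` command, `-extensions v3_ca` and `-subj "/"` are dropped and only `-config` is added. Because `-x509` is still passed, the SAN reaches the certificate only if that config's `[req]` section names an `x509_extensions` section containing `subjectAltName` (a `req_extensions` entry alone applies to CSRs), and with no `-subj` the config also needs `prompt = no` and a `distinguished_name` section or the task will wait on stdin. Suggest adding the cnf to the same change, plus a follow-up task that runs `openssl x509 -noout -text` on the generated certificate and fails when `Subject Alternative Name` is absent.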

cdosborn added a commit to cdosborn/ansible-tls-cert that referenced this issue May 22, 2017

zrubinrattet Jun 2, 2017

Took me a moment to figure out (with help from this post) that because I'm using a virtual host set up via MAMP Pro I had to change that command a bit to output key and crt files (to plug into MAMP Pro's SSL tab) and I had to make sure I inputted the correct name of the virtual server (wherever you see "yoursite.dev").

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout yoursite.key \
    -new \
    -out yoursite.crt \
    -subj /CN=yoursite.dev \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:yoursite.dev')) \
    -sha256 \
    -days 3650

finkunlimited Jun 29, 2017

Hi Folks, for us beginner tech folk who have only ever used MAMP Pro and are now pulling our hair out as we cannot access our production site, is there a step-by-step guide explaining where and how to make these changes?

Thanks.

shellscape Aug 9, 2017

Contributor

Original issue as reported should be resolved in 400b289. Closing due to age and commit.

@shellscape shellscape closed this Aug 9, 2017

afhole Aug 9, 2017

Is the resolution included in v2.7.1?

shellscape Aug 9, 2017

Contributor

That commit is in the latest version, yes.

k0a1a Aug 10, 2017

Here is a solution that works for me:

https://ram.k0a1a.net/self-signed_https_cert_after_chrome_58

Tested on Debian/Apache2.4 + Debian/Chromium 59

afhole Aug 10, 2017

So the cert generated by dev server automatically still doesn't work with latest Chrome?

shellscape Aug 10, 2017

Contributor

@afhole not sure where you got that. works fine for me.

afhole Aug 10, 2017

@shellscape Oh cool, glad it's sorted. In 2.7.1 I am still getting ERR_CERT_COMMON_NAME_INVALID. I wonder if I have the cert cached somewhere? Is there anything I need to do to clear the cache and generate a new cert?

shellscape Aug 10, 2017

Contributor

@afhole I'm not sure about that one I'm afraid.

afhole Aug 10, 2017

@shellscape Sorry, just to clarify - you no longer have errors with Subject Alternative Name missing and ERR_CERT_COMMON_NAME_INVALID? I just deleted ssl/server.pem and it regenerated, to no avail.

shellscape Aug 10, 2017

Contributor

Correct

afhole Aug 10, 2017

With localhost right? Has anyone else had success/failure with 2.7.1?

accentureChris Aug 14, 2017

We're unable to upgrade to 2.7.1 currently. Any cross-platform guidance? I've tried several guides/openssl cert/key generation.

paulca added a commit to paulca/webpack-dev-server that referenced this issue Aug 16, 2017

Add subjectAltName to self-signed certificate for https
This fixes #854 and #906 by adding a subjectAltName matching
the commonName for the self-signed cert.

stphnlee added a commit to stphnlee/stphnlee.github.io that referenced this issue Sep 14, 2017

Added key for SSL
Kept getting error when trying to load page in Chrome. Found this help:

 webpack/webpack-dev-server#854

stphnlee added a commit to stphnlee/stphnlee.github.io that referenced this issue Sep 14, 2017

Once again with the key
Adding "-extensions SAN" per jesstelford's comment on webpack/webpack-dev-server#854

paillave Sep 24, 2017

I am facing the issue. Whatever I try doesn't work; I still have this ERR_CERT_AUTHORITY_INVALID after any solution I apply from the net.
Something puzzles me: why doesn't IIS Express face this issue? If I understand correctly, if IIS Express works, this means that, as a matter of fact, it is possible to provide a certificate that can be accepted by Chrome. Why is the certificate provided by webpack-dev-server refused even if it is trusted? BTW, I don't believe we should even create a certificate ourselves for a development server.

zijuexiansheng Sep 24, 2017

@paillave Chrome has some cache issue with certificates. Try rebooting your computer, or remove the cert cache and then reboot.

afhole Sep 25, 2017

@paillave FWIW I still can't get it to work in Chrome 61/macOS 10.12.6, not sure what else to try

afhole Sep 25, 2017

Finally I got this to work with webpack-dev-server@2.8.2
I loaded it in Safari and set it to Always Trust for SSL and now it works in Chrome.
It shows as a root CA, is that correct?

k0a1a Sep 27, 2017

You can as well add the cert using Chrome/Chromium
https://ram.k0a1a.net/self-signed_https_cert_after_chrome_58#add_cert_to_the_browser
(although I'm not sure if it works on OSX the same way it does on Linux)

stevenfitzpatrick Sep 30, 2017

Still getting the issue with the latest Chrome and latest webpack regarding ERR_CERT_COMMON_NAME_INVALID.

So I am trying to generate a self-signed cert.

What wasn't clear from this thread is where you are placing the self-signed cert?

Are you replacing the cert in node_modules/webpack-dev-server/ssl/server.pem or like this

https: {
      ca: fs.readFileSync('server.pem')
    },

wenJanus Nov 20, 2017

I have the same problem when I use headless mode. Does anybody have a solution?
09:24:07.722 DEBUG selenium-nodejs.HomePage: navigate
[1120/092408.090:VERBOSE1:network_delegate.cc(31)] NetworkDelegate::NotifyBeforeURLRequest: https://localhost/home
[1120/092408.403:VERBOSE1:navigator_impl.cc(242)] Failed Provisional Load: https://localhost/home, error_code: -501, error_description: , showing_repost_interstitial: 0, frame_id: 1

@mehrdaad

@stephanvierkant managed to fix it?

baona95 Mar 14, 2018

@k0a1a Thank you so much! I've spent much time on this, you just saved my day.

czebiniak Mar 16, 2018

This is such a bullshit issue. This doesn't increase security in my CA at all. Forcing me to add a subject alternative name? WTF are you thinking Google? I'm done with Chrome. This on top of Chrome blocking all https in 2 months... Literally insane.
