 

NET::ERR_CERT_AUTHORITY_INVALID in Chrome not incognito and Firefox locally with valid certs on nginx

A couple of weeks ago we implemented the SameSite cookie policy to our cookies. If I want to develop locally, I needed a certificate to get the cookies.

We're running a Node express server, and that is reverse-proxied through an nginx configuration where we add the cert.

# Server configuration
#
server {
    listen 443;
    server_name test-local.ad.ourdomain.com;
    ssl_certificate           /home/myname/.certs/ourcert.crt;
    ssl_certificate_key       /home/myname/.certs/ourkey.rsa;
    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_pass          http://localhost:9090;
        proxy_read_timeout  90;
        proxy_redirect      http://localhost:9090 https://test-local.ad.ourdomain.com;
    }
}

Now to the weird part. We updated to Chrome 80 today, and all of a sudden I got an HSTS issue. I was unable to access the site even if I wanted to (no opt-in possibility). I tried to clear that inside chrome://internals/#hsts, and that worked. However, I still get NET::ERR_CERT_AUTHORITY_INVALID, but I now have the opt-in alternative.

Accessing it from Chrome Incognito mode works like a charm, no issues there. Same with Firefox, no issues there either. It says Certificate is Valid, green and pretty. Checked here as well: https://www.sslshopper.com/certificate-decoder.html and it's 100% green.

I'm running Ubuntu 19.10 using Regolith.

My colleagues are using the same cert, also Chrome 80, but they're running Mac, and there are no issues there in Chrome.

Any idea? I tried to clear Browser settings, no change.

petur asked Feb 05 '20 11:02



1 Answer

I have some great news!

We're using the same cert on our cloud dev environments (however, they are in pfx form). Locally I run Linux as mentioned, and I had to convert the pfx to an RSA file and a CRT file.

I entered our dev domain on this site: https://whatsmychaincert.com/ and it downloaded a *.chain.crt file. Together with my old crt file, and this command:

cat example.com.crt example.com.chain.crt > example.com.chained.crt

In Nginx I then referenced the .chained.crt file.

Now Chrome accepts my local, secure webpage.

petur answered Oct 01 '22 22:10
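Why the concatenation in the answer matters, as an added example that is not part of the original post: a server that sends only the leaf certificate leaves each client to find the intermediate on its own, so results can differ between clients. The script builds a constructed root/intermediate/leaf hierarchy (the `demo-*` names and all function names are assumptions for illustration) and checks three candidate `ssl_certificate` files, going slightly beyond the answer by also catching a bundle concatenated in the wrong order.

```shell
#!/bin/sh
# Added example: every key, certificate and name below is constructed for the demo.

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
make_demo_pki() {
  printf '[req]\ndistinguished_name=req\n' > "$1/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  for n in root int leaf; do   # one key and CSR per certificate
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
      -subj "/CN=demo-$n" -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -set_serial 2 -days 2 -extfile "$1/ca.ext" \
    -out "$1/example.com.chain.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/example.com.chain.crt" \
    -CAkey "$1/int.key" -set_serial 3 -days 2 -out "$1/example.com.crt" 2>/dev/null
}

# True if the first certificate in bundle $2 chains to trust anchor $1 using
# only the other certificates in that same bundle as intermediates.
served_chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>/dev/null | grep -q ': OK$'
}

# True if the first certificate in bundle $1 belongs to private key $2
# (nginx requires the server certificate to come first in ssl_certificate).
leaf_is_first() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Print a verdict for bundle $2 (trust anchor $1, server private key $3).
check_bundle() {
  if ! leaf_is_first "$2" "$3"; then echo "server certificate is not first"
  elif ! served_chain_ok "$1" "$2"; then echo "intermediate missing"
  else echo "ok"; fi
}

d=$(mktemp -d) && make_demo_pki "$d" || exit 1
cat "$d/example.com.crt" "$d/example.com.chain.crt" > "$d/example.com.chained.crt"
cat "$d/example.com.chain.crt" "$d/example.com.crt" > "$d/wrong-order.crt"
for f in example.com.crt example.com.chained.crt wrong-order.crt; do
  printf '%-24s %s\n' "$f" "$(check_bundle "$d/root.crt" "$d/$f" "$d/leaf.key")"
done
```

Against a real certificate, pass the CA's root certificate as the trust anchor instead of the demo root.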