A couple of weeks ago we implemented the SameSite cookie policy for our cookies. If I wanted to develop locally, I needed a certificate to get the cookies.
We're running a Node Express server that is reverse proxied to an nginx configuration where we add the cert.
    # Server configuration
    #
    server {
        listen 443;
        server_name test-local.ad.ourdomain.com;
        ssl_certificate /home/myname/.certs/ourcert.crt;
        ssl_certificate_key /home/myname/.certs/ourkey.rsa;
        ssl on;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://localhost:9090;
            proxy_read_timeout 90;
            proxy_redirect http://localhost:9090 https://test-local.ad.ourdomain.com;
        }
    }
Now to the weird part. We updated to Chrome 80 today, and all of a sudden I got an HSTS issue. I was unable to access the site even if I wanted to (no opt-in possibility). I tried to clear that inside chrome://internals/#hsts, and that worked. However, I still get NET::ERR_CERT_AUTHORITY_INVALID, but I now have the opt-in alternative.
Accessing it from Chrome Incognito mode works like a charm, no issues there. Same with Firefox, no issues there either. It says Certificate is Valid, green and pretty. Checked here as well: https://www.sslshopper.com/certificate-decoder.html and it's 100% green.
I'm running Ubuntu 19.10 using Regolith.
My colleagues are using the same cert, also Chrome 80, but they're running Mac, no issues there in Chrome.
Any idea? I tried to clear Browser settings, no change.
This message is the NET::ERR_CERT_AUTHORITY_INVALID error. The error can be caused by an issue with your network, device or browser that stops the SSL certificate being properly read. It can also be caused by an invalid certificate on the website's end.
Navigate to the site with the cert you want to trust, and click through the usual warnings for untrusted certificates. In the address bar, right click on the red warning triangle and "Not secure" message and, from the resulting menu, select "Certificate" to show the certificate.
I have some great news!
We're using the same cert on our cloud dev environments (however, they are in pfx form). Locally I run Linux as mentioned, and I had to convert the pfx to an RSA file and a CRT file.
I entered our dev domain on this site: https://whatsmychaincert.com/ and it downloaded a *.chain.crt file. Together with my old crt file, and this command:

    cat example.com.crt example.com.chain.crt > example.com.chained.crt

In Nginx I then referenced the .chained.crt file.
Now Chrome accepts my local, secure webpage.
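
A way to check a concatenated file like the one above before pointing nginx's `ssl_certificate` at it, as an added example that is not part of the original posts. It assumes the `openssl` CLI is installed; the function names `dn`, `check_chain` and `make_demo_certs` and the demo certificate names are made up here, and the demo certificates are constructed throwaway ones.

```shell
#!/bin/sh
# Added example (not from the original posts). Requires the openssl CLI.

# dn issuer|subject FILE: print that DN of a PEM certificate without its label.
dn() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[^=]*= *//'; }

# check_chain FILE: print a verdict for the bundle nginx would serve.
#   ok          leaf first, every certificate issued by the one after it
#   leaf-only   a single certificate, so no intermediates are sent
#   misordered  some certificate is not issued by the next one in the file
#   empty       no PEM certificate found
check_chain() {
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one numbered file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%03d.pem", dir, ++n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }' "$1"
    verdict=ok; prev=; n=0
    for cert in "$tmp"/*.pem; do
        [ -e "$cert" ] || { verdict=empty; break; }
        n=$((n + 1))
        # Each certificate's issuer must be the subject of the next one.
        if [ -n "$prev" ] && [ "$(dn issuer "$prev")" != "$(dn subject "$cert")" ]; then
            verdict=misordered; break
        fi
        prev=$cert
    done
    if [ "$verdict" = ok ] && [ "$n" -eq 1 ]; then verdict=leaf-only; fi
    rm -rf "$tmp"
    echo "$verdict"
    [ "$verdict" = ok ]
}

# Constructed sample input: a throwaway CA and a leaf it signs, written to DIR.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test-local.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}

# Usage: sh check_chain.sh example.com.chained.crt
[ $# -eq 0 ] || check_chain "$1"
```

A `leaf-only` verdict matches the situation in the question: the server sends only its own certificate, and a client that cannot build the path to a trusted root on its own reports an authority error.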