Self-signed certificate failing under Chrome

posted by 11 months ago and updated 10 months ago

One of our development servers started playing funny games today. Want to waste a day? Spend it figuring out SSL certificates.

It all used to work, but as always, something broke. We had to mend it to do our job. Usually the SSL error would squawk because the certificate is self-signed and not added as a trusted certificate. But usually we would also get a link to Proceed to www.company.dev. Chrome reports that the site uses HSTS which we know we weren't.

Please do not use under production, If you want a free SSL use letsencrypt

Let's get cracking now with generating the SSL. Our certificates on this development server are under /etc/nginx which made things a lot easier.

Go to the terminal and...

cd /etc/nginx/

Create a file req.conf and enter the following. You can update the values to whatever you need. Pay attention to CN and alt_names.

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.dev
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.dev
DNS.2 = company.dev

Go back to the terminal and regenerate the key.

openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout company.dev.key -out company.dev.crt -days 3650 -config req.conf 

# better reload the server
service nginx reload

If one of the SSL errors you get is NET::ERR_CERT_AUTHORITY_INVALID, you probably need to add the certificate to your local machine. This is beyond the scope of this tutorial. A little tip is to save the crt file of your certificate.

cat example.dev.crt

Depending on your platform there are different ways of doing it. Since we were messing around with the certificates of the server we might as well just save it and use it. Or follow our guide in the link below.


Want to read more? Follow these links.
How to save an SSL certificate with a Mac

Tags: