One of our development servers started playing funny games today. Want to waste a day? Spend it figuring out SSL certificates.
It all used to work, but as always, something broke, and we had to mend it to do our job. Usually Chrome squawks because the certificate is self-signed and not added as a trusted certificate, but we would also get a link to "Proceed to www.company.dev". This time Chrome reported that the site uses HSTS, which we knew we had not set up.
Please do not use this in production. If you want a free SSL certificate, use Let's Encrypt.
Let's get cracking now with generating the SSL certificate. Our certificates on this development server are under /etc/nginx, which made things a lot easier.
Go to the terminal and...
Create a file req.conf and enter the following. You can update the values to whatever you need. Pay attention to

    [req]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_req
    prompt = no

    [req_distinguished_name]
    C = US
    ST = VA
    L = SomeCity
    O = MyCompany
    OU = MyDivision
    CN = www.company.dev

    [v3_req]
    keyUsage = critical, digitalSignature, keyAgreement
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = www.company.dev
    DNS.2 = company.dev

Go back to the terminal and regenerate the key.

    openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout company.dev.key -out company.dev.crt -days 3650 -config req.conf
    # better reload the server
    service nginx reload

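Before reloading nginx it is worth confirming that the new key and certificate belong together and that every hostname from [alt_names] actually landed in the certificate, since browsers match the hostname against subjectAltName. The script below is an added example, not part of the original post; the function names are hypothetical and it assumes only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: sanity checks for the certificate generated above.
# Function names are hypothetical; only the openssl CLI is assumed.
# Usage, from the directory holding the files:
#   check_cert company.dev.crt company.dev.key www.company.dev company.dev \
#       && service nginx reload

# Succeeds only if the certificate and the private key carry the same public key.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Succeeds only if the exact DNS name $2 is listed in the certificate's SAN entries.
# Splitting on commas and matching whole lines avoids substring false positives.
san_has_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# check_cert CRT KEY NAME...  -> returns 0 when every check passes.
check_cert() {
    crt=$1
    key=$2
    shift 2
    key_matches_cert "$crt" "$key" ||
        { echo "FAIL: $key does not match $crt"; return 1; }
    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $crt is expired or unreadable"; return 1; }
    for name in "$@"; do
        san_has_name "$crt" "$name" ||
            { echo "FAIL: $name is missing from subjectAltName"; return 1; }
    done
    echo "OK: $crt matches $key and covers: $*"
}
```

A failure on the first check usually means nginx is still pointing at an old key file, which would make the reload fail or keep serving the previous certificate.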
If one of the SSL errors you get is NET::ERR_CERT_AUTHORITY_INVALID, you probably need to add the certificate to your local machine. This is beyond the scope of this tutorial. A little tip is to save the crt file of your certificate.
Depending on your platform there are different ways of doing it. Since we were messing around with the certificates of the server we might as well just save it and use it. Or follow our guide in the link below.
Want to read more? Follow these links.
How to save an SSL certificate with a Mac