2

I have asked a similar question here before. But the solution provided has stopped working. I am trying to get ssl certificates for local hosts. I do not need them to be official, they only need to work on my local machine.

I develop websites and all my local copies of are in the form domain.local.

I have already discovered that Chrome is not going to allow a *.local certificate.

Until I upgraded to chromium 63, the following process was working fine:

conf/caconfig.cnf

#.................................. [ ca ] default_ca = CA_default [ CA_default ] dir = /home/*****/Sites/root-ca serial = $dir/serial database = $dir/index.txt new_certs_dir = $dir/certs certificate = $dir/certs/cacert.pem private_key = $dir/private/cakey.pem default_days = 3000 default_md = sha256 preserve = no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match copy_extensions = copyall [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 2048 # Size of keys default_keyfile = key.pem # name of generated keys default_md = md5 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] # Variable name Prompt string #------------------------- ---------------------------------- 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) emailAddress = Email Address emailAddress_max = 40 localityName = Locality Name (city, district) stateOrProvinceName = State or Province Name (full name) countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 commonName = Common Name (hostname, IP, or your name) commonName_max = 64 # Default values for the above, for consistency and less typing. # Variable name Value #------------------------ ------------------------------ 0.organizationName_default = ***** localityName_default = ***** stateOrProvinceName_default = ***** countryName_default = ***** emailAddress_default = ***** [ v3_ca ] basicConstraints = CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always subjectAltName = @alternate_names [ v3_req ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" [ alternate_names ] DNS.1 = site1.local DNS.2 = site2.local DNS.3 = site3.local DNS.4 = site4.local

Create certificate authority

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out certs/cacert.pem -days 3000 -config conf/caconfig.cnf

When prompted

Common Name (hostname, IP, or your name) []:Jonathan Hodgson

Create Request

openssl req -extensions v3_req -new -nodes -out local.req.pem -keyout private/local.key.pem -config conf/caconfig.cnf

When Prompted

Common Name (hostname, IP, or your name) []:*.local

Sign Request

openssl ca -out certs/local.cert.pem -config conf/caconfig.cnf -infiles local.req.pem

Relevant Part of Apache Config

<VirtualHost *:443> ServerName test.local ServerAlias *.local VirtualDocumentRoot /home/jonathan/Sites/%-2/public_html CustomLog /home/jonathan/Sites/access.log vhost_combined ErrorLog /home/jonathan/Sites/error.log SSLEngine On SSLCertificateFile /home/jonathan/Sites/root-ca/certs/local.cert.pem SSLCertificateKeyFile /home/jonathan/Sites/root-ca/private/local.key.pem </VirtualHost>

I then import the certs/cacert.pem file into the browsers certificate manager as an authority.

This works fine in Chrome 61 and Firefox 55 but doesn't work in Chromium 63. Although I can't confirm it, I am also confident that it worked in Chromium 62 meaning it is something that has changed in Chromium 63.

Chromium 63 SSL Problem

Interestingly, the security panel of dev-tools seems to imply that the certificate is ok:

Chrome Dev Tools Security panel

Edit: As Requested by @garethTheRed

$ openssl x509 -noout -text -in certs/local.cert.pem Certificate: Data: Version: 1 (0x0) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: O = Jonathan Hodgson Ltd, emailAddress = ########, L = #########, ST = #######, C = GB, CN = Jonathan Hodgson Validity Not Before: Sep 21 10:18:36 2017 GMT Not After : Dec 8 10:18:36 2025 GMT Subject: C = GB, ST = #######, O = Jonathan Hodgson Ltd, CN = *.local Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e8:2c:e0:9e:e2:3e:6b:d6:2d:37:ab:a3:92:96: 46:ee:7e:77:6c:4b:04:6b:7e:ba:5c:a5:d6:4b:03: a2:6a:54:12:c9:ff:2a:dc:12:8b:ee:f6:16:7b:28: f8:78:ec:df:7b:29:09:b9:01:56:d3:08:b7:5a:46: fe:1f:70:13:63:47:3c:f6:fe:f1:f4:0e:16:b8:5d: 8e:72:fa:c8:c3:07:eb:9c:61:66:63:52:19:47:66: ef:bb:99:f7:cb:21:c6:b8:f3:84:c2:65:49:d9:b5: fb:1d:75:dd:8a:79:b1:f8:02:e1:59:ae:ce:b8:7a: 1b:54:7b:58:58:cb:f8:ab:bf:7f:97:b3:0c:8f:c2: b0:ee:ee:24:5b:7a:9d:b0:9a:ed:c7:56:52:72:f1: ac:d2:f5:06:3a:5e:07:f6:f0:12:70:bc:4d:4b:bb: 99:b7:81:b7:e8:58:f1:a1:4a:2e:41:ee:1b:a4:9e: e0:a7:0b:51:d5:94:5d:54:36:83:bd:38:9d:1d:4d: e2:d8:4d:b0:b1:df:2b:42:1d:71:46:94:77:4a:c3: 19:1e:04:3d:29:2c:0b:c3:96:aa:9f:a1:b9:5a:a8: 37:8d:8a:7c:71:32:64:c4:d3:85:d3:78:0e:f3:9c: 8f:05:d7:5a:03:1b:67:d6:42:3b:3f:0e:cc:95:f3: 2d:cf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 5C:17:CD:7A:5D:9F:DC:01:DF:37:3E:7C:3D:61:50:CB:7D:0C:78:87 X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Subject Alternative Name: DNS:fellowship.local, DNS:magento-vanilla.local, DNS:dotjs.local, DNS:dotcss.local Netscape Comment: OpenSSL Generated Certificate Signature Algorithm: sha256WithRSAEncryption 4d:f2:7c:bf:68:72:63:ad:e8:82:d3:59:0b:28:4d:22:f9:a4: a4:64:49:5e:f2:8a:29:09:21:2f:2e:c8:41:e9:8b:fb:52:ed: b4:8d:38:22:ad:3b:fa:2d:6f:d6:71:90:2a:cf:a0:86:20:b9: 41:12:b2:e6:20:1b:88:a1:da:40:27:a0:89:a8:8e:51:38:ed: 16:ab:96:6b:15:bd:80:96:32:5c:e9:a3:42:88:22:b4:98:f6: f1:07:0b:8c:35:44:36:65:f5:21:56:f8:68:22:3c:7e:49:c6: 8e:1d:da:28:7a:fa:e0:15:d2:69:a9:13:0f:e1:de:ee:3b:0f: ef:b9:2e:09:49:af:88:ce:2f:c0:d2:79:7a:9c:7a:31:1d:34: bc:af:70:9d:da:63:bc:10:c1:9e:12:4f:90:03:37:c4:ea:b4: d6:f0:fc:c3:94:ac:95:e2:ab:bd:54:62:dd:cb:58:96:b2:92: f9:7c:bc:21:e4:a4:a9:d0:70:83:62:b3:98:fd:20:e1:e5:37: 0b:95:3a:28:3d:41:17:03:47:c2:c1:f3:4a:59:da:eb:d8:55: d6:a9:9b:83:e5:49:3d:23:92:91:98:14:2e:d5:06:55:d9:77: 90:48:21:ec:1b:9e:1b:84:85:36:ec:4f:86:50:de:fb:71:d9: 2a:06:9f:77

I have #ed out my email and location

Edit 2:

Here is the new certificate I have generated with a new CN and serial number.

Certificate: Data: Version: 1 (0x0) Serial Number: 2 (0x2) Signature Algorithm: sha256WithRSAEncryption Issuer: O = Jonathan Hodgson Ltd, emailAddress = ##########, L = ######, ST = ######, C = #########, CN = JonathanHodgsonAuthority Validity Not Before: Sep 25 13:13:46 2017 GMT Not After : Dec 12 13:13:46 2025 GMT Subject: C = GB, ST = ########, O = Jonathan Hodgson Ltd, CN = MyNewCN Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ae:b3:b5:18:06:e5:91:05:90:80:57:6a:8d:78: 50:94:09:b6:73:e6:4c:4e:5f:8c:f0:e3:8e:5b:bb: 09:f7:4c:6d:c2:c4:4a:ba:bb:7d:c3:53:1c:98:98: 2a:ea:be:8a:7f:cd:de:58:d8:74:2b:c1:5c:a9:44: 24:17:49:7e:6a:87:8d:a0:55:f8:71:b3:93:e3:b2: fe:5b:88:7a:2a:45:15:3e:eb:94:c7:a2:26:74:db: 9e:58:84:45:cc:db:f9:4b:51:22:25:c0:27:ca:47: 76:6e:05:a6:5b:6d:74:a2:92:0e:67:d4:5c:bf:08: cf:78:d9:95:f2:55:d1:ec:d4:78:ff:02:64:16:b9: 79:44:06:39:4e:bb:d0:a2:9d:91:93:b5:43:68:39: f2:22:f3:0a:b4:eb:5c:1b:d1:54:51:4f:ac:23:43: 08:66:8e:a3:57:8c:51:ab:12:ec:7d:32:de:1f:a8: e1:d8:99:c6:b2:94:87:e0:7a:8e:80:75:fe:44:10: e6:1c:86:dd:90:c9:1f:0e:2f:3f:3e:fb:af:c7:dc: 0a:60:d3:2c:78:a3:62:0f:9a:e6:91:12:bc:e3:1c: 77:a7:31:04:23:b3:82:11:3c:d4:cc:5e:ae:71:fd: 8f:7c:12:b5:88:33:92:f5:6b:71:6f:cb:0b:93:bd: 13:b1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 6E:66:B9:C8:57:03:81:E4:2D:99:7C:78:28:B1:E3:36:D4:4B:C5:76 X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Subject Alternative Name: DNS:fellowship.local, DNS:magento-vanilla.local, DNS:dotjs.local, DNS:dotcss.local Netscape Comment: OpenSSL Generated Certificate Signature Algorithm: sha256WithRSAEncryption 4d:73:39:76:88:5e:01:d5:80:8e:4e:b9:11:2d:99:6f:a5:6a: f9:6f:1b:07:e4:7c:5e:ca:24:36:c0:55:bf:10:71:c8:57:0b: 16:67:97:75:80:ce:7b:f2:d7:38:6f:cd:d3:00:7d:5a:76:db: 7f:90:ad:12:47:8a:e6:4c:b0:16:cb:ab:be:89:4c:3f:6d:7d: a0:72:a2:18:93:8a:1c:a8:b9:12:70:c8:b2:8d:81:49:61:62: 80:b1:04:c3:a2:de:22:d2:7f:2d:65:6e:1d:49:6a:65:7c:3f: 2f:8b:9f:5f:6d:1d:4b:c5:04:ad:37:c9:e4:c3:1b:5e:03:0e: 60:8b:6c:09:46:71:e1:02:b9:94:9c:14:87:94:aa:e0:93:05: b9:df:f6:c2:99:b4:c8:62:c0:49:bb:97:dc:b9:a7:75:4e:55: d8:06:49:07:2d:d4:7e:cf:be:89:63:f6:91:22:ca:e0:d5:65: e4:73:88:0a:c1:d9:d5:a0:75:db:b3:41:d6:05:cb:62:7b:19: 01:de:62:d2:4d:7d:86:88:32:a8:8e:84:f6:96:6a:53:77:31: 7a:62:46:66:6a:7b:56:0e:89:77:0b:fb:e0:34:f3:ae:f2:08: c5:81:ab:dd:3e:19:0a:59:eb:b2:44:e7:c8:f0:a5:30:a2:ae: 06:f3:e1:9e
Improve this question
7
  • Thanks for feedback. I do actually have fellowship.local in the config file. The config I provided is supposed to be a generalised version so it would be easier for someone else to pick it up and use themselves. Sorry for confusion Commented Sep 22, 2017 at 10:19
  • Add a dump of the certificate (obfuscated) to your question. Create it with openssl x509 -noout -text -in <cert file>. Commented Sep 22, 2017 at 12:31
  • @garethTheRed, I have added the certificate local.cert.pem. I hope this is what you wanted Commented Sep 22, 2017 at 12:45
  • Thanks @garethTheRed for your feedback. I have tried changing the Common Name and removing basicConstraints = CA:FALSE and nsComment = "OpenSSL Generated Certificate" with no luck. The problem might be with the serial number. I am quite new to how SSL certificates work so I have been following some advise from a friend who said that for use on a local machine, it was easier to just reset serial and index.txt each time I need to add a domain, rather than worrying about revoking certificates. Do you think this could be the cause? Commented Sep 25, 2017 at 8:16
  • @garethTheRed I have created another certificate without resetting index and serial. As you can see, the serial number is now 2. I had to give it a new CN again, or I was getting failed to update database TXT_DB error number 2. This hasn't helped unfortunately. Commented Sep 25, 2017 at 13:17

1 Answer 1

Reset to default
3
+50

You are seeing this message because your certificate is a version 1 certificate but includes extensions (extensions were introduced in version 3 of the X.509 standard).

This seems to be a feature of the OpenSSL CA command. It will only set the version to 3 if it believes it has added an extension to the certificate. If it simply copies an extension from the request through to the certificate using the copy_extensions = copyall (or = copy) option, it seems to fail to spot that the generated certificate has an extension and marks it as version 1. I've raised a bug report for this (which was fixed in a matter of hours!).

Either recompile OpenSSL with the patch applied, or to work around this, define an extension section in your config file, but don't define any extensions within that section. Add a line to the [ CA_defaults ] section as follows:

x509_extensions = cert_ext

At the bottom of the file, define an empty cert_ext section:

[ cert_ext ]

Any certificates you now generate will be version 3 and Chrome 63 won't complain.

Note that you cannot downgrade to version 1 certificates (without extensions) as Chrome has stopped accepting hostnames in the Subject's commonName field (which is how they were defined in the absence of a Subject Alternate Names extensions) since Chrome version 58. Firefox, on the other hand, will quite happily work with version 1 certificates.

Improve this answer
1
  • Similar to unix.stackexchange.com/questions/371997/… except (1) I wasn't ambitious enough to file a bug and (2) even with v3 and SAN correct, a wildcard in .local still caused trouble -- this Q didn't ask for wildcard. Commented Sep 27, 2017 at 4:09

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.