BonBon Slick, 2021-07-05 13:23:17
Google Chrome

Self-signed certificate no longer works locally?

Tried

sudo openssl req -x509 -newkey rsa:4096 -x509 -sha256  -keyout domain.com.key -out domain.com.pem -days 3650 -nodes
Generating a RSA private key
....................................................++++
............................................................................................................................++++
writing new private key to 'localdomain.com.key'
-----
You are about to be asked to enter information that will be incorporated
...
-----
Country Name (2 letter code) [AU]:ua
State or Province Name (full name) [Some-State]:kh***
Locality Name (eg, city) []:***
Organization Name (eg, company) [Internet Widgits Pty Ltd]:localdomain co
Organizational Unit Name (eg, section) []:localdomain
Common Name (e.g. server FQDN or YOUR name) []:localdomain.com
Email Address []:***

It doesn't matter what the output format is: one .pem, or .pem + .key, or .key + .crt, all now produce NOT SECURED in both Chrome and Mozilla FF.
Naturally, the .pem and .crt certificates were added manually to Authorities, with nginx and browser restarts.
And nevertheless, it gives out all the time:
Your connection is not private

This page is not secure (broken HTTPS).

Certificate - Subject Alternative Name missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Certificate - missing
This site is missing a valid, trusted certificate (net::ERR_CERT_COMMON_NAME_INVALID).

Connection - secure connection settings
The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with X25519, and AES_256_GCM.
Resources - all served securely
All resources on this page are served securely.


Note: https://chrome/flags/#allow-insecure-localhost is enabled in Chrome but not working, zero effect.

openssl config /etc/ssl/localcerts/domains.ext:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = domain.loc
DNS.3 = domain.com
DNS.4 = api.domain.com


The domain is specified in hosts: 127.0.0.1 domain.com
nginx serves it with the certificate ssl_cert domain.com.pem and the key domain.com.key, where the CN (common name) given is domain.loc; in the ssl configs this domain is also shown. In the browser's Authorities you can see who issued it and where, that is, it was issued for a site with the domain.com domain, but when called from this address the certificate says ERR_CERT_COMMON_NAME_INVALID, some kind of nonsense. Nginx reads the configs and certificates correctly; this can be seen in the certificate details.
It feels like the browser can't read the imported Authorities and check them against what nginx is using.

server {
#       listen 8181;
#       listen [::]:8181;

        listen 443 ssl;
        listen [::]:443 ssl;

        ssl on;
        ssl_certificate /etc/ssl/localcerts/domain.com.pem;
        ssl_certificate_key /etc/ssl/localcerts/domain.com.key;

        root /var/www/domain/dist;
        index index.html index.htm;

        server_name domain.com;
}
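Chrome (since version 58) matches the hostname only against the subjectAltName extension and ignores the CN, so a certificate from plain `openssl req -x509` with no extension section gives exactly the "Subject Alternative Name missing" / ERR_CERT_COMMON_NAME_INVALID pair shown above; the domains.ext file in the question is never applied because the openssl command does not reference it. The following added example (not from the question or any answer; assumes OpenSSL 1.1.1 or newer for `-addext`) generates a self-signed certificate carrying the names from the asker's alt_names list and checks that the SAN is present before the cert is installed anywhere:

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1+ (-addext).
set -eu

# Generate a self-signed cert whose SAN lists every name it will be served under.
# $1 = output path prefix, $2 = comma-separated DNS names (first one becomes the CN)
gen_cert() {
  cn=$(printf '%s' "$2" | cut -d, -f1)
  san=$(printf 'DNS:%s' "$2" | sed 's/,/,DNS:/g')
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$cn" \
    -addext "subjectAltName=$san" \
    -addext "basicConstraints=CA:FALSE" \
    -addext "keyUsage=digitalSignature,keyEncipherment" 2>/dev/null
}

# The asker's original approach for comparison: CN only, no extension section.
gen_cert_cn_only() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}

# Print the SAN entries of a certificate, one per line (nothing if the extension is absent).
san_entries() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n +2 | tr -d ' ' | tr ',' '\n'
}

# Exit 0 only if the DNS name is listed in the SAN; this mirrors Chrome's check,
# which never falls back to the CN.
has_san() {
  san_entries "$1" | grep -qx "DNS:$2"
}

if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  gen_cert "$dir/good" "domain.com,api.domain.com,domain.loc,localhost"
  gen_cert_cn_only "$dir/bad" "domain.com"
  for c in good bad; do
    if has_san "$dir/$c.pem" domain.com; then echo "$c.pem: SAN ok"; else echo "$c.pem: SAN missing"; fi
  done
fi
```

A passing `has_san` only removes the name mismatch; the browser still warns until the certificate itself (or a local CA that signed it) is in its trust store.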


3 answer(s)
BonBon Slick, 2021-09-20
@BonBonSlick

https://qna.habr.com/q/1049518 additional description and steps to a solution.

Alexey Yarkov, 2021-07-05
@yarkov

I generate certificates to work locally using mkcert and everything works.

acwartz, 2021-07-05
@acwartz

My Apache script.
Create a subfolder in the Apache build root and put the .bat script there. One level above there should be a bin folder with openssl.exe, libeay32.dll and ssleay32.dll inside, and openssl.cnf in the same place.
Depending on the OpenSSL version, the dll names may be different; adjust them in the batch file accordingly so that the script can use a workable openssl.exe.
In the script, specify the target domain name in DOMAIN_NAME, as well as the IP address of your machine on the network in LAN_IP.
Write your data into the argument for -subj.
The script will copy the binaries by itself, create all the keys itself, register the certificate in the personal store and clear the DNS cache.
Specify in http.conf the key and certificate server.ssl./.key that the script will put in ./conf/
Profit. Firefox has its own certificate store, it seems; I didn't test it with that. With Chrome it works 100%, both locally and for everyone who connects to you over the local network.

@echo off
title SSL Self-signed gen.
SET DOMAIN_NAME=dev14.local.in
SET HOSTSFILE=%windir%\System32\drivers\etc\hosts
SET LAN_IP=127.0.0.1
SET APACHE_SSL_FILE=..\conf\server.ssl.crt
SET APACHE_SSL_KEY_FILE=..\conf\server.ssl.key
SET SSL_STORE=ROOT

echo Getting OpenSSL from apache bin...
copy ..\bin\libeay32.dll .\libeay32.dll
copy ..\bin\openssl.exe .\openssl.exe
copy ..\bin\ssleay32.dll .\ssleay32.dll
copy ..\conf\openssl.cnf .\openssl.cnf

rem add domain names as a SAN section appended to the copied openssl.cnf
rem (an IP address must be an IP: entry, not DNS:, or browsers will not match it)
echo [SAN] >> .\openssl.cnf
echo subjectAltName=DNS:localhost,DNS:%DOMAIN_NAME%,IP:%LAN_IP% >> .\openssl.cnf

echo Generating certificate for domain "%DOMAIN_NAME%"

rem remove the previously installed certificate (matched by serial number) from the store
for /F "tokens=3" %%s in ('certutil -dump %APACHE_SSL_FILE% ^| findstr ^"^^Serial^"') do (
   certutil -user -delstore "%SSL_STORE%" %%s
)

del .\server.key /f /q
del .\server.crt /f /q
del .\.rnd /f /q
rem self-signed cert; the SAN section is applied to both the request and the certificate
openssl req -config openssl.cnf -x509 -newkey rsa:2048 -keyout server.key -out server.crt -days 3650 -nodes -subj "/C=NULL/ST=NULL/L=NULL/O=NULL/OU=NULL/CN=%DOMAIN_NAME%" -reqexts SAN -extensions SAN
echo Copying keys "\server.ssl.crt" and "\server.ssl.key" to .\conf\

copy .\server.crt %APACHE_SSL_FILE% /y
copy .\server.key %APACHE_SSL_KEY_FILE% /y

rem install the new certificate into the trusted root store
certutil -addstore -f "%SSL_STORE%" %APACHE_SSL_FILE%

rem map the domain to this machine in the hosts file
echo 127.0.0.1 %DOMAIN_NAME% >> %HOSTSFILE%
echo %LAN_IP% %DOMAIN_NAME% >> %HOSTSFILE%

ipconfig /flushdns

:EOF
pause
