DevKinsta 2.8.0 SSL Certificate Not Valid

I’m finding that the certificate issued by the app is invalid in a couple of browsers. This started happening recently but what version of DevKinsta it was happening on first I’m not sure. I’m able to continue working locally with Safari.

Browser where invalid

  • Chrome 107.0.5304.87
  • Firefox 106.0.3

Browser where valid

  • Safari 16.0 (16614.1.25.9.10, 16614)

Actions taken:

  • I used this tool to check the PEM encoded chain and it returned Certificate is not valid.
  • I don’t if this helps (S&Gs) but I tried to add the PEM chain I’m seeing in the browser into /etc/ssl/cert.pem. I restarted the site but that didn’t seem to help.
  • Restarted DevKinsta
  • Turned off other Docker Containers and local envs.
  • Toggled the HTTPS setting ON/OFF on the Site Info page of the app

Is this an open issue currently or is there something else I can try?

Hardware:

  • Model Name: MacBook Pro
  • Model Identifier: MacBookPro16,2
  • Processor Name: Quad-Core Intel Core i7
  • Processor Speed: 2.3 GHz
  • Number of Processors: 1
  • Total Number of Cores: 4
  • L2 Cache (per Core): 512 KB
  • L3 Cache: 8 MB
  • Hyper-Threading Technology: Enabled
  • Memory: 16 GB
  • System Firmware Version: 1554.140.20.0.0 (iBridge: 18.16.14759.0.1,0)

WordPress

  • Version 5.9.3
  • PHP 7.4
  • Multisite

Simliar post: DevKinsta Version of Site Shows HTTPS "Not Secure" - Uh oh!

Recent Log output from devkinsta_nginx container:
2022/11/04 17:18:00 [warn] 1#1: the "http2_max_field_size" directive is obsolete, use the "large_client_header_buffers" directive instead in /etc/nginx/nginx.conf:16
2022/11/04 17:18:00 [warn] 1#1: the "http2_max_header_size" directive is obsolete, use the "large_client_header_buffers" directive instead in /etc/nginx/nginx.conf:17
2022/11/04 17:18:22 [warn] 1#1: the "http2_max_field_size" directive is obsolete, use the "large_client_header_buffers" directive instead in /etc/nginx/nginx.conf:16
2022/11/04 17:18:22 [warn] 1#1: the "http2_max_header_size" directive is obsolete, use the "large_client_header_buffers" directive instead in /etc/nginx/nginx.conf:17

Hi @sharpspring, thanks for reaching out. What is the full error? Does it look like this:

Is it just complaining that it’s a self-signed certificate or is it a different error code?

Same issue here. Similar setup, except for the processor which is an M1 Max. The error is:

NET::ERR_CERT_AUTHORITY_INVALID

Hi @dinu, thanks for sharing!
What error do you get within Firefox?
Also can you click on “Advanced” to proceed past that error?
Can you please share your OS and Browser versions as well?

Here is a potential solutions as well: macOS Catalina Chrome certificate error when browsing self signed sites – chrisdooks.com – a blog on virtually anything…

Hi @Kevin, thanks for the fast reply.

The certificate is already in Keychain with “Always Trust” selected.
I can skip the error by clicking Advanced > Proceed to test2.local (unsafe), but it was working fine by the end of last week, only today I noticed it.

I also use Local by Flywheel and I noticed that some sites are working, some are not working. The difference I noticed in the certificate in Keychain is this:

On Firefox it says MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

OS: macOS Monterey 12.6
Chrome: Version 106.0.5249.119 (Official Build) (arm64)
Firefox: 106.0.5 (64-bit)

Kevin, just confirming it’s the same issue as with user dinu

Firefox:

I also checked the cert in keychain and like dinu it’s already set to always trust

Thank you @dinu and @sharpspring.
Are you both on Monterey 12.6? Did either of you update to 12.6 right before the issues started? That’s my best guess right now but we’ll need to collect more data to be sure. I’ll ask our devs to review everything that is shared in this thread.

I will add that neither my Windows 10 or Windows 11 PCs are experiencing this, so it seems Mac specific for now.

Kevin,

I’m on Big Sur 11.6 and did not change versions before the issue started.

I’ve also found a workaround for Firefox

If you go to Firefox > Preferences > Privacy & Security you can add the server as an exception

Clicking View Certificates as seen in screenshot will allow you add the full domain name (including port value if different) as an exception which so far allows me to bypass the warning in browser.

1 Like

Thanks @sharpspring.
I’m at a loss here. We can’t blame the Chrome version since you aren’t all on the same one and it would only be an OS change if all of your OS’s received a security update automatically recently.

I’ll ask our developers to review again/see if we can reproduce this at all.

After reloading my Chrome it also displayed Version 107.0.5304.87 (Official Build) (arm64), although it was saying before that it was up to date with 106.0.5249.119 (Official Build) (arm64). I’m not sure if it was already updated in background and just not displaying the new version or not.

I haven’t updated macOS recently, and in System Report > Software > Installations the last auto update was a week before I noticed any issues.

1 Like

I also tried turning the site off in DevKinsta, turning off SSL and HTTPS, and deleting the cert from keychain. I then deleted the cookies from my Chrome browser. Finally I turned on SSL and afterwards the site itself both through the DevKinsta app. This did not work for me.

For Chrome users try this:

  1. When you see the Error screen with NET::ERR_CERT_INVALID, click anywhere on the background and type ‘thisisunsafe’ (without the quotes).
  2. Press Enter/Return.
  3. It should reload the page and display the site by doing this.
  4. Now look at the Not Secure message in the browser as seen here:

Screen Shot 2022-11-07 at 3.23.42 PM

“You have chosen to turn off security warnings for this site. Turn on warnings.”

This means you should be able to bypass the extra warning for now. If anything this helps alleviate my issues with self-signed certs in Chrome. Following the steps for Firefox in my last reply should help in that particular browser as well.

More info here: https://twitter.com/zairwolf/status/1196878125734486021

Chrome:
Version 107.0.5304.87 (Official Build) (x86_64)

1 Like

Kevin,

I think I’ll go ahead and mark my last reply as a solution as it solves my (OP) concern and seems to provide a viable work around for the time being. It still warrants investigation in my opinion because self-signed certs did not used to be an issue with either browser and Safari did not seem to bat an eye (it just loads like normal). Thanks for your help in troubleshooting this issue and to anyone reading this the solution here was to add the local domain as an exception to Firefox and Chrome. This may or may not be the best solution but it’s a path forward.

Thanks @sharpspring, so yes, something is definitely going on with self-signed certificates and MacOS.

Our developers can now reproduce the issue on Mac. They have the same recommendations regarding browser-level exceptions but are also researching alternatives that can be built into DevKinsta/our current process.

One other possibility they floated is that maybe there’s an issue with the expiration date of the self-signed certificates that’s setting of the security warning. Maybe sort of related to this: About upcoming limits on trusted certificates - Apple Support

Either way, we’ll keep investigating. Thank you for the time you put into troubleshooting and sharing your solutions!

FYI, this issue is also being experienced by users of Local and MAMP Pro:

2 Likes

There are multiple tickets on this, but i couldnt find an appropriate solution. So far I have successfully worked with the local version. For some reason now it is not allowing to open the page, due to a “insecure connection” when I open the local page through DevKinsta. Weird error for a local page to open in my eyes, so whats going on?

Thanks for a tip here.

Hi, @Mikyboy, the solution provided above might be the best for now DevKinsta 2.8.0 SSL Certificate Not Valid - #11 by sharpspring

I’m assuming you are on a Mac as this is affecting local sites on Macs/Chrome across all local dev platforms(not just DevKinsta). Our developers are still researching the issue to hopefully have a fix(if one is possible), for the next release of DevKinsta.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.