SSL issues (one resolved, one not)

I’m having trouble running my local DevKinsta store with SSL enabled. This is on an Ubuntu 22.04 machine.

At first, I was unable to toggle the “HTTPS” switch; it would say “SSL update failed”. By searching through the community, I did discover a workaround to this problem. The issue was that I had no “~/.mozilla/firefox/” directory. Creating this directory by hand, then toggling the switch, worked. Everything was working great, until…

… some time later (either a few hours or next day), I tried to open the site in Chrome, and received a “NET:ERR_CERT_INVALID” error. Unlike most such errors from Chrome, I don’t have the option to click “Advanced” and then select “Proceed anyways”. I am stuck on the error screen and cannot access the store. The message says: “You cannot visit local-store.example.com right now because the website sent scrambled credentials that Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.”

I have tried toggling the HTTPS switch, and have tried turning the store off and on again. I did confirm that I can still access the site from other browsers, including Firefox and curl. But Chrome appears to be stuck.


Hello @Shaun_Dishman :wave:

Thank you for reaching out to us here!

I had a similar issue in the past on the same Ubuntu 22.04 machine and shared a workaround in another thread here (that’s for the SSL/HTTPS issue related to “.mozilla/firefox”),
and below that thread I also shared a solution related to the “NET::ERR_CERT_INVALID” error in the Chrome browser only (which seemed to happen on Chrome browser above version 111.0.5563.146-1 - and it’s not something that DevKinsta could control though) - while the HTTPS/SSL for the local sites worked fine on other browsers (like Firefox, even for the current/newest Firefox browser version).

You may want to check my previous replies there and see if that would help you too hopefully! :pray:

Best regards,
Agus Utomo

Agus,

Thanks for the response! I should have stated at the outset that I had already seen your other thread. But there are a couple of reasons why I didn’t pursue your workaround:

  1. My situation sounded a bit different from yours, in that yours seemed to be caused by a Chrome upgrade. I can confirm that no upgrade occurred between when my cert was working, and when it wasn’t. I had it working just fine in Chrome, and then a few hours later, it stopped working, with no change in-between.

  2. Downgrading Chrome is just not a viable option. Disconnecting from receiving auto-updates is a bad security posture and is not sustainable as a real solution. It works OK for a one-time hack/workaround, but not long-term. There needs to be a way to access my DevKinsta store using the latest versions of Chrome.

To the above point: I checked the Chrome release history, and versions prior to v111 were released over a year ago!

Hi there, I’m currently experiencing the same issue - any fixes on that side maybe?
Downgrading to 12 versions above is kind of weird to be honest.

So one of the best solutions I found (and probably there is) would be to generate your own Certificate Authority (CA) and a signed certificate for your .local domain, then authorize it in your Chrome.

NOTE: BE SURE TO REPLACE yourdomain.local WITH YOUR ACTUAL DOMAIN

Steps:

  1. Backup Existing Certificates:
  • Execute: cp -r ~/DevKinsta/ssl ~/DevKinsta/ssl_backup
  2. Generate CA Key and Certificate:
  • Navigate to SSL directory: cd ~/DevKinsta/ssl
  • Generate CA key: openssl genrsa -out myCA.key 2048
  • Create CA certificate: openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
  3. Generate Domain Key and CSR:
  • Generate domain key: openssl genrsa -out yourdomain.local.key 2048
  • Create CSR: openssl req -new -key yourdomain.local.key -out yourdomain.local.csr
  4. Sign CSR with Your CA:
  • Sign CSR: openssl x509 -req -in yourdomain.local.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out yourdomain.local.crt -days 825 -sha256
  5. Import CA to Chrome:
  • Open Chrome and go to chrome://settings/certificates
  • Navigate to Authorities, click Import, and select myCA.pem
  • Follow prompts to trust the CA for identifying websites.
  6. Restart DevKinsta Docker:
  • Restart Chrome DevKinsta and Docker container to apply the new certificate.

Hope that’s useful
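Editor's added example (not part of the post above and not DevKinsta's own tooling): the same CA and certificate steps run non-interactively, with a subjectAltName added at signing time because Chrome matches the hostname against the SAN rather than the CN, followed by a chain and SAN check. The function names, the CA subject and the temporary output directory are assumptions; yourdomain.local is the post's placeholder.

```shell
#!/bin/sh
# Added example. make_local_cert/check_local_cert and the CA subject are
# hypothetical names; yourdomain.local is the page's placeholder domain.

make_local_cert() {   # usage: make_local_cert <domain> <output-dir>
    domain=$1; dir=$2
    mkdir -p "$dir" || return 1

    # CA key and self-signed CA certificate (-subj avoids the prompts).
    openssl genrsa -out "$dir/myCA.key" 2048 2>/dev/null || return 1
    openssl req -x509 -new -nodes -key "$dir/myCA.key" -sha256 -days 1825 \
        -subj "/CN=Local Dev CA (constructed)" -out "$dir/myCA.pem" || return 1

    # Domain key and CSR.
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/$domain.key" -subj "/CN=$domain" \
        -out "$dir/$domain.csr" || return 1

    # Leaf extensions: Chrome matches the hostname against subjectAltName,
    # not the CN, so the SAN has to be set at signing time.
    cat > "$dir/$domain.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$domain
EOF

    # Sign the CSR with the CA, applying the extension file.
    openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/myCA.pem" \
        -CAkey "$dir/myCA.key" -CAcreateserial -extfile "$dir/$domain.ext" \
        -out "$dir/$domain.crt" -days 825 -sha256 2>/dev/null || return 1
}

check_local_cert() {  # usage: check_local_cert <domain> <output-dir>
    domain=$1; dir=$2
    # The leaf must chain to the CA that will be imported into Chrome...
    openssl verify -CAfile "$dir/myCA.pem" "$dir/$domain.crt" \
        >/dev/null 2>&1 || return 1
    # ...and must carry the domain as a DNS subjectAltName.
    openssl x509 -in "$dir/$domain.crt" -noout -text \
        | grep -qF "DNS:$domain" || return 1
}

# Demo run in a throwaway directory, away from ~/DevKinsta/ssl.
demo=$(mktemp -d) && make_local_cert yourdomain.local "$demo" \
    && check_local_cert yourdomain.local "$demo" \
    && echo "chain and SAN verified in $demo"
```

Keep myCA.key private and import only myCA.pem into Chrome: anyone holding the CA key can issue certificates that this browser profile will trust for any site.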

After I posted this, a teammate pointed out that Chrome has a hidden feature where you can key in “thisisunsafe” while focused on the ERR_CERT_INVALID page, and it will allow you to proceed.

Obviously we would never use this in a real environment, but I found this acceptable for our development/local systems as a workaround. So that’s what we’re doing for now.

Good idea about the local CA though; that’s definitely a more “correct” fix.

Though I am curious what the difference is between Chrome and the other browsers, in terms of considering the DevKinsta cert to be valid or not. It seems like the “best” fix is for DevKinsta to figure that out, and adjust their cert creation.


We recently migrated to Kinsta, with one of the drawing factors being DevKinsta, but since day one I’ve been plagued by this issue.

The “solution” is really not a solution at all, as our IT dept manages our Chrome version, to keep it in line with security patches, we’re therefore unable to downgrade.

Kinsta need to fix this issue properly, rather than providing a workaround and calling it a solution.

From what I can see, this has been around as an issue for some time now, which isn’t particularly promising.