-
-
Notifications
You must be signed in to change notification settings - Fork 644
Regenerate included self-signed SSL certificate with less than 825 day validity period #2001
Comments
@timwood I've been using workaround Ansible tasks on Ubuntu 18.04 for this for a while, this should also allow the server to make HTTPS requests to itself without having to accept invalid certificates. It should cover all of the tighter certificate requirements, which I believe are also going to impact software beyond MacOS in time. The tasks below should be self-explanatory as to what they are doing. The script which is modified has the 10 year period hard coded within it. While this is not a proper fix for the issue, it has resolved the issue for my requirements. It also leads to a certificate which is wildcarded for subdomains of It needs to go into the location referred to by ---
# This is a gross way of handling this, but given that it's for a dev environment,
# time/benefit trade off, and grossness of current workaround...
- name: Set hostnames for snakeoil certificate, and alter extendedKeyUsage.
lineinfile:
path: /usr/share/ssl-cert/ssleay.cnf
regexp: "{{ item.regex }}"
line: "{{ item.line }}"
with_items:
- { regex: '^commonName', line: "commonName = {{ vagrant_hostname }}" }
- { regex: '^subjectAltName', line: "subjectAltName = DNS:{{ vagrant_hostname }},DNS:*.{{ vagrant_hostname }},IP:{{ vagrant_ip }}" }
- { regex: '^extendedKeyUsage', line: "extendedKeyUsage = serverAuth" }
- name: Modify script to reduce validity period to 2 years.
replace:
path: /usr/sbin/make-ssl-cert
regexp: '(.*)-days \d+(.*)'
replace: '\1-days 730\2'
- name: Regenerate snakeoil certificate.
command: /usr/sbin/make-ssl-cert generate-default-snakeoil --force-overwrite
notify:
- restart webserver
- restart postfix
- name: Regenerate the certificate store.
command: /usr/sbin/update-ca-certificates --fresh |
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! Please read this blog post to see the reasons why I mark issues as stale. |
This is still valuable information. |
This issue is no longer marked for closure. |
@joestewart - I believe the SSL cert that's created was set up by the OS itself, and that Drupal VM's automation doesn't actually do any of the work in generating a cert... is this something that might benefit more from some documentation? Or I guess maybe we could touch it up in a new task include—as I see @phizev's solution modifies the snakeoil cert to work with the right time period. One annoying thing as that the solution is specific to Ubuntu, and I don't believe it would work out of the box with Debian or CentOS. |
Not Mac-specific, so removing that label. |
I really like @phizev 's solution. It works super solid on every project of mine. |
Issue Type
Your Environment
Your OS
Summary
Make sure DrupalVM self-signed SSL certificate meets latest Apple MacOS requirements/constraints from Catalina (https://superuser.com/a/1492657). Catalina now requires that SSL certificates issued after 7/1/2019 include the following constraints:
I'm pretty sure my issue is due to the validity period going till 2029, much longer than 825 days, but I didn't know how to check for the other constraint listed above. The error Chrome throws is
NET::ERR_CERT_REVOKED
and it doesn't allow you to pass the certificate error screen with an exclusion. But the typingthisisunsafe
trick works.The text was updated successfully, but these errors were encountered: