FiloSottile
Root certificate no longer applicable for leaf certificates in MacOS 26.1
Environment
- MacOS 26.1
- mkcert version (from
mkcert -version): 1.4.4 - Server (where the certificate is loaded): Nitro 2.12.9, Vite 7.1.12
- Client (e.g. browser, CLI tool, or script): All MacOS browsers
What you did
Updated to MacOS 26.1 None of my local dev certificates work. They all worked before the update.
mkcert -uninstall
mkcert -install
Open keychain access and ensure mkcert root is Always Trusted
mkcert testsite.wip
yarn dev -o
This opens browser and normally would take me to https://testsite.wip (or whatever hostname I've set) without any SSL error.
What went wrong
Since updating to MacOS 26.1 all my browsers report a certificate error - net::ERR_CERT_AUTHORITY_INVALID
"This server could not prove that it is testsite.wip; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection."
openssl s_client -connect testsite.wip:3000 -servername testsite.wip -showcerts </dev/null | openssl x509 -noout -text | sed -n '1,120p'
this reports:
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
The issue for me ends up being with the Nuxt server (vite/nitro). It no longer respects passing the certs through the command line - instead I need to set a nuxt.config.ts configuration:
devServer: {
https: {
key: './test.local-key.pem',
cert: './test.local.pem',
},
},
Then my package.json has the "dev" script as:
"dev": "NODE_TLS_REJECT_UNAUTHORIZED=0 nuxt dev --host test.local --https"
This seems to be working and is, so far, the only solution I have found.