ssl-config
Chrome on MacOS Catalina Throwing NET::ERR_CERT_REVOKED
Possibly related to https://support.apple.com/en-us/HT210176.
Subject: localhost
Issuer: localhost
Expires on: Sep 30, 2069
Current date: Oct 13, 2019
Hi @arambau, can you share the steps to reproduce the issue?
This was observed with the Play Framework. The simplest way to reproduce the issue is:
- Run: sbt new playframework/play-scala-seed.g8
- Accept all of the defaults
- Change directory, cd play-scala-seed
- Run: sbt run -Dhttp.port=disabled -Dhttps.port=9443
- Browse to https://127.0.0.1:9443
- In Chrome on MacOS Catalina (10.15), observe "NET::ERR_CERT_REVOKED"
I should mention, the Chrome version: 77.0.3865.120 (Official Build) (64-bit)
Hi @arambau, the certificates ssl-config produces on-the-fly are self-signed and issued to localhost (not 127.0.0.1). Other than that, they already use 2048-bit keys and SHA-2 family signatures.
On top of that, the issue you report is ERR_CERT_REVOKED instead of an error indicating it is self-signed (NET::ERR_CERT_AUTHORITY_INVALID) or for an invalid host (127.0.0.1 instead of localhost) so it looks like it was already blacklisted on your machine.
Can you clean your local target/ folder (where the temporary, on-the-fly certificates are stored) and try again?
Also, any extra information you can provide to help reproduce will be helpful.
PS: I'm also using Chrome 77.0.3865.120 (but not Catalina OSX)
That didn't seem to have any effect, however, setting the flag chrome://flags/#allow-insecure-localhost, did. Whatever the cause is with the self-signed certificate, it's Chrome that has the problem. Safari doesn't present the same problem. What's interesting is, if I present a self-signed certificate as localhost with the new Catalina restrictions <= 825 days of validity, Chrome has no problem with it. It throws the usual invalid warning, but allows me to proceed.
Just to give some history. All of these Play Framework sites worked fine last week before the Catalina and Chrome updates. Unfortunately, I don't know which broke it... or both.
For those looking for a workaround inside of Chrome without using Safari, after being presented the NET::ERR_CERT_REVOKED, type "thisisunsafe" on top of the page (your typed text will not show, but the page should refresh and bypass the error). (https://podtech.io/os/mac-osx/chrome-catalina-certificate-issue/).
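For checking a development certificate against the requirements on the Apple page linked at the top of the thread (HT210176), the following is an added example, not code from ssl-config or from any commenter. It reads `openssl x509 -noout -text` output and reports which rules are missed: the 2048-bit RSA key, SHA-2 signature and 825-day limit mentioned in the thread, plus that page's SAN and serverAuth EKU rules. The function names and both certificate dumps are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed `openssl x509 -noout -text` excerpts (not captured from the thread).
LONG_LIVED = """\
    Signature Algorithm: sha256WithRSAEncryption
    Validity
        Not Before: Oct 14 00:11:07 2019 GMT
        Not After : Oct  1 00:11:07 2069 GMT
    Subject: CN = localhost
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (2048 bit)
"""
SHORT_LIVED = LONG_LIVED.replace("Oct  1 00:11:07 2069", "Jan 15 00:11:07 2022") + """\
    X509v3 Subject Alternative Name:
        DNS:localhost
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
"""

def _when(text, label):
    """Parse a 'Not Before' / 'Not After' line into a datetime (UTC)."""
    raw = re.search(label + r"\s*:\s*(.+?) GMT", text).group(1)
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y")

def catalina_violations(text, host):
    """Return the HT210176 requirements that the dumped certificate misses."""
    problems = []
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    if "Public Key Algorithm: rsaEncryption" in text and (
            not bits or int(bits.group(1)) < 2048):
        problems.append("rsa-key-under-2048-bits")
    if not re.search(r"Signature Algorithm: \S*sha(224|256|384|512)", text, re.I):
        problems.append("signature-not-sha2")
    if not re.search(r"DNS:" + re.escape(host) + r"(,|\s|$)", text):
        problems.append("host-not-in-san")
    not_before = _when(text, "Not Before")
    # The next two rules apply only to certificates issued after July 1, 2019.
    if not_before > datetime(2019, 7, 1):
        days = (_when(text, "Not After") - not_before).days
        if days > 825:
            problems.append("validity-%d-days-over-825" % days)
        if "TLS Web Server Authentication" not in text:
            problems.append("eku-missing-serverAuth")
    return problems

if __name__ == "__main__":
    for name, dump in (("long-lived", LONG_LIVED), ("short-lived", SHORT_LIVED)):
        print(name, catalina_violations(dump, "localhost") or "ok")
```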