Google Chrome and Firefox do not trust certificates
enverarslan opened this issue · 0 comments
I have been using this package for a very long time. Last afternoon (4th November 2022 18:07 UTC+3) Google Chrome started giving SSL certificate errors on my development sites.
Environment:
Windows 10 (64 bit): 19043.2130
valet-windows: 2.1.5
Google Chrome: 107.0.5304.88
Mozilla Firefox: 106.0.5
Problem
I checked the certificate expiration, it's fine. So I checked the site in Microsoft Edge, and it loaded successfully.
Google Chrome gives a NET::ERR_CERT_INVALID error and does not allow proceeding past the error.
After that, I installed Mozilla Firefox and tested the site. This gave me another error code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
Research
I researched the problem and found a possible solution.
See https://bugzilla.mozilla.org/show_bug.cgi?id=1034124 and specifically this answer:
Looks like that certificate has a basicConstraints extension with the value cA: TRUE. We stopped allowing CA certificates to act as end-entity certificates. That certificate should be regenerated without the basicConstraints extension.
This is also explained at https://wiki.mozilla.org/SecurityEngineering/x509Certs
Error Code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
What It Means: A certificate with a basic constraints extension with cA:TRUE is being used as an end-entity certificate
What Can I Do: Re-generate the end-entity certificate without the basic constraints extension
Related:
- https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
- parcel-bundler/parcel#3398
- https://wiki.mozilla.org/SecurityEngineering/x509Certs#Self_Signed_Certs
- https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html#Basic-Constraints
Solution
I added the basicConstraints CA:false extension in createSigningRequest here: https://github.com/cretueusebiu/valet-windows/blob/2.1.5/cli/Valet/Site.php#L334
$x509->setExtension('id-ce-basicConstraints', ['CA'=>false]);
But I am not sure this is the correct solution.
Can you give any explanation of why this happened and why now? I think browser updates triggered this problem, but browsers have had CA checking for a long time.
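The check described in the Mozilla wiki entry quoted above can be run against a site certificate before and after regenerating it. The following is an added example, not code from this issue or from valet-windows: a stdlib-only Python DER walk that reads the cA flag from the basicConstraints extension. The function names and the sample extension bytes are constructed for illustration.

```python
# Added example: read the basicConstraints cA flag from DER bytes (stdlib only).
# For a PEM file, convert first with ssl.PEM_cert_to_DER_cert(pem_text).
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # id-ce-basicConstraints, 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def basic_constraints_ca(der):
    """True/False for the cA flag, or None when the extension is absent."""
    for tag, val in children(der):
        if not tag & 0x20:  # primitive element, nothing nested to search
            continue
        kids = children(val)
        if tag == 0x30 and kids and kids[0] == (0x06, BASIC_CONSTRAINTS_OID):
            # Extension ::= SEQUENCE { extnID, [critical], extnValue OCTET STRING }
            _, bc, _ = read_tlv(kids[-1][1], 0)  # BasicConstraints SEQUENCE
            fields = children(bc)
            # cA is DEFAULT FALSE, so an empty SEQUENCE also means "not a CA"
            return bool(fields and fields[0][0] == 0x01 and fields[0][1] != b"\x00")
        found = basic_constraints_ca(val)
        if found is not None:
            return found
    return None

def usable_as_end_entity(der):
    """False for the case Firefox rejects: cA TRUE on a server certificate."""
    return basic_constraints_ca(der) is not True

# Constructed sample extensions (not taken from a real certificate)
BC_TRUE = bytes.fromhex("300f0603551d130101ff040530030101ff")  # critical, cA TRUE
BC_FALSE = bytes.fromhex("30090603551d1304023000")             # empty, cA FALSE
KEY_USAGE = bytes.fromhex("300b0603551d0f0404030205a0")        # unrelated extension

def wrap(*exts):
    """Wrap extensions as a certificate does: [3] EXPLICIT SEQUENCE OF Extension."""
    seq = bytes([0x30, len(b"".join(exts))]) + b"".join(exts)
    return bytes([0xA3, len(seq)]) + seq
```

Because the walk descends through every constructed element, the same function accepts a complete DER certificate as well as the bare extension list used in the samples.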