Update Auto-Generated SSL Certificates


  • | 589 points

    Currently, if you import the certificate generated by Laragon, you will get the following error in Chrome because it is missing the Subject Alternative Name:

    NET::ERR_CERT_COMMON_NAME_INVALID

    Below I have included the command and the openssl.cnf file to fix this issue.

    • Replace URL in openssl.cnf and the command below

    openssl.cnf

    [ req ]

    default_bits = 2048
    default_keyfile = server-key.pem
    distinguished_name = subject
    req_extensions = req_ext
    x509_extensions = x509_ext
    string_mask = utf8only

    [ subject ]

    countryName = Country Name (2 letter code)
    countryName_default = SG

    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Singapore

    localityName = Locality Name (eg, city)
    localityName_default = Singapore

    organizationName = Organization Name (eg, company)
    organizationName_default = Laragon

    commonName = Common Name (e.g. server FQDN or YOUR name)
    commonName_default = URL.dev

    emailAddress = Email Address
    emailAddress_default = example@URL.dev

    [ x509_ext ]

    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer

    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment
    subjectAltName = @alternate_names
    nsComment = "OpenSSL Generated Certificate"

    [ req_ext ]

    subjectKeyIdentifier = hash

    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment
    subjectAltName = @alternate_names
    nsComment = "OpenSSL Generated Certificate"

    [ alternate_names ]

    DNS.1 = URL.dev

    Command

    openssl req -config openssl.cnf -new -sha256 -newkey rsa:2048 -nodes -keyout URL.dev.key -x509 -days 365 -out URL.dev.crt -subj "/C=SG/ST=Singapore/L=Singapore/O=Laragon/OU=IT/CN=URL.dev"

    Would it be possible to update the Auto-Generated SSL Certificates to include the Subject Alternative Name?


  • administrators
    | 72911 points

    @YummyTofu : I'll check and get back to you soon.


  • | 124 points

    Hi, I've also written a bash script to renew the SAN fields of all the domain certificates using OpenSSL. It's written for Windows, but if you comment out two lines (the certutil lines that update the certificates in the Windows certificate store) then I think it should work on Linux too.

    https://gist.github.com/tpaksu/1a1c893bf23d3abc6ded45039bbe21d2

    1. Copy this file to the laragon/etc/ssl directory where the certificates reside.
    2. Navigate to laragon/etc/ssl.
    3. Run it.
    4. Restart Apache & Nginx.

  • | 121 points

    Thanks @YummyTofu and @tpaksu for the workaround. Hopefully this issue will be fully resolved in the next release.


  • | 1292 points

    Make a .bat file named makeCERT.bat

    @echo off
    
    REM IN YOUR SSL FOLDER, SAVE THIS FILE AS: makeCERT.bat
    REM AT COMMAND LINE IN YOUR SSL FOLDER, RUN: makecert
    REM IT WILL CREATE THESE FILES: example.cnf, example.crt, example.key
    REM IMPORT THE .crt FILE INTO CHROME Trusted Root Certification Authorities
    REM REMEMBER TO RESTART APACHE OR NGINX AFTER YOU CONFIGURE FOR THESE FILES
    
    REM PLEASE UPDATE THE FOLLOWING VARIABLES FOR YOUR NEEDS.
    SET HOSTNAME=domain
    REM DOT= com DOT= dev DOT= test DOT= it
    SET DOT=com
    SET COUNTRY=UK
    SET STATE=WY
    SET CITY=Halifax
    SET ORGANIZATION=IT
    SET ORGANIZATION_UNIT=IT Department
    SET EMAIL=administrator@%HOSTNAME%.%DOT%
    
    (
    echo [req]
    echo default_bits = 2048
    echo prompt = no
    echo default_md = sha256
    echo x509_extensions = v3_req
    echo distinguished_name = dn
    echo:
    echo [dn]
    echo C = %COUNTRY%
    echo ST = %STATE%
    echo L = %CITY%
    echo O = %ORGANIZATION%
    echo OU = %ORGANIZATION_UNIT%
    echo emailAddress = %EMAIL%
    echo CN = %HOSTNAME%.%DOT%
    echo:
    echo [v3_req]
    echo subjectAltName = @alt_names
    echo:
    echo [alt_names]
    echo DNS.1 = *.%HOSTNAME%.%DOT%
    echo DNS.2 = %HOSTNAME%.%DOT%
    )>%HOSTNAME%.%DOT%.cnf
    
    openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %HOSTNAME%.%DOT%.key -days 3560 -out %HOSTNAME%.%DOT%.crt -config %HOSTNAME%.%DOT%.cnf
    

    It will generate the following files:
    domain.test.key
    domain.test.cnf
    domain.test.crt

    Then replace the originals and enjoy.

    I forgot: you need to add it in Chrome's certificate settings.

    I found this code on the internet; it is not mine.
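
To confirm that a certificate produced by either approach in this thread (the openssl.cnf in the first post or makeCERT.bat) carries the names the browser will check, the following is an added example, not code from any poster. It reads the subjectAltName DNS entries with openssl and tests hostnames against them, ignoring the CN as Chrome does; the helper names, the throwaway example.test certificates and the temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check which DNS names a certificate's
# subjectAltName covers. Hostnames and file names below are constructed.

# Create a throwaway self-signed certificate at $1.crt with CN $2.
# $3 is an optional subjectAltName value, e.g. "DNS:*.example.test,DNS:example.test".
make_cert() {
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n'
        printf '[dn]\nCN = %s\n[ext]\nbasicConstraints = CA:FALSE\n' "$2"
        if [ -n "${3:-}" ]; then printf 'subjectAltName = %s\n' "$3"; fi
    } > "$1.cnf"
    openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
        -config "$1.cnf" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Print one SAN DNS name per line; prints nothing if the extension is missing.
san_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Exit 0 if hostname $2 is covered by a SAN entry of certificate $1.
# The CN is deliberately ignored. A wildcard stands for exactly one leftmost
# label: *.example.test covers www.example.test but not example.test.
san_covers() {
    case $2 in
        *.*) wildcard="*.${2#*.}" ;;
        *)   wildcard=$2 ;;
    esac
    san_names "$1" | grep -Fxqi -e "$2" -e "$wildcard"
}

# Demo: CN-only certificate versus one with wildcard + apex SAN entries.
demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/cn-only" example.test
    make_cert "$dir/with-san" example.test 'DNS:*.example.test,DNS:example.test'
    for cert in cn-only with-san; do
        for host in example.test www.example.test a.b.example.test; do
            if san_covers "$dir/$cert.crt" "$host"; then r=covered; else r="NOT covered"; fi
            printf '%-8s %-18s %s\n' "$cert" "$host" "$r"
        done
    done
    rm -rf "$dir"
}

demo
```

Run `san_covers path/to/site.crt hostname` against the certificate the web server is actually configured to serve; a non-zero exit status means the name is absent from the SAN list.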


  • | 4166 points

    @kaxias Here is the original gist.


  • | 4166 points

    @kaxias
    The script you provided does assume that the meta-data info is never changed.
    Instead you can use my solution, which is interactive and gives you flexibility to provide your own info without even needing to edit the .bat file.

    👍


  • | 1292 points

    REM PLEASE UPDATE THE FOLLOWING VARIABLES FOR YOUR NEEDS.
    SET HOSTNAME=domain
    REM DOT= com DOT= dev DOT= test DOT= it
    SET DOT=com
    SET COUNTRY=UK
    SET STATE=WY
    SET CITY=Halifax
    SET ORGANIZATION=IT
    SET ORGANIZATION_UNIT=IT Department
    SET EMAIL=administrator@%HOSTNAME%.%DOT%
    

    Here you can change your info.


  • | 159 points

    @kaxias , @bantya
    None of them worked though. Still showing this Chrome error.

    NET::ERR_CERT_AUTHORITY_INVALID

    This server could not prove that it is gulp.oo; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.


  • | 1292 points

    After you generate the certificates, go to your browser's certificate settings, remove any old certificates and add the new certificates, close all tabs and browsers, reopen the browser, and go to the https address you created.

    Sorry for my bad English.


  • | 44 points


  • | 1292 points

    @Joshua-Siagian

    How will that help solve the problem?


  • | 159 points

    Did not notice the replies here.

    @Joshua-Siagian, thank you for your time helping me, unfortunately I already checked that page before I got here.

    @kaxias, it worked when I tried closing and opening the browsers, haha! Damn, should have done it a few days ago. Happy now that I have https while developing locally! ye!

