Update Auto-Generated SSL Certificates
-
Currently, if you import the certificate generated by Laragon, you will get the following error in Chrome because it is missing the Subject Alternative Name:
NET::ERR_CERT_COMMON_NAME_INVALID
Below I have included the command and the openssl.cnf file to fix this issue.
- Replace URL in openssl.cnf and the command below
openssl.cnf
[ req ]
default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = SG
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Singapore
localityName = Locality Name (eg, city)
localityName_default = Singapore
organizationName = Organization Name (eg, company)
organizationName_default = Laragon
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = URL.dev
emailAddress = Email Address
emailAddress_default = example@URL.dev
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ alternate_names ]
DNS.1 = URL.dev
Command
openssl req -config openssl.cnf -new -sha256 -newkey rsa:2048 -nodes -keyout URL.dev.key -x509 -days 365 -out URL.dev.crt -subj "/C=SG/ST=Singapore/L=Singapore/O=Laragon/OU=IT/CN=URL.dev"
Would it be possible to update the Auto-Generated SSL Certificates to include the Subject Alternative Name?
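A check for the condition described in the post above, as an added example that is not part of the original thread: `browser_name_ok` passes only when the certificate's Subject Alternative Name lists the host, ignoring the commonName the way Chrome does. `make_cert` builds a throwaway certificate from a cut-down version of the config above; the function names and the host passed in are assumptions.

```shell
#!/bin/sh
# Added example. Host names and file locations are constructed for illustration.

# make_cert DIR HOST yes|no -> writes DIR/HOST.{cnf,key,crt}; "yes" adds the SAN.
make_cert() {
    dir=$1; host=$2; with_san=$3
    {
        echo "[ req ]"
        echo "prompt = no"
        echo "distinguished_name = subject"
        if [ "$with_san" = yes ]; then echo "x509_extensions = x509_ext"; fi
        echo "[ subject ]"
        echo "commonName = $host"
        echo "[ x509_ext ]"
        echo "basicConstraints = CA:FALSE"
        echo "keyUsage = digitalSignature, keyEncipherment"
        echo "subjectAltName = @alternate_names"
        echo "[ alternate_names ]"
        echo "DNS.1 = $host"
    } > "$dir/$host.cnf"
    openssl req -config "$dir/$host.cnf" -new -x509 -sha256 -newkey rsa:2048 \
        -nodes -keyout "$dir/$host.key" -days 1 -out "$dir/$host.crt" 2>/dev/null
}

# san_dns_names CERT -> one lower-cased SAN DNS entry per line (empty if none).
san_dns_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | tr 'A-Z' 'a-z'
}

# browser_name_ok CERT HOST -> exit 0 only if a SAN DNS entry covers HOST.
# The commonName is deliberately ignored.
browser_name_ok() {
    cert=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    wildcard="*.${host#*.}"     # e.g. *.example.test for www.example.test
    case $host in
        *.*) san_dns_names "$cert" | grep -Fxq -e "$host" -e "$wildcard" ;;
        *)   san_dns_names "$cert" | grep -Fxq -e "$host" ;;
    esac
}
```

Running `browser_name_ok URL.dev.crt URL.dev` against a regenerated certificate before importing it shows whether the SAN made it in; a non-zero exit status means the name check described in the post above would still fail.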
-
@YummyTofu : I'll check and get back to you soon.
-
Hi, I've also written a bash script to renew all the domain certificates' SAN fields using OpenSSL. It's written for Windows, but if you comment out two lines (the certutil lines to update the certificates in the Windows certificate store) then I think it should work with Linux OSes too.
https://gist.github.com/tpaksu/1a1c893bf23d3abc6ded45039bbe21d2
- Copy this file to the laragon/etc/ssl directory where the certificates reside.
- Navigate to laragon/etc/ssl
- Run it
- Restart Apache & Nginx
-
Thanks @YummyTofu and @tpaksu for the workaround. Hopefully this issue will be fully resolved in the next release.
-
Make a .bat file named makeCERT.bat
@echo off
REM IN YOUR SSL FOLDER, SAVE THIS FILE AS: makeCERT.bat
REM AT COMMAND LINE IN YOUR SSL FOLDER, RUN: makecert
REM IT WILL CREATE THESE FILES: example.cnf, example.crt, example.key
REM IMPORT THE .crt FILE INTO CHROME Trusted Root Certification Authorities
REM REMEMBER TO RESTART APACHE OR NGINX AFTER YOU CONFIGURE FOR THESE FILES
REM PLEASE UPDATE THE FOLLOWING VARIABLES FOR YOUR NEEDS.
SET HOSTNAME=domain
REM DOT= com DOT= dev DOT= test DOT= it
SET DOT=com
SET COUNTRY=UK
SET STATE=WY
SET CITY=Halifax
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET EMAIL=administrator@%HOSTNAME%.%DOT%
(
echo [req]
echo default_bits = 2048
echo prompt = no
echo default_md = sha256
echo x509_extensions = v3_req
echo distinguished_name = dn
echo:
echo [dn]
echo C = %COUNTRY%
echo ST = %STATE%
echo L = %CITY%
echo O = %ORGANIZATION%
echo OU = %ORGANIZATION_UNIT%
echo emailAddress = %EMAIL%
echo CN = %HOSTNAME%.%DOT%
echo:
echo [v3_req]
echo subjectAltName = @alt_names
echo:
echo [alt_names]
echo DNS.1 = *.%HOSTNAME%.%DOT%
echo DNS.2 = %HOSTNAME%.%DOT%
)>%HOSTNAME%.%DOT%.cnf
openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %HOSTNAME%.%DOT%.key -days 3560 -out %HOSTNAME%.%DOT%.crt -config %HOSTNAME%.%DOT%.cnf
It will generate the following files:
domain.test.key
domain.test.cnf
domain.test.crt
and replace the originals, and enjoy.
I forgot: you need to add it in Chrome's certificate settings.
I found this code on the internet; it is not mine.
-
@kaxias
The script you provided does assume that the meta-data info is never changed.
Instead you can use my solution, which is interactive and gives you flexibility to provide your own info without even needing to edit the .bat file. 👍
-
REM PLEASE UPDATE THE FOLLOWING VARIABLES FOR YOUR NEEDS.
SET HOSTNAME=domain
REM DOT= com DOT= dev DOT= test DOT= it
SET DOT=com
SET COUNTRY=UK
SET STATE=WY
SET CITY=Halifax
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET EMAIL=administrator@%HOSTNAME%.%DOT%
Here you can change your info.
-
@kaxias , @bantya
None of them worked though. Still showing this Chrome error:
NET::ERR_CERT_AUTHORITY_INVALID
This server could not prove that it is gulp.oo; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
-
After you generate the certificates, go to your browser's certificate settings, remove any old certificate and add the new certificates, close all tabs and browsers, reopen the browser, and go to the https address you created.
Sorry for my bad English.
-
This may solve your issue and save your time:
https://forum.laragon.org/topic/767/what-domain-are-you-using-for-development?page=1
-
How will that help solve the problem?
-
Did not notice the replies here.
@Joshua-Siagian, thank you for your time helping me, unfortunately I already checked that page before I got here.
@kaxias, it works when I tried closing and opening browsers, haha! Damn, should have done it a few days ago. Happy now that I have https while developing locally! ye!