Update Auto-Generated SSL Certificates

YummyTofu

Currently, if you import the certificate generated by laragon you will get the following error in Chrome because it is missing the Subject Alternative Name:

NET::ERR_CERT_COMMON_NAME_INVALID

Below I have included the command and the openssl.cnf file to fix this issue.

Replace URL in openssl.cnf and the command below

openssl.cnf

[ req ]

default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only

[ subject ]

countryName = Country Name (2 letter code)
countryName_default = SG

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Singapore

localityName = Locality Name (eg, city)
localityName_default = Singapore

organizationName = Organization Name (eg, company)
organizationName_default = Laragon

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = URL.dev

emailAddress = Email Address
emailAddress_default = example@URL.dev

[ x509_ext ]

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"

[ req_ext ]

subjectKeyIdentifier = hash

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"

[ alternate_names ]

DNS.1 = URL.dev

Command

openssl req -config openssl.cnf -new -sha256 -newkey rsa:2048 -nodes -keyout URL.dev.key -x509 -days 365 -out URL.dev.crt -subj "/C=SG/ST=Singapore/L=Singapore/O=Laragon/OU=IT/CN=URL.dev"

Would it be possible to update the Auto-Generated SSL Certificates to include the Subject Alternative Name?

leokhoa

@YummyTofu : I'll check and get back to you soon.

tpaksu

Hi, I've also written a bash script to renew all the domain certificates SAN fields using OpenSSL. It's written for windows but if you comment out two lines (the certutil lines to update the certificates in the windows certificate store) then I think it should work with linux OSes too.

https://gist.github.com/tpaksu/1a1c893bf23d3abc6ded45039bbe21d2

copy this file to laragon/etc/ssl directory where the certificates reside.
Navigate to laragon/etc/ssl
run it
restart apache & nginx

KevM

Thanks @YummyTofu and @tpaksu for the workaround. Hopefully this issue will be fully resolved in the next release.

kaxias

Make a file bat name makeCERT.bat

@echo off

REM IN YOUR SSL FOLDER, SAVE THIS FILE AS: makeCERT.bat
REM AT COMMAND LINE IN YOUR SSL FOLDER, RUN: makecert
REM IT WILL CREATE THESE FILES: example.cnf, example.crt, example.key
REM IMPORT THE .crt FILE INTO CHROME Trusted Root Certification Authorities
REM REMEMBER TO RESTART APACHE OR NGINX AFTER YOU CONFIGURE FOR THESE FILES

REM PLEASE UPDATE THE FOLLOWING VARIABLES FOR YOUR NEEDS.
SET HOSTNAME=domain
REM DOT= com DOT= dev DOT= test DOT= it
SET DOT=com
SET COUNTRY=UK
SET STATE=WY
SET CITY=Halifax
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET EMAIL=administrator@%HOSTNAME%.%DOT%

(
echo [req]
echo default_bits = 2048
echo prompt = no
echo default_md = sha256
echo x509_extensions = v3_req
echo distinguished_name = dn
echo:
echo [dn]
echo C = %COUNTRY%
echo ST = %STATE%
echo L = %CITY%
echo O = %ORGANIZATION%
echo OU = %ORGANIZATION_UNIT%
echo emailAddress = %EMAIL%
echo CN = %HOSTNAME%.%DOT%
echo:
echo [v3_req]
echo subjectAltName = @alt_names
echo:
echo [alt_names]
echo DNS.1 = *.%HOSTNAME%.%DOT%
echo DNS.2 = %HOSTNAME%.%DOT%
)>%HOSTNAME%.%DOT%.cnf

openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %HOSTNAME%.%DOT%.key -days 3560 -out %HOSTNAME%.%DOT%.crt -config %HOSTNAME%.%DOT%.cnf
sh

it will generate the follow files
domain.test.key
domain.test.cnf
domain.test.crt

and replace the originals and enjoin

i did forgot need to add on chrome on certification setting

i did found this code on the internet it not my.

bantya

@kaxias Here is the original gist.

bantya

@kaxias
The script you provided does assume that the meta-data info is never changed.
Instead you can use my solution, which is interactive and gives you flexibility to provide your own info without even needing to edit the .bat file.

👍

kaxias

REM PLEASE UPDATE THE FOLLOWING VARIABLES FOR YOUR NEEDS.
SET HOSTNAME=domain
REM DOT= com DOT= dev DOT= test DOT= it
SET DOT=com
SET COUNTRY=UK
SET STATE=WY
SET CITY=Halifax
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET EMAIL=administrator@%HOSTNAME%.%DOT%

here you can change your info

Wesley Brian Lachenal

@kaxias , @bantya
None of them worked though. Still showing this chrome error.

NET::ERR_CERT_AUTHORITY_INVALID

This server could not prove that it is gulp.oo; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

kaxias

After you generate the certificates. Go to you browser certification setting remove any old certificate and added the new certificates close all tabs and browsers reopen the browser go the https address you did create.

Sorry for my bad English.

Joshua Siagian

@Wesley-Brian-Lachenal

this maybe will solve ur issue and save ur time
https://forum.laragon.org/topic/767/what-domain-are-you-using-for-development?page=1

kaxias

@Joshua-Siagian

How that will help solve the problem?

Wesley Brian Lachenal

Did not notice the replies here.

@Joshua-Siagian, thank you for your time helping me, unfortunately I already checked that page before I got here.

@kaxias, It works when I tried closing and opening browsers, haha! Damn, should have done it few days ago. Happy now that I have https while developing locally! ye!