I’m finding that the certificate issued by the app is invalid in a couple of browsers. This started happening recently but what version of DevKinsta it was happening on first I’m not sure. I’m able to continue working locally with Safari.
Browser where invalid
Chrome 107.0.5304.87
Firefox 106.0.3
Browser where valid
Safari 16.0 (16614.1.25.9.10, 16614)
Actions taken:
I used this tool to check the PEM encoded chain and it returned Certificate is not valid.
I don’t if this helps (S&Gs) but I tried to add the PEM chain I’m seeing in the browser into /etc/ssl/cert.pem. I restarted the site but that didn’t seem to help.
Restarted DevKinsta
Turned off other Docker Containers and local envs.
Toggled the HTTPS setting ON/OFF on the Site Info page of the app
Is this an open issue currently or is there something else I can try?
Hardware:
Model Name: MacBook Pro
Model Identifier: MacBookPro16,2
Processor Name: Quad-Core Intel Core i7
Processor Speed: 2.3 GHz
Number of Processors: 1
Total Number of Cores: 4
L2 Cache (per Core): 512 KB
L3 Cache: 8 MB
Hyper-Threading Technology: Enabled
Memory: 16 GB
System Firmware Version: 1554.140.20.0.0 (iBridge: 18.16.14759.0.1,0)
Recent Log output from devkinsta_nginx container: 2022/11/04 17:18:00 [warn] 1#1: the "http2_max_field_size" directive is obsolete, use the "large_client_header_buffers" directive instead in /etc/nginx/nginx.conf:16 2022/11/04 17:18:00 [warn] 1#1: the "http2_max_header_size" directive is obsolete, use the "large_client_header_buffers" directive instead in /etc/nginx/nginx.conf:17 2022/11/04 17:18:22 [warn] 1#1: the "http2_max_field_size" directive is obsolete, use the "large_client_header_buffers" directive instead in /etc/nginx/nginx.conf:16 2022/11/04 17:18:22 [warn] 1#1: the "http2_max_header_size" directive is obsolete, use the "large_client_header_buffers" directive instead in /etc/nginx/nginx.conf:17
Hi @dinu, thanks for sharing!
What error do you get within Firefox?
Also can you click on “Advanced” to proceed past that error?
Can you please share your OS and Browser versions as well?
The certificate is already in Keychain with “Always Trust” selected.
I can skip the error by clicking Advanced > Proceed to test2.local (unsafe), but it was working fine by the end of last week, only today I noticed it.
I also use Local by Flywheel and I noticed that some sites are working, some are not working. The difference I noticed in the certificate in Keychain is this:
Thank you @dinu and @sharpspring.
Are you both on Monterey 12.6? Did either of you update to 12.6 right before the issues started? That’s my best guess right now but we’ll need to collect more data to be sure. I’ll ask our devs to review everything that is shared in this thread.
I will add that neither my Windows 10 or Windows 11 PCs are experiencing this, so it seems Mac specific for now.
Clicking View Certificates as seen in screenshot will allow you add the full domain name (including port value if different) as an exception which so far allows me to bypass the warning in browser.
Thanks @sharpspring.
I’m at a loss here. We can’t blame the Chrome version since you aren’t all on the same one and it would only be an OS change if all of your OS’s received a security update automatically recently.
I’ll ask our developers to review again/see if we can reproduce this at all.
After reloading my Chrome it also displayed Version 107.0.5304.87 (Official Build) (arm64), although it was saying before that it was up to date with 106.0.5249.119 (Official Build) (arm64). I’m not sure if it was already updated in background and just not displaying the new version or not.
I haven’t updated macOS recently, and in System Report > Software > Installations the last auto update was a week before I noticed any issues.
I also tried turning the site off in DevKinsta, turning off SSL and HTTPS, and deleting the cert from keychain. I then deleted the cookies from my Chrome browser. Finally I turned on SSL and afterwards the site itself both through the DevKinsta app. This did not work for me.
For Chrome users try this:
When you see the Error screen with NET::ERR_CERT_INVALID, click anywhere on the background and type ‘thisisunsafe’ (without the quotes).
Press Enter/Return.
It should reload the page and display the site by doing this.
Now look at the Not Secure message in the browser as seen here:
“You have chosen to turn off security warnings for this site. Turn on warnings.”
This means you should be able to bypass the extra warning for now. If anything this helps alleviate my issues with self-signed certs in Chrome. Following the steps for Firefox in my last reply should help in that particular browser as well.
I think I’ll go ahead and mark my last reply as a solution as it solves my (OP) concern and seems to provide a viable work around for the time being. It still warrants investigation in my opinion because self-signed certs did not used to be an issue with either browser and Safari did not seem to bat an eye (it just loads like normal). Thanks for your help in troubleshooting this issue and to anyone reading this the solution here was to add the local domain as an exception to Firefox and Chrome. This may or may not be the best solution but it’s a path forward.
Thanks @sharpspring, so yes, something is definitely going on with self-signed certificates and MacOS.
Our developers can now reproduce the issue on Mac. They have the same recommendations regarding browser-level exceptions but are also researching alternatives that can be built into DevKinsta/our current process.
One other possibility they floated is that maybe there’s an issue with the expiration date of the self-signed certificates that’s setting of the security warning. Maybe sort of related to this: About upcoming limits on trusted certificates - Apple Support
Either way, we’ll keep investigating. Thank you for the time you put into troubleshooting and sharing your solutions!
There are multiple tickets on this, but i couldnt find an appropriate solution. So far I have successfully worked with the local version. For some reason now it is not allowing to open the page, due to a “insecure connection” when I open the local page through DevKinsta. Weird error for a local page to open in my eyes, so whats going on?
I’m assuming you are on a Mac as this is affecting local sites on Macs/Chrome across all local dev platforms(not just DevKinsta). Our developers are still researching the issue to hopefully have a fix(if one is possible), for the next release of DevKinsta.
