3

I'm a web developer and I use Ubuntu 18.04. My setup is nginx, php-fpm, mysql. I have multiple sites running on my machine e.g. site1.local, site2.local.

I followed this instruction to configure my local sites to use SSL: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04.

I managed to configure it successfully. But my problem is when I go to https://site1.local in google chrome, I see a warning message "Your connection is not private":

enter image description here

And I have to manually click "Advanced" and "Proceed to site1.local (unsafe)".

My goal is to remove this warning message and see my site immediately without this warning.

I already Enabled my chrome to Allow invalid certificates for resources loaded from localhost by going here chrome://flags/#allow-insecure-localhost

What should I do now?

aceraven777
  • 131

3 Answers3

5

Most web browsers nowadays always alert users when they visit websites without HTTPS. If those websites come with self-signed SSL certificates, they will display the "Your connection is not private", and the err code should be "NET::ERR_CERT_AUTHORITY_INVALID".

Purchase And Install Paid SSL Certificate

To avoid this issue on your website to improve user experience, you should install a well-known SSL certificate, such as the one you can purchase from Name.com, NameCheap.com or Godaddy.com. The cost is starting from $9/year or more, depending on the type of SSL certificates you purchase. But I think when covering one domain, this one from NameCheap.com is great.

Here is the step-by-step guide from NameCheap.com to tell users on how to install SSL certificate on NGINX. Check it out!

Obtain Free SSL Certificate From Let's Encrypt

If you do not want to spend money on these paid SSL certificates, you can try free one from Let's Encrypt. This is an organization that issues trusted SSL certificates to users for free.

This free SSL certificate is trusted by most major web browsers, so you will not confront the above-mentioned error anymore. Here are two articles I found to tell how to install Let's Encrypt SSL certificate for free with Certbot on NGINX and Ubuntu.

https://devanswers.co/lets-encrypt-ssl-cert-nginx-ubuntu-18-04/

https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx.html

I'm a web developer and I use Ubuntu 18.04. My setup is nginx, php-fpm, mysql. I have multiple sites running on my machine e.g. site1.local, site2.local.

One thing you should know that this type of SSL certificates is only capable of verifying for one domain. If you would like to use multiple domains, you need to install multiple times with different configurations. For example, if your website uses two domains running parallel: domain1.com and domain2.com, then you need to install two SSL certificates.

If you only install the SSL certificate for domain1.com, then when you load your website through domain2.com, you will get this "not private" error.

To diagnose issues when setting up SSL certificates on your website or find out about "Your connection is not private" error on your web browser, check out the following article.

Echo Diaz
  • 616
0

Use certificates signed by a ca that is included in Your browser/systems trust store.

Edit: on request of I add a way to create a ca-signed certificate including nowadays necessary default extensions with some quite default openssl 1.1.1 setup without needing to edit openssl.cnf and/or setup a "proper" ca.

Create a ca key and cert:

openssl genrsa -out ca.key 2048
openssl req -x509 -new -extensions v3_ca -key ca.key -days 3652 -out ca.crt -sha256 -subj "/C=CC/ST=Some State/L=Some City/O=Some Organisation/OU=Some Org Unit/CN=Some Chosen CA Name/emailAddress=someuser@some.domain.org"

Note 1: You may want to encrypt/passwordprotect the ca.key using the -aes256 option to genrsa command, otherwise a stolen ca.key could be used to sign certificates Your browser trusting Your ca trusts blindly
Note 2: You do not need to include that much information in subject, so for example -subj "/CN=Some Chosen CA Name" would be sufficent
Add the ca certificat (ca.crt) to Your browser or systems trust-store.

Create certiciates signed by Your ca:

openssl genrsa -out some-example.key 2048
openssl req -new -key some-example.key -sha256 -subj "/C=CC/ST=Some State/L=Some City/O=Some Organisation/OU=Some Org Unit/CN=*.local/emailAddress=someuser@some.domain.org" | openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -out some-example.crt -days 730 -sha256 -extfile <(echo -e 'basicConstraints=critical,CA:FALSE\nnsCertType=server\nnsComment="OpenSSL Generated Certificate for App Tests"\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.local,DNS:local,DNS:*.testdomain,DNS:testdomain')

Note 1: You may not want/need to include the "Netscape" extensions (the line beginning with ns in generated extfile), it's a common OpenSSL default to include nsComment and also to hint setting nsCertType in config, but is not set in many certificates nowadays.
Note 2: modern client should only use the subjectAltName for subject-name verification, which means the CN in the certificates subject becomes informational and ALL names (or IPs, OIDs, ...) the certificatre shall be valid for shall go into subjectAltName. Also subjectAltName should be used even in case You want the vertificate to be valid for only a single name or address.
Note 3: You do not need to include that much information in subject, so for example -subj "/CN=Some App Test Certifciate" would be sufficent if client properly uses the SAN extension to verify subject.

This example certificate would be valid for Hostnames local, testdomain and all direct child names (i.e. app1.local, app2.local, app3.testdomain).
Of Course You can create the certificates or only for the single hostnames You want, as long as You use same ca.crt and ca.key the will all work in the browsers trusting ca.crt.

EOhm
  • 618
0

Chrome doesn't like self-signed certificates.

You have to import the certificate in Chrome as a root certificate.

xenoid
  • 10,597