Google Chrome's update to version 58 started invalidating my self-signed certificates a few days ago. It was complaining about missing subjectAltNames.
I did some research and tried a couple of suggestions (which wouldn't work) but then found this post, the only one that I could get working.
Or did I?
Yay, Chrome is now accepting my newly generated and imported certificates and I was on my way, until I hit a page in my PHP web app that requires loading data from another micro web-service on the same dev machine.
stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:
I have been googling and tinkering with this for about 4 hours now and just cannot get my head around it.
Question
Why is Chrome accepting my certificate, while tools like curl and openssl s_client are all giving me "unable to verify the first certificate" or "invalid certificate"? I have tried passing the certificate as a parameter and still apparently invalid.
Debugging with curl and openssl, passing the certificate file as a parameter, continues to give me this error:
SSL certificate verify result: unable to get local issuer certificate (20),
I think I'm gonna be completely bald by the end of the day.
Notes
The virtual machine is my local development environment so I do have multiple domains with their own cert and keys
VM sits on IP 192.168.33.10, meaning Chrome is not accessing localhost. However, curl and openssl s_client are trying to access localhost
Server is a VM running Ubuntu 14.04
Installed self-signed certificate on host machine with MMC (Microsoft's management console)
Error is definitely coming from the client class trying to access a web-service.
I have tried passing the certificate as a parameter and still apparently invalid.
I am fully aware I can set verify peer to false or pass --insecure to the request but I don't learn anything from that.
SSL-Session: Protocol : TLSv1.2
Ran sudo dpkg-reconfigure ca-certificates to update certs
Have run sudo update-ca-certificates
I have reached frustration level 9000
Revert update
I regenerated a new certificate with v3 extension turned off and I am back to Chrome telling me subjectAltName is missing, but curl is working. I need to work out how to generate certs that both curl and Chrome will accept.
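
Added example, not part of the original post: one way to generate a self-signed certificate that keeps the v3 extensions (including subjectAltName) and to check it with openssl against itself as the trust anchor. The hostname dev.example.test, the file names and the function names are assumptions; the IP is the VM address from the notes above.

```shell
# Added example: self-signed dev cert carrying subjectAltName entries.
# dev.example.test and all function/file names are hypothetical.

make_san_cert() {  # usage: make_san_cert <outdir> <dns-name> <ip>
    dir=$1; host=$2; ip=$3
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_dev
prompt = no

[dn]
CN = $host

[v3_dev]
# The cert is imported as its own trust anchor, so it is marked as a CA
# with keyCertSign (assumption: no separate dev CA is used).
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
subjectAltName = @alt

[alt]
DNS.1 = $host
DNS.2 = localhost
IP.1 = $ip
IP.2 = 127.0.0.1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/san.cnf" \
        -keyout "$dir/dev.key" -out "$dir/dev.crt" 2>/dev/null
}

has_san() {  # usage: has_san <cert> <entry>, e.g. "DNS:localhost"
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

verifies_as_own_anchor() {  # usage: verifies_as_own_anchor <cert>
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Run with the argument "demo" to build a cert in a temp dir and verify it.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_san_cert "$d" dev.example.test 192.168.33.10 &&
        verifies_as_own_anchor "$d/dev.crt" && echo "verify OK: $d/dev.crt"
fi
```

The same dev.crt can then be passed to the client as its CA file and imported on the host, so that both sides are checked against one certificate.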