CODEWITHSUNDEEP
google-chromessllocalhosthsts
nsilva
nsilva

Reputation: 5622

Google Chrome localhost | NET::ERR_CERT_AUTHORITY_INVALID

All of a sudden I seem to have an issue with Google Chrome using localhost.

I'm trying to access any of my development sites (using Ampps) and I get the following error:-

Your connection is not private Attackers might be trying to steal your information from website.dev (for example, passwords, messages or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID

When I visit any of the dev sites it is redirecting from http://website.dev to https://website.dev automatically. I'm not having any issue in Safari or Firefox so I don't understand what is going on.

I've tried re-installing Google Chrome, resetting it to the factory default settings...

I think it could be an issue with Keychain Access --> Certificates but wouldn't that mean it wouldn't work in Firefox and Safari if that was the case?

I've spent a while trying to find a solution but so far nothing has worked so I would appreciate some suggestions on how I can fix this. I can't even proceed passed this warning as I don't get the proceed link (insecure) as shown below:-

enter image description here

Upvotes: 78

Views: 94830

Answers (10)

jug
jug

Reputation: 451

In recent version of chrome :

Navigate to : chrome://flags/#unsafely-treat-insecure-origin-as-secure

Add in textbox : https://localhost

Upvotes: 0

Klemart3D
Klemart3D

Reputation: 348

Best solution is to not use .dev because it owned by Google. Here you can find an updated list of all claimed TLDs : https://www.rfc-editor.org/rfc/rfc6761

To be safe, choose an unclaimed TLD like .test or .localhost. You can read a useful blog post here : https://www.iyware.com/dont-use-dev-for-development/

Upvotes: 5

Matt Smith
Matt Smith

Reputation: 2665

This solution no longer works since Chrome v119

Navigate to chrome://flags/#allow-insecure-localhost and set this option to enabled:

Allow invalid certificates for resources loaded from localhost

Upvotes: 221

garik
garik

Reputation: 5756

In addtional to @Matt Smith answer we can use Chrome 119, but Chrome DEV version. Option chrome://flags/#allow-insecure-localhost presents in version for developer. It works perfectlly well.

Upvotes: 0

Eric Grotke
Eric Grotke

Reputation: 5145

One quick workaround for this is to just open a Chrome tab in incognito mode: Shift-CMD-N

Upvotes: 1

Noy Oliel
Noy Oliel

Reputation: 1696

In my case, in order to solve the issue so that I can "Proceed to unsafe", I needed to go to:

chrome://net-internals/#sockets

then click: "Close idle sockets", "Flush socket pools"

Afterwards go to:

chrome://net-internals/#dns

Then click "Clear host cache"

If it still doesn't work and you are a mac user, try to repeat above after removing localhost certificates using Apple's Keychain Access tool

Upvotes: 1

Girdhar Singh Rathore
Girdhar Singh Rathore

Reputation: 5615

you need to add remote site certificate to your local key store

  1. To download certificate from remote site, you will require keytool, open gitbash as admin and run below command to generate the certificate

    openssl s_client -showcerts -connect host:port

  2. save the value of above command to from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- to the .crt file.

  3. to add certificate to your local key store, run below command

    keytool -import -noprompt -trustcacerts -alias name_of_certificate -file "path_of_dot_crt_file" -keystore "C:\Program Files\Java\jdk1.8.0_192\jre\lib\security\cacerts" -storepass changeit

you can also add downloaded certificate to your browser.

Upvotes: 0

moonclearner
moonclearner

Reputation: 1

I got same bug, because the CRL file is out of date, and the solution is that update the crl file

Upvotes: 0

Mihail Ivanchev
Mihail Ivanchev

Reputation: 425

This is really annoying to deal with, but mapping the local website to something other than .dev (I personally use .devo) does work and fixes the problem in chrome. Also, you can add an exception for the page in Mozilla Firefox and not deal with this at all. It's only a problem on Chrome 63+

Upvotes: 7

curveball
curveball

Reputation: 4505

After playing around, I came up with one kind of a solution.

First, lets talk about the problem: the cause of this error is that both of us used a .dev domain for our local development. If you go here you will find out that root .dev domain is owned by Google and applying HSTS in Chrome they enforce https-redirect for this domain. Since we use .dev domains, we get redirected to https version and at the same time we don't have any actual certificates installed. So, we see this annoying error. If you go to chrome://net-internals/#hsts you can check your .dev domain and you will actually find out that

static_sts_domain: dev
static_upgrade_mode: FORCE_HTTPS
static_sts_include_subdomains: true

which confirms that HSTS is enforced on *.dev indeed. The policy type is static and, as I understand, it's kind of hard-coded to https-redirect .dev domains.

So, there are at least 2 ways - get and set up an actual certificate somehow or just use another (not .dev) root domain in httpd-vhosts.conf for your local development (also don't forget to update /etc/hosts and launch apache again). I went another root domain route and it solved this issue.

Upvotes: 38

Related Questions