I have been at this for several hours and have not solved the issue. Hoping someone may have some insight and determine if this is just my issue or an issue with VVV.
I started up VVV yesterday and all domains give me the “Your connection is not private” error in Chrome for all pages under https. I did not change any settings myself so I suspect it could be related to some update to Chrome or MacOS. VVV uses the “*.vvv.test” certificate which covers all the default domains such as:
*.wordpress-develop.test
*.wordpress.test
*.wordpress-develop.dev
*.wordpress.dev
*.vvv.dev
*.vvv.local
*.vvv.localhost
*.vvv.test
In the Mac Keychain I have marked *.vvv.test as trusted for all users but I still experience the error. But, it does have a different error code: NET::ERR_CERT_COMMON_NAME_INVALID.
After some investigating in the Chrome developer tools Security tab, I can see it is due to “Subject Alternative Name missing”. I am now looking into this to see if it may lead to a solution. Has anyone else experienced this? Found a solution? Can you replicate the issue? Here are the details of my set up:
MacOS: 10.12.6
Chrome: 63.0.3239.84
VVV: 2.1.0
This issue is also present in Firefox but appears to work in Safari.
I've been having the same problem since last week running the latest chrome/ff. When I check Chrome Version 62 in browser stack, my site loads normally (and that's regardless of mac vs. PC)
The self signed certificate that gets generated is more of a hack than a real feature, if I recall, it's something @jeremyfelt did for his own purposes in the earlier days of VVV. There is no guarantee that it will work.
Also keep in mind when using .dev there are additional restrictions imposed by Chrome
I'm marking this as wontfix for now, I believe the ideal resolution is the removal of that self signed SSL certificate. Given that it changes on every version update, only applies to certain sites, and doesn't work reliably it doesn't make sense.
If you want HTTPS on VVV, create a certificate authority of your own, trust it, then generate certificates for personal use, modifying the site's nginx configs accordingly
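An added example, not part of the thread or of VVV: one way to do what the comment above suggests with the openssl CLI, issuing a leaf certificate that carries the Subject Alternative Name whose absence Chrome reported. The file names, the "Local Dev CA" subject, the 825-day lifetime and the CN-only certificate (a constructed stand-in for the failing case) are assumptions.

```bash
# Added example, not VVV's code; file names, CA subject and 825-day lifetime are assumed.
set -eu
# One OpenSSL config holding the CA and leaf extension sections.
write_config() {   # $1 = work dir, $2 = site domain
  cat > "$1/dev.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2, DNS:*.$2
EOF
}

# Private CA: the only certificate that gets imported and trusted.
make_ca() {        # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -config "$1/dev.cnf" -extensions v3_ca -subj "/CN=Local Dev CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Leaf signed by that CA; omit $3 to get a CN-only certificate with no SAN.
make_leaf() {      # $1 = work dir, $2 = output name, $3 = extension section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/dev.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$1/$2.csr" -out "$1/$2.crt" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    ${3:+-extfile "$1/dev.cnf" -extensions "$3"} 2>/dev/null
}

# True when the certificate carries the name in subjectAltName.
has_san() {        # $1 = cert file, $2 = DNS name
  openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

work=$(mktemp -d)
write_config "$work" vvv.test
make_ca "$work"
make_leaf "$work" cn-only            # constructed stand-in for the failing case
make_leaf "$work" site v3_leaf
has_san "$work/cn-only.crt" vvv.test || echo "cn-only: SAN missing"
has_san "$work/site.crt" vvv.test && echo "site: SAN present"
openssl verify -CAfile "$work/ca.crt" "$work/site.crt"
```

Import only `ca.crt` into the system trust store, and point the site's nginx `ssl_certificate` and `ssl_certificate_key` directives at `site.crt` and `site.key`. Keep `ca.key` off shared machines, since any certificate it signs will be trusted wherever that CA is installed.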
@tomjn what is the best route to "create a certificate authority of your own"?
I've tried creating the certs, pointing nginx to them, vagrant provision etc etc. doesn't work for me.
@tomjn what is the best route to "create a certificate authority of your own"?
There's no official or recommended way to do this at the moment, there's a knowledge gap that hasn't been filled/vetted. All I can say is that for custom SSL you'll want to setup an additional site, rather than using the sites that get provisioned by default
In addition, any documentation would need to cover how to make the browsers accept the certificates, they won't accept self signed by default
@tomjn thank you for the quick reply.
I think based on the CHANGELOG item #583 I think we're going to reinstall.
I eventually got it working myself, but it was a challenge. I was not very knowledgeable with SSL certificates.
I have not tested this, but would an alternative solution simply be to rename your domain from website.dev to website.test? My understanding is that the .test TLD is recognized by browsers as testing websites. https pages are automatically validated.
Naturally this will involve updating a few settings in the DB/vvv-custom.yml file as well though. You can still access the VVV landing page through the IP address http://192.168.50.4/ if needed, as well as phpMyAdmin http://192.168.50.4/database-admin/ to make the DB changes.
.test sites still need valid certificates, but .dev sites have special requirements above and beyond just an SSL certificate, with some security options forced to on by the browser itself
.test is protected by an RFC and is a standard, so it's never going to be bought by a search engine
Also, you can always access the dashboard via http://vvv.test
ah, ok. Looks like I didn't quite understand how .test TLDs work.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.