Since December 2017 it has not been possible to use the popular .dev and similar domains for local development without a little magic. Chrome redirects all of these sites to HTTPS on its own and applies extra-strict verification. More information: https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/
Now it is time to change all local dev sites or, even better, give these sites valid HTTPS certificates. I have long been missing local dev sites with valid certificates, since I do a lot of API integration programming and do not want to add exceptions in development that skip the certificate check. It is better to have local sites similar to production.
At first I was looking at some GUIs like tinyCA and gnoMint, but these did not do exactly what I wanted. Instead I found a great tutorial on how to do it on the command line at https://ram.k0a1a.net/self-signed_https_cert_after_chrome_58
In short, the process has 4 parts:
a) create CA
b) import this CA into browsers and OS
c) create config files for generating certificates for server
d) generate server certificate
After that it is as simple as installing the certificate on your vhost and all is good.
Part a) create CA
# openssl genrsa -out server_rootCA.key 2048
# openssl req -x509 -new -nodes -key server_rootCA.key -sha256 -days 3650 -out server_rootCA.pem
Keep this CA private key in a secure place!!
Part b) import this CA into browsers and OS
In Ubuntu you can import it to OS with these commands:
# cp server_rootCA.pem /usr/local/share/ca-certificates/
# update-ca-certificates
For browsers, look in their settings: under Certificates there should be something like Authorities with an import button. Import the CA certificate and this browser is set.
Part c) Create config files for generating certificates for server
Create 2 files, server_rootCA.csr.cnf and v3.ext. Change eat-that-google.dev to your desired domain name.
server_rootCA.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=EE
ST=Tartu
L=Tartu
O=Riia
OU=local_RootCA
emailAddress=margus.pala@gmail.com
CN = eat-that-google.dev
v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = eat-that-google.dev
Part d) generate server certificate
Now generate your server certificate with these commands:
# openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server_rootCA.csr.cnf
# openssl x509 -req -in server.csr -CA server_rootCA.pem -CAkey server_rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext
For each new domain, change the domain in the config files and generate a new private key server.key and certificate server.crt.
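Parts c) and d) repeated per domain can be wrapped in a small script. The following is an added example, not part of the original tutorial: the function names write_configs and issue_cert, the per-domain file names and the shortened DN values are assumptions made for illustration. It also checks the result by verifying the certificate against the CA and confirming the domain appears in subjectAltName.

```shell
#!/bin/sh
# Added example: issue a certificate for one local domain from the CA made in part a).
# Assumes server_rootCA.pem and server_rootCA.key are in the current directory.
set -eu

# Write the per-domain CSR config and extension file (same settings as part c).
write_configs() {
    domain=$1
    cat > "$domain.csr.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = EE
O = local dev (constructed placeholder)
CN = $domain
EOF
    cat > "$domain.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $domain
EOF
}

# Generate key + CSR, sign with the CA, then verify the chain and the SAN entry.
issue_cert() {
    domain=$1
    write_configs "$domain"
    openssl req -new -sha256 -nodes -newkey rsa:2048 \
        -keyout "$domain.key" -out "$domain.csr" -config "$domain.csr.cnf"
    openssl x509 -req -in "$domain.csr" -CA server_rootCA.pem -CAkey server_rootCA.key \
        -CAcreateserial -out "$domain.crt" -days 3650 -sha256 -extfile "$domain.ext"
    openssl verify -CAfile server_rootCA.pem "$domain.crt"
    openssl x509 -in "$domain.crt" -noout -text | grep -qF "DNS:$domain"
}

# Run only when a domain is given on the command line, e.g.: sh issue.sh myapp.test
if [ "$#" -gt 0 ]; then issue_cert "$1"; fi
```

A non-zero exit status means either the chain did not verify against server_rootCA.pem or the domain is missing from subjectAltName.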