64

I set up SSL on localhost (WAMP); I made the SSL crt with GnuWin32.

When I try to login with fb in Chrome I get the following message:

URL:

https://localhost/ServerSide/fb-callback.php?code=.....#_=_

Error:

Your connection is not private.
Attackers might be trying to steal your information from localhost (for example, passwords, messages, or credit cards). NET::ERR_CERT_INVALID. localhost normally uses encryption to protect your information. When Chrome tried to connect to localhost this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be localhost, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged.

You cannot visit localhost right now because the website sent scrambled credentials that Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

My SSL Config:

```apache
# Listen for HTTPS on the standard port
Listen 443
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:c:/wamp/www/ssl/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
<VirtualHost *:443>
    DocumentRoot "c:/wamp/www"
    ServerName localhost:443
    ServerAdmin admin@example.com
    ErrorLog "c:/wamp/logs/error.log"
    TransferLog "c:/wamp/logs/access.log"
    SSLEngine on
    # Certificate and private key presented to the browser
    SSLCertificateFile "c:/wamp/www/ssl/ia.crt"
    SSLCertificateKeyFile "c:/wamp/www/ssl/ia.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "c:/Apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]"  nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    # Per-request log of the negotiated protocol and cipher
    CustomLog "c:/wamp/logs/ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

My question is: how do I set up a valid SSL certificate on localhost? Or do I need to edit my configuration?

WEBjuju
Ramo Toric
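
Added example (not part of the original question or its answers): one way to generate a self-signed certificate whose subjectAltName covers `localhost`, and to check it before pointing Apache at it. It assumes a POSIX shell with OpenSSL on the PATH; the function names and output directory are illustrative, and the file names `ia.crt` / `ia.key` are taken from the config above.

```shell
# Added example: build a localhost certificate with SAN entries, then verify it.
# Assumes: POSIX sh and the openssl CLI. Function names are hypothetical.

make_localhost_cert() {
    dir="$1"
    mkdir -p "$dir" || return 1
    # Minimal request config: no prompts, extensions applied to the self-signed cert.
    cat > "$dir/localhost.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no

[dn]
CN = localhost

[v3]
subjectAltName   = DNS:localhost, IP:127.0.0.1
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/localhost.cnf" \
        -keyout "$dir/ia.key" -out "$dir/ia.crt" 2>/dev/null
}

# True when the certificate's names cover the given host name.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# True when the private key belongs to the certificate (same public key).
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# Usage: make_localhost_cert ./ssl && cert_matches_host ./ssl/ia.crt localhost
```

Point `SSLCertificateFile` and `SSLCertificateKeyFile` at the generated files. Because the certificate is self-signed, Chrome still warns until it is added to the trust store Chrome uses on that machine.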

3 Answers

153

Allow Insecure SSL (localhost)

In Chrome (including Version 116), enable allow insecure localhost:

chrome://flags/#allow-insecure-localhost


Refer to this Stack Overflow for more information.


Allow Insecure SSL (other)

  1. See "Your connection is not private. blah-bla-blah"...
  2. Type thisisunsafe (key listeners pick it up).

Notes

If you are just curious if this works, browse this site which has a bad root ssl certificate. Other "bad ssl" sites can be found using badssl.com.

More about the Chromium "override keyword".

This is specific for each site.

The chrome developers also do change this periodically.

The current (v116) BYPASS_SEQUENCE is dGhpc2lzdW5zYWZl (which is base64 encoded).

WEBjuju
  • 2
    Any idea why this is happening? For me, the Angular server which was running on port number 4200 was previously working fine. It was only yesterday that I faced this issue for the first time. Any idea why that happened all of a sudden? – Romeo Sierra Jan 22 '20 at 05:16
  • @RomeoSierra when did you set up the SSL...yesterday? Even if SSL had been set up previously, you may have been accessing the site via "http" not "https". – WEBjuju Jan 22 '20 at 15:47
  • Nop. I had SSL setup for long time now, as it is required for facebook signup. And when you host your development server for angular using `ng serve --ssl=true` you can't access over HTTP. – Romeo Sierra Jan 23 '20 at 04:17
  • @romeosierra dunno - if this fixes it, there you go. `why it broke` may be an opportunity to ask a new question. – WEBjuju Jan 23 '20 at 21:58
111

1. When you see "Your connection is not private...NET::ERR_CERT_INVALID" warning on Chrome,

2. Just type "thisisunsafe" and wait.


Note: Last time this was tested, Chrome latest version was 107.0.5304.107

Eddy
Arda Basoglu
  • 8
    This actually works. I wish Chrome would just put something in devtools to address this, but at least this is something better than enabling a catch all flag. – James Nov 09 '20 at 23:11
  • 5
    Still working for Chrome Version 88.0.4324.96 – KlavierCat Jan 26 '21 at 15:22
  • 14
    Da hell? I was looking over my shoulder to make sure nobody was watching because I was going to be embarrassed I was gullible enough to try this. It actually works. – Aaronius Mar 04 '21 at 03:28
  • 1
    I have the accepted answer which was for "localhost" only. Typing this when you see the page (not into any input widget, just type it) will accept the insecure ssl cert for any domain. – WEBjuju May 17 '21 at 16:38
  • 3
    This solution is right out of some silly hacker movie :D and yet... it works. Checked in Chrome 96.0.4664.110. – p-syche Jan 04 '22 at 12:55
  • 1
    omg :) this is just like an easter egg. And it is still working for Edge Version 98.0.1108.51 – Alper Batıoğlu Feb 15 '22 at 16:40
  • 1
    Works in Edge 103 as well as of today. If you hadn't had so many upvotes, I'd have thought this was a joke – ItalyPaleAle Jul 02 '22 at 20:46
  • 1
    Man this was a life saver just tested this out in Version 103.0.5060.134 (Official Build) (arm64) Just like in movies haha – Charith Jayasanka Jul 25 '22 at 08:00
1
Your connection is not private
Attackers might be trying to steal your information from 10.10.10.10 (for example, passwords, messages or credit cards). Learn more
NET::ERR_CERT_INVALID

Type “badidea” or “thisisunsafe” directly on the same Chrome page.

Do this if you are REALLY SURE that the link you are trying is safe. In my case I was trying to set up StackStorm locally using Vagrant and VirtualBox.

Chrome version: Version 92.0.4515.131 (Official Build) (x86_64). Source

Shakeel
  • 1
    'badidea' didn't work for me on Chrome Version 102.0.5005.115 (Official Build) (arm64), but 'thisisunsafe' does. – Raleigh L. Jul 14 '22 at 16:53
  • [As of Chrome 65 the keyword is `thisisunsafe`](https://stackoverflow.com/questions/35565278/ssl-localhost-privacy-error/41020281#answer-41020281). – WEBjuju Oct 26 '22 at 14:00