68

All of a sudden I seem to have an issue with Google Chrome using localhost.

I'm trying to access any of my development sites (using Ampps) and I get the following error:-

Your connection is not private Attackers might be trying to steal your information from website.dev (for example, passwords, messages or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID

When I visit any of the dev sites it is redirecting from http://website.dev to https://website.dev automatically. I'm not having any issue in Safari or Firefox so I don't understand what is going on.

I've tried re-installing Google Chrome, resetting it to the factory default settings...

I think it could be an issue with Keychain Access --> Certificates but wouldn't that mean it wouldn't work in Firefox and Safari if that was the case?

I've spent a while trying to find a solution but so far nothing has worked so I would appreciate some suggestions on how I can fix this. I can't even proceed past this warning as I don't get the proceed link (insecure) as shown below:-

enter image description here

quotesBro
nsilva
  • 2
    hi! Exactly the same problem here. Any progress? The curious thing is that everything was fine, for example, yesterday and is total wreck today. I suspect that Chrome got updated (63.0.3239.84 now on my PC). I read several articles/posts on the web and tried clearing cache, reinstalling Chrome, deleting HSTS policies for domains, accessing w/ and w/o https. – curveball Dec 07 '17 at 22:28
  • 1
    @curveball I thought I was going crazy. I tested this on a completely different install on another computer and it worked fine, but I didn't think it would be related to the .dev and I was testing it with .localhost! It literally happened overnight so it must be Chrome. Thanks a bunch, Google, for messing up several days of work trying to figure this stupid problem out. Why would they set .dev to forced SSL?? – Alison Dec 12 '17 at 20:58
  • @Alison you are welcome! Yes, this trouble emerged just out of the blue. I am not proficient enough to list solid reasons as to why they did it. It revolves around the "https everywhere" idea. Maybe they wanted to add this feature so badly that they just made it in a hurry overnight. While the message they show in Chrome is totally truthful ("your connection is not private"), it is very puzzling as well since there are several different causes leading to the same message and the real cause of such behavior is kinda hidden. I myself have tried several pieces of advice before getting to the gist. – curveball Dec 12 '17 at 21:37
  • 3
    Reason of this: [Chrome 63 forces .dev domains to HTTPS via preloaded HSTS](https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/) (well explained) – quotesBro Dec 16 '17 at 10:05
  • I had the exact same issue during development and there was no way Chrome let me bypass this warning (button was hidden): If you are not able to click the button which will let you enter the website (in my case my application on localhost) you can simply type in thisisunsafe and you are good to go. Source: https://medium.com/@dblazeski/chrome-bypass-net-err-cert-invalid-for-development-daefae43eb12 – Big Dude Oct 02 '20 at 06:10

8 Answers

195

Navigate to

chrome://flags/#allow-insecure-localhost

and set this to enabled.


Matt Smith
37

After playing around, I came up with one kind of a solution.

First, let's talk about the problem: the cause of this error is that both of us used a .dev domain for our local development. If you go here you will find out that the root .dev domain is owned by Google and, by applying HSTS in Chrome, they enforce an https-redirect for this domain. Since we use .dev domains, we get redirected to the https version and at the same time we don't have any actual certificates installed. So, we see this annoying error. If you go to chrome://net-internals/#hsts you can check your .dev domain and you will actually find out that

static_sts_domain: dev
static_upgrade_mode: FORCE_HTTPS
static_sts_include_subdomains: true

which confirms that HSTS is enforced on *.dev indeed. The policy type is static and, as I understand, it's kind of hard-coded to https-redirect .dev domains.

So, there are at least 2 ways - get and set up an actual certificate somehow or just use another (not .dev) root domain in httpd-vhosts.conf for your local development (also don't forget to update /etc/hosts and launch apache again). I went another root domain route and it solved this issue.

curveball
  • 2
    Thanks for the explanation @curveball - Is this a new thing because I've been using .dev for all my domains for the past two years and never had any issue like this before. It's working with .dev on my laptop still but not on my iMac. They are both running the same version OS and version of Chrome – nsilva Dec 08 '17 at 11:25
  • As I understand, it is not a brand new idea although I have come across this issue just for the first time too. I think that what is new is that this story with hsts became the default behavior in chrome. Besides, the list of domains like .dev that require redirect to https version is growing. – curveball Dec 08 '17 at 11:36
  • Thanks again @curveball - so going forward just use 'test' instead of 'test.dev' or we can use something else like test.yourcompanyname? (as long as it's something that is not already used) – nsilva Dec 11 '17 at 13:51
  • hi! I switched to example.site, i.e. now I use 'example.site' instead of 'example.dev'. But you can try anything suitable for you. BTW, '.test' sounds like a good substitute for '.dev'. Maybe, 'example.test' (assuming '.test' doesn't behave like '.dev' in Chrome)? – curveball Dec 11 '17 at 14:08
  • 1
    Thank you so much because this was driving me crazy and I didn't even think it could be related to the .dev. I did see the static_upgrade_mode: FORCE_HTTPS setting and for some reason didn't associate it with that particular domain extension. On my Chrome I can't even get around it; it's just an error page with none of the usual "unsafe site" stuff. Honestly I think this should be reported as a bug, or at least a warning would have been nice. Do they not realise how many of us use .dev as a localhost option? lol. – Alison Dec 12 '17 at 21:04
  • So is the fix to just use .test or .somethingnotused or has anyone found a workaround to get it working with .dev? – nsilva Dec 13 '17 at 11:42
  • @nsilva Yes. Using '.test' (.site, .mydev etc.) is the simplest and fastest way to get back to normality. As I understand, you can also try to set up a real certificate locally if it is worth it so that you will locally have `httpS://yoursite.dev`. Otherwise, it seems there is no way to avoid the redirect for `*.dev` since such behaviour is hard-coded in Chrome (at least as of now, maybe they will turn it off by default or make this policy dynamic in future releases). – curveball Dec 13 '17 at 11:50
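
As an added illustration of the answer above (not code from any of the posters), the following script lists the hostnames in an `/etc/hosts` file and an `httpd-vhosts.conf` file and flags those that fall under `.dev`, the one TLD this page shows with `static_upgrade_mode: FORCE_HTTPS`. The function names and the sample file contents are constructed for the example; the reserved TLD set comes from RFC 6761.

```python
import re

# TLDs this page shows Chrome upgrading to HTTPS via its static HSTS list.
# Only "dev" is confirmed here; add others you verify in chrome://net-internals/#hsts.
FORCED_HTTPS_TLDS = {"dev"}
# Special-use names reserved by RFC 6761, which cannot be delegated to a registry.
RESERVED_TLDS = {"test", "localhost", "invalid", "example"}

VHOST_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.IGNORECASE)

def hostnames_from_hosts(text):
    """Yield hostnames from /etc/hosts-style text (an address followed by names)."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        yield from fields[1:]

def hostnames_from_vhosts(text):
    """Yield ServerName/ServerAlias values from httpd-vhosts.conf-style text."""
    for line in text.splitlines():
        match = VHOST_RE.match(line.split("#", 1)[0])
        if match:
            for name in match.group(1).split():
                # Drop an optional scheme:// prefix and :port suffix.
                yield name.split("://")[-1].split(":")[0]

def audit(names):
    """Map each hostname to 'forced-https', 'reserved' or 'other' by its TLD."""
    result = {}
    for name in names:
        tld = name.lower().rstrip(".").rsplit(".", 1)[-1]
        if tld in FORCED_HTTPS_TLDS:
            result[name] = "forced-https"
        elif tld in RESERVED_TLDS:
            result[name] = "reserved"
        else:
            result[name] = "other"
    return result

# Constructed sample input, not taken from any real machine.
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 website.dev api.website.dev  # old naming
127.0.0.1 shop.test
"""
SAMPLE_VHOSTS = """<VirtualHost *:80>
    ServerName website.dev
    ServerAlias www.website.dev blog.devo
</VirtualHost>
"""

if __name__ == "__main__":
    found = list(hostnames_from_hosts(SAMPLE_HOSTS)) + list(hostnames_from_vhosts(SAMPLE_VHOSTS))
    for host, verdict in sorted(audit(found).items()):
        print(f"{verdict:13} {host}")
```

Names reported as `other` (such as the made-up `.devo`) work today but are not reserved, so a later delegation or preload entry could change how they behave; names under the RFC 6761 set do not carry that risk.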
6

This is really annoying to deal with, but mapping the local website to something other than .dev (I personally use .devo) does work and fixes the problem in Chrome. Also, you can add an exception for the page in Mozilla Firefox and not deal with this at all. It's only a problem on Chrome 63+.

Mihail Ivanchev
  • 3
    It seems this is working without the '.dev' but it's strange that this has been working with .dev for all my localhost domains for the past two years and all of a sudden it has stopped working just on Chrome – nsilva Dec 08 '17 at 11:14
  • I've been also using .dev for the past two years and it suddenly stopped working. This is what worked for me. Thanks. – Tarek K. Ajaj Dec 18 '17 at 07:30
  • This answer seems more like a comment to me. This will not provide any help to future viewers of this question and they will not have any use for your answer. Can you update your answer with explanations etc. – Tomm Dec 20 '17 at 07:58
  • Sure thing. Edited my answer. Hope it helps more people. – Mihail Ivanchev Dec 20 '17 at 11:18
  • `you can add an exception for the page in Mozilla Firefox` How do you do this? – Brady Dowling Aug 20 '20 at 14:31
4

Best solution is to not use .dev because it is owned by Google. Here you can find an updated list of all claimed TLDs: https://www.rfc-editor.org/rfc/rfc6761

To be safe, choose an unclaimed TLD like .test or .localhost. You can read a useful blog post here: https://iyware.com/dont-use-dev-for-development/

Community
Klemart3D
0

I got the same bug because the CRL file is out of date, and the solution is to update the CRL file.

0

You need to add the remote site's certificate to your local key store.

  1. To download the certificate from the remote site, you will require keytool. Open Git Bash as admin and run the command below to generate the certificate:

    openssl s_client -showcerts -connect host:port

  2. Save the output of the above command, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, to a .crt file.

  3. To add the certificate to your local key store, run the command below:

    keytool -import -noprompt -trustcacerts -alias name_of_certificate -file "path_of_dot_crt_file" -keystore "C:\Program Files\Java\jdk1.8.0_192\jre\lib\security\cacerts" -storepass changeit

You can also add the downloaded certificate to your browser.

Girdhar Singh Rathore
-1

In my case, in order to solve the issue so that I can "Proceed to unsafe", I needed to go to:

chrome://net-internals/#sockets

then click: "Close idle sockets", "Flush socket pools"

Afterwards go to:

chrome://net-internals/#dns

Then click "Clear host cache"

If it still doesn't work and you are a Mac user, try to repeat the above after removing localhost certificates using Apple's Keychain Access tool.

Noy Oliel
-1

One quick workaround for this is to just open a Chrome tab in incognito mode: Shift-CMD-N

Eric Grotke