How to get https certificate working on local Laravel Homestead site
Solution 1
Unfortunately, I don't have an easy way of checking it on Windows, so I'm going to use VirtualBox running on Linux here. Install vagrant
, then:
$ vagrant box add laravel/homestead
$ git clone https://github.com/laravel/homestead.git
$ cd homestead
$ git checkout v7.3.0
$ bash init.sh
I've simplified Homestead.yaml
a bit (you might prefer to stick with the defaults):
---
ip: "192.168.10.10"
provider: virtualbox
folders:
- map: /home/yuri/_/la1
to: /home/vagrant/code
sites:
- map: homestead.test
to: /home/vagrant/code/public
Then:
$ mkdir -p ~/_/la1/public
$ echo '<?php echo "it works";' > ~/_/la1/public/index.php
$ vagrant up
$ vagrant ssh -c 'ls /etc/nginx/sites-enabled'
homestead.test
$ vagrant ssh -c 'cat /etc/nginx/sites-enabled/homestead.test'
server {
listen 80;
listen 443 ssl http2;
server_name .homestead.test;
root "/home/vagrant/code/public";
...
ssl_certificate /etc/nginx/ssl/homestead.test.crt;
ssl_certificate_key /etc/nginx/ssl/homestead.test.key;
}
As we can see it has the certificates in /etc/nginx/ssl
:
$ vagrant ssh -c 'ls -1 /etc/nginx/ssl'
ca.homestead.homestead.cnf
ca.homestead.homestead.crt
ca.homestead.homestead.key
ca.srl
homestead.test.cnf
homestead.test.crt
homestead.test.csr
homestead.test.key
I tried to trust server certificate systemwide, but it didn't work out. It appeared on Servers tab in Firefox' Certificate Manager, but that didn't make Firefox trust it. I could probably have added an exception, but trusting CA certificates looks like a better option. Trusting CA certificate makes browser trust any certificate they issue (new sites running under Homestead). So we're going to go with CA certificate here:
$ vagrant ssh -c 'cat /etc/nginx/ssl/ca.homestead.homestead.crt' > ca.homestead.homestead.crt
$ sudo trust anchor ca.homestead.homestead.crt
$ trust list | head -n 5
pkcs11:id=%4c%f9%25%11%e5%8d%ad%5c%2a%f3%63%b6%9e%53%c4%70%fa%90%4d%77;type=cert
type: certificate
label: Homestead homestead Root CA
trust: anchor
category: authority
Then, I've added 192.168.10.10 homestead.test
to /etc/hosts
, restarted Chromium, and it worked:
P.S. I'm running Chromium 65.0.3325.162, and Firefox 59.0.
Windows
Apparently, Windows doesn't have trust
utility. Under Windows one has two stores: Local Machine and Current User Certificate stores. No point in using Local Machine Certificate Store, since we're making it work just for our current user. Then, there are substores. With two predefined of them being of most interest: Trusted Root Certification Authorities and Intermediate Certification Authorities Stores. Commonly referred in command line as root and CA.
You can access Chrome's Certificate Manager by following chrome://settings/?search=Manage%20certificates, then clicking Manage certificates. Of most interest are Trusted Root Certification Authorities and Intermediate Certification Authorities tabs.
One way to manager certificates is via command line:
>rem list Current User > Trusted Root Certification Authorities store
>certutil.exe -store -user root
>rem list Local Machine > Intermediate Certification Authorities store
>certutil.exe -store -enterprise CA
>rem GUI version of -store command
>certutil.exe -viewstore -user CA
>rem add certificate to Current User > Trusted Root Certification Authorities store
>certutil.exe -addstore -user root path\to\file.crt
>rem delete certificate from Current User > Trusted Root Certification Authorities store by serial number
>certutil.exe -delstore -user root 03259fa1
>rem GUI version of -delstore command
>certutil.exe -viewdelstore -user CA
The results are as follows (for both Local Machine and Current User Certificate stores):
root
homestead.test.crt
error
ca.homestead.homestead.crt
appears in Trusted Root Certification Authorities tab
CA
homestead.test.crt
doesn't work, appears in Other People tab
ca.homestead.homestead.crt
doesn't work, appears in Intermediate Certification Authorities tab
Other options would be double-clicking on a certificate in Explorer, importing certificates from Chrome's Certificate Manager, using Certificates MMC Snap-in (run certmgr.msc
), or using CertMgr.exe
.
For those who have grep
installed, here's how to quickly check where is the certificate:
>certutil.exe -store -user root | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -user CA | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -enterprise root | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -enterprise CA | grep "homestead\|^root\|^CA"
So, installing CA certificate into Current User > Trusted Root Certification Authorities store seems like the best option. And make sure not to forget to restart your browser.
more in-depth explanation of how it works
In Vagrantfile
it requires scripts/homestead.rb
, then runs Homestead.configure
. That's the method, that configures vagrant
to make all the needed preparations.
There we can see:
if settings.include? 'sites'
settings["sites"].each do |site|
# Create SSL certificate
config.vm.provision "shell" do |s|
s.name = "Creating Certificate: " + site["map"]
s.path = scriptDir + "/create-certificate.sh"
s.args = [site["map"]]
end
...
config.vm.provision "shell" do |s|
...
s.path = scriptDir + "/serve-#{type}.sh"
...
end
...
end
end
So, these two files create certificate and nginx
config respectively.
further reading
How to make browser trust localhost SSL certificate?
Solution 2
Apparently you have to add your cert to the Trusted CA store. I let it auto decide and that did not work. Also I added it to my personal store which also did not work.
So the steps are (if you are on windows) is to hit your windows key and type in "Internet Options" and open well your internet options. Then click the "content" tab. From here click on "certificates" which is the middle button.
Then click Import and Next. Browse to where you saved the cert.
Then click "Place all certificates in the following store" and click browse and select the "Trusted Root Certificate Authorities".
And you should get a popup asking you to confirm and warning you and all that jazz.
And then make sure you restart your browser. On chrome you can type this into the URL bar: chrome://restart
. Boom I hoped this helped you!
Related videos on Youtube
![Ryan](https://i.stack.imgur.com/BxOOa.jpg?s=256&g=1)
Ryan
https://ryancwalsh.com/resume Princeton graduate with more than 17 years of leadership roles in software engineering, product management, and both entrepreneurial and enterprise web development.
Updated on July 09, 2022Comments
-
Ryan almost 2 years
I'm getting this problem:
The error that I'm seeing in Windows 10 Chrome Version 65.0.3325.181 (Official Build) (64-bit) is:
Your connection is not private
Attackers might be trying to steal your information from ((mysite)) (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID
This page is not secure (broken HTTPS).
Certificate - missing
This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).
Firefox Quantum 59.0.2 (64-bit) says:
Your connection is not secure
The owner of ((mysite)) has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
Connection is Not Secure
Could not verify this certificate because the issuer is unknown.
I have already tried: https://stackoverflow.com/a/47755133/470749
vboxmanage --version 5.2.6r120293 vagrant -v Vagrant 2.0.2 git branch * (HEAD detached at v7.3.0) vagrant box list laravel/homestead (virtualbox, 5.2.0) vagrant box update ==> vboxHomestead: Checking for updates to 'laravel/homestead' vboxHomestead: Latest installed version: 5.2.0 vboxHomestead: Version constraints: >= 5.2.0 vboxHomestead: Provider: virtualbox ==> vboxHomestead: Box 'laravel/homestead' (v5.2.0) is running the latest version.
I wonder if this means that I'm not yet using release 7.1.0 (which has in its changelog "sign SSL certificates with a custom root certificate"), and I wonder if that's why I have this SSL HTTPS problem.
What are the next steps I should try now to get the certificate working?
-
Ryan over 6 yearsHomestead 5.1.0 seems to be the latest available here: app.vagrantup.com/laravel/boxes/homestead. I'm very confused. What is the 7.1.2 referring to?
-
x-yuri about 6 yearsCan you provide us with output from
echo | openssl s_client -connect localhost:443 -servername localhost
? Additionally, output ofecho | openssl s_client -connect localhost:443 -servername localhost | openssl x509 -text -noout
may come in handy. Correct domain and port if needed. -
Ryan about 6 years@x-yuri Yes, but the output is long. What should I be looking for?
echo | openssl s_client -connect kvb.test:443 -servername kvb.test CONNECTED(000001A0) --- Certificate chain 0 s:/O=Vagrant/C=UN/CN=kvb.test i:/O=Vagrant/C=UN/CN=Homestead vboxHomestead Root CA --- Server certificate -----BEGIN CERTIFICATE----- MIIE7TCCA (... and much more...)
-
x-yuri about 6 years"What should I be looking for?" Not sure yet. Can you create a gist with the output and give me a link to it? Or use some pastebin?
-
-
Ryan about 6 yearsI think I have tried #1 (but am not 100% sure what steps you are recommending) and am unclear about the steps for #2, too.
-
Ryan about 6 yearsIt's great to see a screenshot of the green lock next to
https://homestead.test
in your address bar. However, the only relevant steps are to first copy/etc/nginx/ssl/ca.homestead.homestead.crt
from my Homestead Vagrant box into a path that is reachable on Windows and then run an equivalent ofsudo trust anchor ca.homestead.homestead.crt
. So this is where I'm stuck now: -
Ryan about 6 yearsWhen I run Windows Command Prompt as an admin and try to run that
trust anchor
command, I get this error:p11-kit: couldn't complete writing file: C:/Program Files/Git/mingw64/etc/pki/ca-trust/source\Homestead_vboxHomestead_Root_CA.p11-kit: No such file or directory p11-kit: couldn't create object: The operation failed
-
Ryan about 6 yearsAhh, we might be getting closer. I ran
certutil -addstore -enterprise -f "Root" ca.homestead.vboxHomestead.crt
from a Windows Command Prompt as Admin, and now Chrome's error is different:This page is not secure (broken HTTPS). Resources - active content with certificate errors You have recently allowed content loaded with certificate errors (such as scripts or iframes) to run on this site.
-
x-yuri about 6 years@Ryan Try to make use of
CertMgr
.CertMgr /s /r localMachine
,CertMgr /s /r currentUser
to list certificates.CertMgr /add homestead.test.crt /s /r currentUser root
to add a certificate. More info. Not sure if browsers consult those stores though. Most likely, if they do you'll find the CA certificate under Authorities tab of browser's Certificate Manager. -
Ryan about 6 yearsI'll award the bounty because of your effort (especially your screenshot of the green lock, which gave me hope that it was possible). I think ultimately the steps I was missing were: use Windows Command Prompt as Admin to run
certutil -addstore -enterprise -f "Root" ca.homestead.vboxHomestead.crt
. Then it still didn't work, but I went to lunch, and when I returned and woke my computer up, it worked. It's working for my local site even though I'm using a URL that uses the xip.io service. I'm excited. Perhaps the only remaining challenge: how to get other devices (eg iPhone) to trust the cert. -
Ryan about 6 yearssuperuser.com/a/1032179/74576 helped me learn about
certutil
, and stackoverflow.com/a/46390363/470749 helped me when I got the "Active content with certificate errors" error. -
x-yuri about 6 years@Ryan I've added a section about Windows, consider accepting the answer.
-
Radmation almost 6 yearsI agree with @Ryan in regards to step #1. I have tried adding the certificate manually but it still is not showing the green icon.
-
Md Abdulla Al Mamun Nayon about 3 yearsThis gist is useful too.