Using secure proxies with Google Chrome


Maybe try importing that certificate into your system's certificate store and trust it. Chrome uses the OS to validate the security certificate.

I think it is very understandable that Chrome gives you an error instead of a warning when the proxy's certificate is invalid because the proxy feature is probably implemented as a transparent add-on to its networking components. Requiring an additional UI to confirm the certificate of the proxy does not seem to be a useful feature.

The following steps will do the trick:

  1. Generate the key and the certificate:

    openssl genrsa -out key.pem 1024
    openssl req -new -key key.pem -subj "/CN=localhost" -out req.pem
    openssl x509 -req -days 30 -in req.pem -signkey key.pem -out cert.pem
    

    Note that the only mandatory field is CN (CommonName), and it must be the same as the proxy's domain.

  2. Add the certificate to the system database using certutil (from package libnss3-tools in Debian):

    certutil -d "sql:$HOME/.pki/nssdb" -A -n dummy -i cert.pem -t C
    

    dummy is just a nickname and can be anything, but make sure to provide the -t C option.
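
As an added example (not part of the original answer): checks to run before and after the two steps above. The function names, file names and 2048-bit key size are assumptions of this example, and it goes slightly beyond the answer by also setting subjectAltName, which current Chrome versions use for name matching instead of CN.

```shell
#!/bin/sh
# Added example, not from the original answer. Function and file names and the
# 2048-bit key size are this example's choices. Needs OpenSSL 1.1.1+ (-addext).

# Self-signed certificate for HOST in DIR, with HOST as both CN and SAN.
make_proxy_cert() {  # make_proxy_cert HOST DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# True when the certificate is valid for HOST (the name given to --proxy-server).
cert_matches_host() {  # cert_matches_host CERT HOST
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# True when subject == issuer and the signature verifies under the cert's own
# key. Such a cert has no CA chain, so NSS reports an unknown issuer
# (err=-8179 is SEC_ERROR_UNKNOWN_ISSUER) until trust is added with -t C.
cert_is_self_signed() {  # cert_is_self_signed CERT
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Reads `certutil -L` output on stdin and prints the trust flags of NICKNAME
# (nicknames without spaces only). "C,," is what -t C produces.
trust_flags_for() {  # certutil -d DB -L | trust_flags_for NICKNAME
    awk -v n="$1" '$1 == n { print $NF }'
}

# Usage: sh check_proxy_cert.sh localhost
if [ "$#" -ge 1 ]; then
    dir=$(mktemp -d) && make_proxy_cert "$1" "$dir" || exit 1
    cert_matches_host "$dir/cert.pem" "$1" && echo "name ok: $1"
    cert_is_self_signed "$dir/cert.pem" && echo "self-signed: needs certutil -A -t C"
    echo "certificate written to $dir/cert.pem"
    if command -v certutil >/dev/null 2>&1; then
        echo "current flags for 'dummy':" \
            "$(certutil -d "sql:$HOME/.pki/nssdb" -L | trust_flags_for dummy)"
    fi
fi
```

An empty result from `trust_flags_for` means the nickname is not in the database at all; `,,` means it was imported without the `C` trust flag.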


Author: cYrus

Updated on September 18, 2022

Comments

  • cYrus
    cYrus over 1 year

    Whenever I use a secure proxy with Google Chrome I get ERR_PROXY_CERTIFICATE_INVALID; I tried a lot of different scenarios and versions.

    The certificate

    I'm using a self-signed certificate:

    openssl genrsa -out key.pem 1024
    openssl req -new -key key.pem -out request.pem
    openssl x509 -req -days 30 -in request.pem -signkey key.pem -out certificate.pem
    

    Note: this certificate works (with a warning since it's self-signed) when I try to set up a simple HTTPS server.

    The proxy

    Then I start a secure proxy on localhost:8080. There are several ways to accomplish this, I tried:

    The browser

    Then I run Google Chrome with:

    google-chrome --proxy-server=https://localhost:8080 http://superuser.com
    

    to load, say, http://superuser.com.

    The issue

    All I get is:

    Error 136 (net::ERR_PROXY_CERTIFICATE_INVALID): Unknown error.
    

    in the window, and something like:

    [13633:13639:1017/182333:ERROR:cert_verify_proc_nss.cc(790)] CERT_PKIXVerifyCert for localhost failed err=-8179
    

    in the console.

    Note: this is not the big red warning that complains about insecure certificates.


    Now, I have to admit that I'm quite n00b for what concerns certificates and such, if I'm missing some fundamental points, please let me know.

  • cYrus
    cYrus over 11 years
    Your answer points me in the right direction, I didn't know that Chrome used the system's database to validate the certificates. I'll edit your answer to provide the detailed solution.