Using secure proxies with Google Chrome
Maybe try importing that certificate into your system's certificate store and trust it. Chrome uses the OS to validate the security certificate.
I think it is very understandable that Chrome gives you an error instead of a warning when the proxy's certificate is invalid because the proxy feature is probably implemented as a transparent add-on to its networking components. Requiring an additional UI to confirm the certificate of the proxy does not seem to be a useful feature.
The following steps will do the trick:
Generate the key and the certificate:
    openssl genrsa -out key.pem 1024
    openssl req -new -key key.pem -subj "/CN=localhost" -out req.pem
    openssl x509 -req -days 30 -in req.pem -signkey key.pem -out cert.pem
Note that the only mandatory field is CN (CommonName) and it must be the same domain as the one of the proxy.
Add the certificate to the system database using certutil (from package libnss3-tools in Debian):
    certutil -d "sql:$HOME/.pki/nssdb" -A -n dummy -i cert.pem -t C
dummy is just a nickname and can be anything, but make sure to provide the -t C option.
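A pre-flight check for the steps above, added here as an example and not part of the original answer: it confirms that the certificate's CN equals the host in the --proxy-server value, that the certificate has not expired, and that the nickname carries the C trust flag in the NSS database. The function names are made up for this example, and the CN parser assumes a plain host name with no escaped commas.

```shell
#!/bin/sh
# Added example: checks for a self-signed HTTPS proxy certificate before
# starting Chrome. All function names are hypothetical.
# Usage: check_proxy_cert https://localhost:8080 cert.pem dummy

# Host part of a --proxy-server value: https://localhost:8080 -> localhost
# (IPv6 literals such as [::1] are not handled).
proxy_host() {
    h=${1#*://}                 # drop the scheme
    h=${h%%/*}                  # drop any path
    printf '%s\n' "${h%%:*}"    # drop the port
}

# CN taken from `openssl x509 -noout -subject -nameopt RFC2253` on stdin.
subject_cn() {
    sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Trust attributes of one nickname, read from `certutil -L` output on stdin.
# The last column is the trust string, everything before it the nickname.
nss_trust() {
    awk -v n="$1" 'NF >= 2 { t = $NF; $NF = ""; sub(/ +$/, "")
                             if ($0 == n) print t }'
}

# True when the SSL field (first of three) has the trusted-CA flag "C".
ssl_ca_trusted() {
    case "${1%%,*}" in *C*) return 0 ;; *) return 1 ;; esac
}

# check_proxy_cert PROXY_URL CERT_PEM NICKNAME
check_proxy_cert() {
    host=$(proxy_host "$1")
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | subject_cn)
    [ "$cn" = "$host" ] ||
        { echo "CN '$cn' does not match proxy host '$host'" >&2; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
    trust=$(certutil -d "sql:$HOME/.pki/nssdb" -L | nss_trust "$3")
    ssl_ca_trusted "$trust" ||
        { echo "'$3' missing or without C trust (got '$trust')" >&2; return 1; }
    echo "ok: $2 matches $host and is trusted as '$3'"
}
```

Current Chrome releases (58 and later) match the host name against subjectAltName rather than CN, so on those versions the certificate also needs a SAN entry for the proxy host.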
cYrus
Updated on September 18, 2022
Comments
-
cYrus over 1 year
Whenever I use a secure proxy with Google Chrome I get ERR_PROXY_CERTIFICATE_INVALID, I tried a lot of different scenarios and versions.
The certificate
I'm using a self-signed certificate:
    openssl genrsa -out key.pem 1024
    openssl req -new -key key.pem -out request.pem
    openssl x509 -req -days 30 -in request.pem -signkey key.pem -out certificate.pem
Note: this certificate works (with a warning since it's self-signed) when I try to set up a simple HTTPS server.
The proxy
Then I start a secure proxy on localhost:8080. There are several ways to accomplish this, I tried:
- a custom Node.js script;
- stunnel;
- node-spdyproxy (OK, this involves SPDY too, but later... the problem is the same);
- [...]
The browser
Then I run Google Chrome with:
google-chrome --proxy-server=https://localhost:8080 http://superuser.com
to load, say, http://superuser.com.
The issue
All I get is:
Error 136 (net::ERR_PROXY_CERTIFICATE_INVALID): Unknown error.
in the window, and something like:
[13633:13639:1017/182333:ERROR:cert_verify_proc_nss.cc(790)] CERT_PKIXVerifyCert for localhost failed err=-8179
in the console.
Note: this is not the big red warning that complains about insecure certificates.
Now, I have to admit that I'm quite n00b for what concerns certificates and such, if I'm missing some fundamental points, please let me know.
-
cYrus over 11 years
Your answer points me in the right direction, I didn't know that Chrome used the system's database to validate the certificates. I'll edit your answer to provide the detailed solution.