Getting Chrome to accept self-signed localhost certificate

小蘑菇 2020-11-21 11:30

I have created a self-signed SSL certificate for the localhost CN. Firefox accepts this certificate after initially complaining about it, as expected. Chrome and IE, however

30 answers
  •  北荒 (original poster)
    2020-11-21 11:54

    UPDATED Apr 23/2020

    Recommended by the Chromium Team

    https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins#TOC-Testing-Powerful-Features

    Quick Super-Easy Solution

    There is a secret bypass phrase that can be typed into the error page to have Chrome proceed despite the security error: thisisunsafe (in earlier versions of Chrome, type badidea, and even earlier, danger). DO NOT USE THIS UNLESS YOU UNDERSTAND EXACTLY WHY YOU NEED IT!

    Source:

    https://chromium.googlesource.com/chromium/src/+/d8fc089b62cd4f8d907acff6fb3f5ff58f168697%5E%21/

    (NOTE that window.atob('dGhpc2lzdW5zYWZl') resolves to thisisunsafe)

    The latest version of the source is @ https://chromium.googlesource.com/chromium/src/+/refs/heads/master/components/security_interstitials/core/browser/resources/interstitial_large.js and the window.atob function can be executed in a JS console.

    For background about why the Chrome team changed the bypass phrase (the first time):

    https://bugs.chromium.org/p/chromium/issues/detail?id=581189

    If all else fails (Solution #1)

    For quick one-offs, if the "Proceed Anyway" option is not available and the bypass phrase is not working, this hack works well:

    1. Allow certificate errors from localhost by enabling this flag (note Chrome needs a restart after changing the flag value):

      chrome://flags/#allow-insecure-localhost

      (and vote-up answer https://stackoverflow.com/a/31900210/430128 by @Chris)

    2. If the site you want to connect to is localhost, you're done. Otherwise, set up a TCP tunnel to listen on port 8090 locally and connect to broken-remote-site.com on port 443. Ensure you have socat installed and run something like this in a terminal window:

      socat tcp-listen:8090,reuseaddr,fork tcp:broken-remote-site.com:443

    3. Go to https://localhost:8090 in your browser.

    If all else fails (Solution #2)

    Similar to "If all else fails (Solution #1)", here we configure a proxy to our local service using ngrok. Because you can either access ngrok http tunnels via TLS (in which case it is terminated by ngrok with a valid certificate), or via a non-TLS endpoint, the browser will not complain about invalid certificates.

    Download and install ngrok and then expose it via ngrok.io:

    ngrok http https://localhost
    

    ngrok will start up and provide you a host name which you can connect to, and all requests will be tunneled back to your local machine.
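
An alternative to the bypasses in the answer above, added here as an example and not part of the original answer: Chrome (since version 58) matches host names only against the certificate's subjectAltName and ignores the CN, so a localhost certificate needs a SAN entry before importing it into the trust store can help. The script builds a CN-only and a SAN-bearing certificate and checks each; it assumes OpenSSL 1.1.1 or later (for `-addext`), and the function and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: CN-only vs. SAN-bearing self-signed localhost certificates.
# Assumption: OpenSSL 1.1.1+ is on PATH; all names below are made up for the demo.

# make_cert <outdir> <name> [san-list]
# Writes <outdir>/<name>.key and <outdir>/<name>.crt (self-signed, CN=localhost).
make_cert() {
  out=$1 name=$2 san=${3:-}
  set -- req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=localhost" \
         -keyout "$out/$name.key" -out "$out/$name.crt"
  # Only the corrected variant carries the subjectAltName extension.
  [ -z "$san" ] || set -- "$@" -addext "subjectAltName=$san"
  # umask keeps the unencrypted private key readable by the owner only.
  ( umask 077; openssl "$@" 2>/dev/null )
}

# has_san <cert> <dns-name>
# Succeeds only if the certificate lists DNS:<dns-name> among its SAN entries.
has_san() {
  openssl x509 -in "$1" -noout -text |
    grep -qE "DNS:$2(,|[[:space:]]*\$)"
}

# report <cert>: print whether Chrome's name check can match "localhost".
report() {
  if has_san "$1" localhost; then
    echo "$1: SAN covers localhost"
  else
    echo "$1: no SAN for localhost (CN alone is ignored by Chrome)"
  fi
}

demo() {
  tmp=$(mktemp -d) || return 1
  make_cert "$tmp" cn-only                                  # weak: CN only
  make_cert "$tmp" with-san "DNS:localhost,IP:127.0.0.1"    # corrected
  report "$tmp/cn-only.crt"
  report "$tmp/with-san.crt"
  rm -rf "$tmp"
}

demo
```

The SAN-bearing certificate still has to be added to the trust store Chrome uses before the warning goes away; the script only shows which of the two certificates can pass the host-name check.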
