Google Chrome and Firefox do not trust certificates

Question

Google Chrome and Firefox do not trust certificates

enverarslan opened this issue 2 years ago · comments

I am using this package very long time, last afternoon (4th November 2022 18:07 UTC+3) Google Chrome started to giving SSL certificate errors on my development sites.

Environment:
Windows 10 (64 bit): 19043.2130
valet-windows: 2.1.5
Google Chrome: 107.0.5304.88
Mozilla Firefox: 106.0.5

Problem

I checked certificate expiration, it's fine. So I checked site on Microsoft Edge, its successfully loaded.

Google chrome gives NET::ERR_CERT_INVALID error and does not allow to proceed with error.

After that, I installed Mozilla Firefox and tested site. This gave me another error code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY

Research

I researched the problem and found possible solution.

See https://bugzilla.mozilla.org/show_bug.cgi?id=1034124 and specifically this answer:

Looks like that certificate has a basicConstraints extension with the value cA: TRUE. We stopped allowing CA certificates to act as end-entity certificates. That certificate should be regenerated without the basicConstraints extension.

This is also explained at https://wiki.mozilla.org/SecurityEngineering/x509Certs

Error Code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY

What It Means: A certificate with a basic constraints extension with cA:TRUE is being used as an end-entity certificate

What Can I Do: Re-generate the end-entity certificate without the basic constraints extension

Related:

Solution

I add basicConstraints CA:false extension when createSigningRequest on here: https://github.com/cretueusebiu/valet-windows/blob/2.1.5/cli/Valet/Site.php#L334

$x509->setExtension('id-ce-basicConstraints', ['CA'=>false]);

But I do not sure this is correct solution.

Can you give any explanation for why is this happened and why now? I think browser updates triggered this problem but browsers have CA checking for a long time.