docksal / service-vhost-proxy

Virtual host proxy service image for Docksal
http://docksal.io
MIT License

Self-signed cert revoked in Chrome on macOS Catalina #56

Closed lmakarov closed 4 years ago

lmakarov commented 4 years ago

Chrome on macOS Catalina treats the self-signed cert in vhost-proxy as revoked and does not allow loading projects over https (the option to proceed is no longer available)


According to this:

Apple has introduced a series of new requirements for SSL certificates to be accepted by Catalina, documented at https://support.apple.com/en-us/HT210176. To summarize here:

- Key size must be at least 2048 bits.
- Hash algorithm must be SHA-2 or newer.
- DNS names must be in a SubjectAltName, not in the CN field only.

Moreover, for certificates issued after 2019-07-01:

- The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
- The validity period may not be longer than 825 days.

The cert in the latest release of vhost-proxy was issued after 2019-07-01 and has a validity period longer than 825 days:

NET::ERR_CERT_REVOKED
Subject: *.docksal
Issuer: *.docksal
Expires on: Nov 10, 2029
Current date: Dec 20, 2019
...

The validity period on the self-signed cert has to be set to 825 days or less to fix this.
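
An added example (not Docksal's or the vhost-proxy image's own code) that issues a self-signed `*.docksal` certificate meeting every requirement listed above and then audits an arbitrary certificate against the same list, so a cert can be checked before it is baked into an image. It assumes the `openssl` command-line tool and either GNU `date` (Linux) or BSD `date` (macOS); the file names, the `v3_ext` section name and the function names are hypothetical choices for this example.

```shell
#!/bin/sh
# Added example (not Docksal's code): generate a self-signed *.docksal cert that
# satisfies the macOS Catalina rules quoted above, and audit a cert against them.
# Assumes the openssl CLI plus GNU date (Linux) or BSD date (macOS). File and
# function names are hypothetical choices for this example.

# Catalina requirements (certs issued after 2019-07-01).
MIN_KEY_BITS=2048
MAX_VALIDITY_DAYS=825

# Write key.pem and cert.pem into $1 with a validity of $2 days (default 825).
make_docksal_cert() {
  dir=$1; days=${2:-$MAX_VALIDITY_DAYS}
  mkdir -p "$dir"
  # Extensions come from a config file so this also works on OpenSSL builds
  # that lack `req -addext`.
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ext

[dn]
CN = *.docksal

[v3_ext]
# DNS names must be in subjectAltName; a CN-only cert is rejected by Catalina.
subjectAltName = DNS:*.docksal, DNS:docksal
# id-kp-serverAuth is mandatory for certs issued after 2019-07-01.
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey "rsa:$MIN_KEY_BITS" -nodes -sha256 \
    -days "$days" -config "$dir/openssl.cnf" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Parse an OpenSSL date string ("Dec 20 10:00:00 2019 GMT") into a Unix epoch.
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null \
    || date -u -j -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
}

# Print the validity period (notAfter - notBefore) of cert $1 in whole days.
cert_validity_days() {
  start=$(openssl x509 -in "$1" -noout -startdate); start=${start#notBefore=}
  end=$(openssl x509 -in "$1" -noout -enddate); end=${end#notAfter=}
  echo $(( ( $(to_epoch "$end") - $(to_epoch "$start") ) / 86400 ))
}

# Return 0 if cert $1 meets every Catalina requirement, 1 otherwise, and list
# each failed check on stdout.
check_catalina_cert() {
  cert=$1; status=0
  text=$(openssl x509 -in "$cert" -noout -text)

  # Key size: "Public-Key: (2048 bit)" (OpenSSL 3) or "RSA Public-Key: (2048 bit)" (1.1).
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge "$MIN_KEY_BITS" ] \
    || { echo "FAIL: key size ${bits:-?} < $MIN_KEY_BITS bits"; status=1; }

  # Hash: SHA-2 family only (SHA-1 certs are refused outright).
  printf '%s\n' "$text" | grep -Eq 'Signature Algorithm: (sha(256|384|512)|ecdsa-with-SHA(256|384|512))' \
    || { echo "FAIL: signature hash is not SHA-2"; status=1; }

  # DNS name must appear in subjectAltName, not only in the CN.
  { printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name' \
      && printf '%s\n' "$text" | grep -q 'DNS:'; } \
    || { echo "FAIL: no DNS name in subjectAltName"; status=1; }

  # extendedKeyUsage must include id-kp-serverAuth.
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: extendedKeyUsage lacks serverAuth"; status=1; }

  # Validity period capped at 825 days.
  days=$(cert_validity_days "$cert")
  [ "$days" -le "$MAX_VALIDITY_DAYS" ] \
    || { echo "FAIL: validity period is $days days, more than $MAX_VALIDITY_DAYS"; status=1; }

  return $status
}

# Demo: issue a compliant cert in a temp dir and audit it.
demo_dir=$(mktemp -d)
make_docksal_cert "$demo_dir"
echo "validity: $(cert_validity_days "$demo_dir/cert.pem") days"
check_catalina_cert "$demo_dir/cert.pem" && echo "OK: $demo_dir/cert.pem passes all checks"
```

Run `check_catalina_cert` against the cert shipped in an image (for example after `docker cp`-ing it out of a running vhost-proxy container) to see exactly which rule the browser is tripping over; a 10-year cert fails only the validity check, while a cert that also lacks a SAN or serverAuth EKU will still be refused even after its lifetime is shortened.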

lmakarov commented 4 years ago

As a temporary workaround - downgrading to v1.4 fixes the issue (there is a link to "Proceed to (unsafe)"):

IMAGE_VHOST_PROXY="docksal/vhost-proxy:1.4" fin system reset vhost-proxy

lmakarov commented 4 years ago

Using a cert with a 2 year validity period did not help.


Even though the cert is no longer considered REVOKED but rather INVALID, Chrome v79.0.3945.79 does not give an option to accept it and proceed:

NET::ERR_CERT_INVALID
Subject: *.docksal
Issuer: *.docksal
Expires on: Dec 19, 2021
Current date: Dec 26, 2019

lmakarov commented 4 years ago

Here's a hilarious workaround:

There's a secret passphrase built into the error page. Just make sure the page is selected (click anywhere on the background), and type thisisunsafe

Can't believe that it actually works =)