humanmade / altis-local-server

Local Server module for Altis
https://www.altis-dxp.com/resources/docs/local-server/

Getting `ERR_CERT_AUTHORITY_INVALID` in Windows Host #534

Open jerico opened 1 year ago

jerico commented 1 year ago

Steps to reproduce:

  1. Set up a fresh Altis project using Windows
  2. The resulting URL will not work due to invalid certificate
    • The root certificate that mkcert has generated is only getting installed inside WSL2
    • Because of HSTS, the user cannot visit the local site at all

Workaround:

  1. Install mkcert in Windows host
    a. Install Chocolatey https://chocolatey.org/install
    b. Run `choco install mkcert` in PowerShell
  2. Run `mkcert -CAROOT` in PowerShell to get where root certificate is installed in Windows host
  3. In WSL2, run `composer server ssl exec -- -CAROOT` to get where the generated root certificate is stored
  4. In Windows File Explorer, navigate to `\\wsl$\` and browse to the WSL’s CA root directory (e.g. `\\wsl$\Ubuntu-20.04\home\jerico\.local\share\mkcert`)
  5. Copy `rootCA.pem` and `rootCA-key.pem` to Windows host CA root directory (Step 2)
  6. In PowerShell, run `mkcert -install` - this will install the generated root certificate from WSL2
  7. The browser has to be restarted for the SSL certificate to reflect

Acceptance criteria:

tcrsavage commented 1 year ago

+1

The above workaround steps didn't quite work for me, but I may not have followed them exactly. What did work for me:

  1. Install mkcert in Windows host
    a. Install Chocolatey https://chocolatey.org/install
    b. Run `choco install mkcert` in PowerShell
  2. Run `mkcert -CAROOT` in PowerShell to get where root certificate is installed in Windows host
  3. In WSL2, run `composer server ssl exec -- -CAROOT` to get where the generated root certificate is stored
  4. In Windows File Explorer, navigate to `\\wsl$\` and browse to the WSL’s CA root directory (e.g. `\\wsl$\Ubuntu-20.04\home\jerico\.local\share\mkcert`)
  5. Copy `rootCA.pem` and `rootCA-key.pem` from Windows host CA root directory to WSL2 directory (Step 2)
  6. In PowerShell, run `mkcert -install` - this will install the generated root certificate from Windows
  7. In WSL2, run `composer server ssl exec -- -uninstall; composer server ssl exec -- -install` to update to root cert from Windows
  8. In WSL2, run `composer server ssl generate {project domain name}` to generate new domain cert for project using Windows root CA
  9. The browser has to be restarted for the SSL certificate to reflect

tcrsavage commented 1 year ago

Additionally, to get the Firefox browser to accept the cert, an additional step is required -- only impacts FF

Go to: about:preferences#privacy -> View Certificates -> Authorities -> Import

Select `rootCA.pem` from installed directory in step 2 from above

rmccue commented 1 year ago

Thanks for the extra testing! Interesting though, mkcert is meant to install directly into Firefox's CA root store as well so might be something a bit dodgy there; were there any messages about that when you ran `mkcert -install`?

tcrsavage commented 1 year ago

Yep, seems to be specific to Windows

```
mkcert -install
The local CA is already installed in the system trust store! 👍
Note: Firefox support is not available on your platform. ℹ️
```

rmccue commented 1 year ago

Aha, thanks!
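
A check for the state this thread describes, as an added example that is not from the issue, Altis or mkcert: it reports whether the root CA that mkcert generated inside WSL2 is present in the Windows root stores and whether it matches the root CA in the Windows-side CAROOT. The script and its `-WslRootCA` parameter name are assumptions; pass the `rootCA.pem` path found in steps 3 and 4.

```powershell
# Added diagnostic (not Altis or mkcert code): is the WSL2 mkcert root CA trusted by Windows?
param(
    # rootCA.pem inside the WSL2 CAROOT, reached through the \\wsl$\ share (steps 3 and 4)
    [Parameter(Mandatory)] [string] $WslRootCA
)
$ErrorActionPreference = 'Stop'

function Read-Cert([string] $Path) {
    # X509Certificate2 loads a PEM-encoded certificate file directly
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
}

$wslCert = Read-Cert $WslRootCA

# Look for the same certificate in both Windows root stores.
# Firefox keeps its own store and is not covered by this check.
$trustedIn = foreach ($store in 'CurrentUser', 'LocalMachine') {
    $hit = Get-ChildItem "Cert:\$store\Root" |
        Where-Object { $_.Thumbprint -eq $wslCert.Thumbprint }
    if ($hit) { $store }
}

# Root CA in the Windows-side CAROOT, if mkcert is installed on the host (step 1)
$winThumb = $null
if (Get-Command mkcert -ErrorAction SilentlyContinue) {
    $winPem = Join-Path (& mkcert -CAROOT) 'rootCA.pem'
    if (Test-Path $winPem) { $winThumb = (Read-Cert $winPem).Thumbprint }
}

[pscustomobject]@{
    WslRootThumbprint    = $wslCert.Thumbprint
    WslRootExpires       = $wslCert.NotAfter
    TrustedByWindows     = [bool] $trustedIn
    TrustedIn            = $trustedIn -join ', '
    # $null means no Windows-side rootCA.pem was found to compare against
    WindowsCARootMatches = if ($winThumb) { $winThumb -eq $wslCert.Thumbprint } else { $null }
}
```

If `TrustedByWindows` is false, certificates issued by the WSL2 CA will produce the error in the issue title. The check reads only `rootCA.pem`; `rootCA-key.pem` is the CA private key and is not needed for it.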