leokhoa / laragon

Laragon is a portable, isolated, fast & powerful universal development environment for PHP, Node.js, Python, Java, Go, Ruby. It is fast, lightweight, easy-to-use and easy-to-extend.
https://laragon.org

Don't use self-signed SSL certificates, but install a rootCA certificate #66

Open CryptoVaraan opened 5 years ago

CryptoVaraan commented 5 years ago

Firefox issues a warning when using self-signed certificates. You need to add exceptions for every site to allow them and there will be NO green padlock. The green padlock can be there when using non-self-signed certificates.

I just replaced the local generated certificate & key in "laragon/etc/ssl" with my own generated ones, added my rootCA to the store and voila, green padlock on all sites.

NOT having this is a pain at times, all sites need valid SSL nowadays.

Added my files to generate this FYI (updated): _OpenSSL_Create_Certificates.zip

leokhoa commented 5 years ago

Thanks @CryptoVaraan 👍

daugaard47 commented 5 years ago

@CryptoVaraan Can you explain in more detail on how you get all local dev sites to have SSL? I have 2 Drives.. C: and D: Laragon in installed on my D: drive. | Running Windows 10 I downloaded your zip file to my desktop. What are the next steps? Thanks for the help!

CryptoVaraan commented 5 years ago

@daugaard47 The code is intended to illustrate what I did to @leokhoa, in the hope he will pick it up and put it in. If you use it manually then you need to run the second batch file on every change to your hosted project directories. Before you run it you need to pick the DNS settings from the file "D:\laragon\etc\ssl\auto.openssl.conf" and copy those into the file "v3.ext" (replacing the settings that are there). After you run it you need to copy the resulting files "laragon.crt" & "laragon.key" over the original files in "D:\laragon\etc\ssl". The certificate from the first batch file needs to be added to the trusted root CAs. Do not run the first batch file after you added the certificate, as it will generate an equally named but new, different one.

If you use Firefox, keep in mind that it uses its own certificate store, so you need to add the root CA there (and enable trust for it) OR you can tell Firefox to use the Windows certificate store.

Hope that helps.

rajeevedmonds commented 5 years ago

@CryptoVaraan Can you please give a step by step information about how to do it?

krishnaguragain commented 5 years ago

@leokhoa can you add this feature in next release??

leokhoa commented 5 years ago

@krishnaguragain : I will consider it.

erropix commented 3 years ago

@leokhoa still not integrated into Laragon?

andersonbravo85 commented 1 year ago

@leokhoa Can anyone help me? I have the problem ERR_CERT_AUTHORITY_INVALID with SSL when accessing Laragon from another computer. On my computer, where Laragon is running, it works fine. I'm running Laragon Portable.

ghost commented 1 year ago

@andersonbravo85 You have to generate a self-signed SAN certificate with the IP address. It can also be done with CryptoVaraan's package. Unfortunately the Laragon routine 'Menu > Apache > SSL > Add Laragon.crt to TrustStore' automatically deletes the IP address entry when adding it to the TrustStore. @leokhoa Is there any workaround to keep the IP address when adding to the TrustStore?

leokhoa commented 1 year ago

@nefzger: I can improve the behavior but first can you provide more details?

ghost commented 1 year ago

@leokhoa For internal web development testing purposes it is convenient to have SSL not only on localhost but also within an internal network. For this reason I have added Listen 0.0.0.0:4443 to httpd-ssl.conf and the following to auto.mydomain.local.conf:

# Second TLS vhost bound to the LAN address so other devices can reach it
<VirtualHost [IP of the web development PC]:4443>
    DocumentRoot "${ROOT}"
    ServerName ${SITE}
    ServerAlias [IP of the web development PC].${SITE}
    <Directory "${ROOT}">
        AllowOverride All
        Require all granted
    </Directory>
    # Same Laragon cert/key as the localhost vhost; the cert needs the IP as a SAN
    SSLEngine on
    SSLCertificateFile      C:/laragon/etc/ssl/laragon.crt
    SSLCertificateKeyFile   C:/laragon/etc/ssl/laragon.key
</VirtualHost>

So I can reach the site via WLAN with a smartphone that is part of the internal network, or via NAT with a "native" Safari browser running on macOS in a virtual machine. I tried to edit the hosts file on macOS: [IP of the web development PC] mydomain.local. That works. But on a smartphone it's not that easy to customize the hosts file, as far as I know. So I thought of adding the IP address of the web development PC to the Laragon certificate as a SAN. Maybe that's easier than customizing the hosts file on a smartphone. Apart from that I have trouble installing a valid Laragon certificate on macOS (only Chrome, Safari works) and Android.

The 'only Chrome' issue is solved. Certificate export via Windows certmgr does not seem to work properly. After I exported the Laragon certificate as a certificate chain with Chrome on Windows, it works in Chrome on macOS too. Nevertheless the Laragon certificate must first be set to 'Always Trust' in the Keychain Access app on macOS.

spamhater-grav commented 1 year ago

Hi, I just wanted to say: I came across this today and, boy, thank you so much. I am not the most professional dev, but I struggled to get certificates to work in Firefox, and I came across your post and, boy, it works really well.

I also incorporated it with the

The fix for me was to follow the instructions here: https://superuser.com/questions/1451895/err-ssl-key-usage-incompatible-solution, basically:

Changing the following line in laragon/etc/ssl/auto.openssl.conf from:

    keyUsage = keyEncipherment, dataEncipherment

to:

    keyUsage = nonRepudiation, digitalSignature, keyEncipherment

But thanks for the easy batch files, which made it a walk in the park!
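The following is an added example (not CryptoVaraan's batch files and not Laragon's own code) that puts the three pieces of this thread into one POSIX shell/OpenSSL script: the one-time local root CA plus re-issuable leaf certificate from CryptoVaraan's comment, the IP SAN that the LAN-access comments needed, and the keyUsage change from the superuser link. It assumes openssl on PATH in a POSIX shell (Git Bash or WSL on Windows); the output directory, the laragon.test hostname and the 192.168.1.20 address are placeholders to replace with your own project names and LAN address.

```shell
#!/bin/sh
# Added example, not CryptoVaraan's batch files or Laragon's own code: a POSIX
# shell/OpenSSL version of the two-step scheme from this thread. Step 1 makes
# a local root CA once; step 2 re-issues the Laragon leaf certificate whenever
# the hosted project names change, with DNS *and* IP SANs and the keyUsage set
# that fixed ERR_SSL_KEY_USAGE_INCOMPATIBLE above. Output dir, hostnames and
# the LAN IP below are assumptions; replace them with your own.
set -eu

OUT="${LARAGON_SSL_OUT:-$(mktemp -d)}"   # assumed working directory

# Step 1: root CA. Run ONCE and import rootCA.crt into the OS / Firefox trust
# store. Re-running would mint a different CA under the same name, so this
# function refuses to overwrite an existing key.
make_root_ca() {
  mkdir -p "$OUT"
  [ -f "$OUT/rootCA.key" ] && return 0
  cat > "$OUT/rootCA.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Laragon Dev Root CA (example)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$OUT/rootCA.cnf" \
    -keyout "$OUT/rootCA.key" -out "$OUT/rootCA.crt" 2>/dev/null
}

# Step 2: leaf certificate for Apache. $1 is the primary dev hostname (a
# wildcard for its subdomains is added too); any further arguments are IP
# addresses added as IP SANs, which is the entry the "Add Laragon.crt to
# TrustStore" step was reported to drop. Re-run on every change and copy
# laragon.crt / laragon.key over laragon/etc/ssl/.
issue_leaf() {
  name="$1"; shift
  sans="DNS:$name, DNS:*.$name"
  for ip in "$@"; do sans="$sans, IP:$ip"; done
  cat > "$OUT/leaf.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $name
EOF
  # v3.ext: the corrected keyUsage (digitalSignature is what ECDHE suites need)
  cat > "$OUT/v3.ext" <<EOF
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $sans
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$OUT/leaf.cnf" \
    -keyout "$OUT/laragon.key" -out "$OUT/laragon.csr" 2>/dev/null
  openssl x509 -req -in "$OUT/laragon.csr" -sha256 -days 825 \
    -CA "$OUT/rootCA.crt" -CAkey "$OUT/rootCA.key" -CAcreateserial \
    -extfile "$OUT/v3.ext" -out "$OUT/laragon.crt" 2>/dev/null
}

# Check: does the leaf chain to our root AND match the name/IP a client will
# type? Exit status 0 = yes. This is the check a browser performs before it
# shows the padlock, minus the trust-store lookup.
verify_for() {
  case "$1" in
    host) openssl verify -CAfile "$OUT/rootCA.crt" -verify_hostname "$2" \
            "$OUT/laragon.crt" >/dev/null 2>&1 ;;
    ip)   openssl verify -CAfile "$OUT/rootCA.crt" -verify_ip "$2" \
            "$OUT/laragon.crt" >/dev/null 2>&1 ;;
    *)    return 2 ;;
  esac
}

# Print the leaf's Key Usage lines so the digitalSignature fix can be eyeballed.
leaf_key_usage() {
  openssl x509 -in "$OUT/laragon.crt" -noout -text | grep -A1 'Key Usage'
}

# Demo with assumed names: one dev domain plus the PC's LAN address.
make_root_ca
issue_leaf laragon.test 192.168.1.20
for h in laragon.test api.laragon.test; do
  if verify_for host "$h"; then echo "ok   $h"; else echo "FAIL $h"; fi
done
if verify_for ip 192.168.1.20; then echo "ok   192.168.1.20"; fi
leaf_key_usage
echo "files in $OUT (import rootCA.crt, deploy laragon.crt + laragon.key)"
```

Keep rootCA.key off any shared machine: whoever holds it can issue a certificate for any name your browsers will accept once rootCA.crt is trusted, which is exactly why the thread's advice not to regenerate the CA (and, implicitly, not to leave it where other software can read it) matters. Laragon's auto.openssl.conf still has to list the same DNS names, so when project directories change, rerun issue_leaf rather than editing laragon.crt by hand.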

MQuigg commented 7 months ago

@CryptoVaraan Tried the steps mentioned by @spamhater-grav (the Superuser link), changing the keyUsage values and running OpenSSL command line to regenerate cert, added laragon.crt to trust store, no joy. Ran your two batch files and they worked perfectly to immediately fix SSL errors. Will make note of your instructions on running them for next time! Thanks for taking the time to post this excellent solution.