postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

Improve SSL verification experience for localhost and self-signed certificates #4726

Open TehWardy opened 6 years ago

TehWardy commented 6 years ago

I recently had to do a clean install of my OS (new machine build). I have reported this bug in the past and it still hasn't been resolved but for some reason you guys keep closing the ticket as resolved.

So here we go again ...

My environment setup

  1. Clean install of windows 10.
  2. Apply all updates to the OS.
  3. Clean install of VS 2017 (download ISO as part of this from visualstudio.com).
  4. Clean install of postman.

Producing the problem

  1. Open VS 2017.
  2. Load project from source control.
  3. Press F5 to build and run the project; a browser window opens with my API root URL.
  4. Open postman
  5. Copy URL from browser window to postman
  6. Hit send ...

Outcome

In browser: JSON response from server
In Postman: Could not get any response

What must I do to get this scenario to work? Last time I spent about half an hour messing about "forcefully having to install certs" and rebooting the machine.

EVERY other piece of software I have "just works", but postman requires this constant battle and this is only a problem for localhost https calls on a VS dev server.

More detail on Postman's issue

If I open up the Postman console and re-issue the request it says in the console

Error: SSL Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE

then my request headers are listed.

Note: If I disable the option "SSL Certificate Verification" in the options it works. Is a self-signed localhost cert not a valid SSL cert ... surely as long as it allows Postman to establish a connection and a basic understanding of a trust relationship it should accept the self-signed cert by default?

science695 commented 6 years ago

Could there at least be a page like chrome with the option to override security warning and let this request go through?

TehWardy commented 6 years ago

Actually I would just rather that a self-signed localhost cert be allowed ... this is after all a testing tool so you'd expect developers to use it on their localhost instances.

Instead this basically says that by default every dev on their local machine has installed and uses (when hitting F5 from VS) a fully properly issued SSL cert ... which is madness.

kamalaknn commented 6 years ago

Hi,

Postman has always been honoring the SSL certificate validity. However, we've been showing ways to help debug these cases through instructions on the error page.


I do understand that for most of the cases where development happens locally this might not be ideal. We could make this experience better.

I'm marking this as a feature request for enhancing the experience working with untrusted servers.

@vkaegis @sankalp0o can we look into this?

science695 commented 6 years ago

If someone is working on Postman's SSL verification section, it would also be useful to look at this feature request about custom root CAs: #3290

EasyMilos commented 6 years ago

Strange, I am not experiencing the same issue when I am testing locally from Postman and https://localhost:SOMEPORT from Visual Studio. Are you sure that you have everything configured properly? Maybe the difference is that I run Visual Studio as administrator and have the "localhost" cert in the "Trusted Root Certification Authorities" user store and the "Personal" machine store (where I believe VS added it)? I only hit the mentioned issue "UNABLE_TO_VERIFY_LEAF_SIGNATURE" when I use https://localhost with the addition of a client certificate as described in #4627 and its comments.

TehWardy commented 6 years ago

@EasyMilos as stated ... I have a clean install of windows, and a clean install of postman. Postman will ONLY work with localhost servers that self sign if you change the setting "SSL Certificate Verification" which you must have obviously done already.

My point was simply, given the job of Postman is to be a testing / dev tool to help build and test APIs, this is a scenario that should be detected by Postman and automatically trusted, or is there a good reason to not consider VS-based projects a "typical default usage scenario" for Postman?

I do however see the need for postman to encourage good standards but this is the type of standards enforcement that just gets in peoples way for no gain.

d42ohpaz commented 6 years ago

Postman 6.1.4 macOS High Sierra 10.13.5 (17F77)

Self-signed Certificate for "localhost" utilizing the Subject Alternative Name extension:

# Generate a passphrase-protected RSA key, then strip the passphrase so the dev server can load it
$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
$ openssl rsa -passin pass:x -in server.pass.key -out private/localhost.key
# Certificate signing request for that key
$ openssl req -new -key private/localhost.key -out misc/localhost-2018-07-05.csr
# v3 extensions: not a CA, server key usages, and the SANs a verifier will match the hostname against
# (written to misc/v3.ext, which is the path the x509 command below reads)
$ cat > misc/v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = website.localhost
DNS.3 = api.localhost
^D
# Self-sign the request with the same key, applying the extensions above, valid for 10 years
$ openssl x509 -req -sha512 -extfile misc/v3.ext -days 3650 -in misc/localhost-2018-07-05.csr -signkey private/localhost.key -out certs/localhost.crt

I have installed the .crt into Keychain Access and set all of the Trust items to Always Trust. Viewing any of my configured domains shows the certificate as trusted by the Chrome browser.

In Postman I went to Settings > Certificates and I added my .crt and .key as a Client Certificate for my api.localhost domain. Under Settings > General I do also have the SSL certificate verification turned on and would prefer to leave it enabled to verify non-local API endpoint certificates.

Regardless of which domain I use (localhost, website.localhost, or api.localhost), I continually get the error that Postman Could not get any response.

For the sake of argument, turning off SSL certificate validation is not really fixing the problem -- it should be labeled as a temporary work-around until a more permanent solution can be implemented on Postman's end. Since this "fix" globally disables all SSL verification, the console should show a warning for each SSL endpoint reminding developers that their SSL verification has been disabled.

I would also like to ask about the point of the Client Certificates portion of the settings if it does not honor the configured certificates? After reading the documentation for Certificates, the first thing it says is, "Postman’s native apps provide a way to view and set SSL certificates on a per domain basis." This led me to believe adding my .crt and .key would have fixed the Error: SSL Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE error.

It does not.

Thank you for your time, and please let me know if there is any further information I may provide to help speed this development along! :)

Rick-Anderson commented 6 years ago

Could you exempt localhost from this rule? All or none isn't a secure approach for those who need to test locally and test/production endpoints. Perhaps you could whitelist domains that allow self-signed certs.

Rick-Anderson commented 6 years ago

The instructions should say File > Settings > General tab not Settings > general

science695 commented 5 years ago

The instructions should say File > Settings > General tab not Settings > general

@Rick-Anderson There are 2 ways of getting to settings, both are correct:

Rick-Anderson commented 5 years ago

There are 2 ways of getting to settings,

Right, and the instructions omit them.

coredumperror commented 5 years ago

Just discovered this bug in Postman and lost 40+ minutes to hair-pulling frustration at seeing my webserver clearly respond as normal to my POST requests, only for Postman to say "it didn't work" with absolutely no information in regards to how it didn't work.

Please fix this!!

TehWardy commented 5 years ago

I've noticed over time that whilst "initially" unticking the "verify SSL cert" box did solve my issue, when Postman does updates it breaks this, so the box is still unticked but right now I can't talk to localhost servers at all.

I've now written a simple bit of UI to do what Postman does into my web application in order to test my back end ... at least that way AJAX calls respond in a consistent manner.

I stand by my original request that "localhost" should be by default a trusted cert provider given that this tool is literally designed for this scenario.

I have no reason / pattern as to why this happens but it's frustrating when it does.

codenirvana commented 5 years ago

Note: Error UNABLE_TO_VERIFY_LEAF_SIGNATURE is because of missing intermediate certificate in the chain. Refer: https://github.com/postmanlabs/postman-app-support/issues/2874#issuecomment-405994263
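Taken together, the thread describes three client behaviours: verify against the system trust store (Postman's default), switch verification off globally (the "SSL Certificate Verification" toggle), or trust one specific certificate for one host (what d42ohpaz's Keychain import and Rick-Anderson's per-domain allow-list amount to), plus codenirvana's diagnosis that UNABLE_TO_VERIFY_LEAF_SIGNATURE means the server sent a leaf without the intermediate that issued it. The Go program below is an added example covering both points; it is not Postman's code and not from anyone in this thread. It mints the certificates in-process with Go's standard library, so it runs offline without openssl, starts loopback TLS listeners, and records what each client configuration sees. The certificate names (`Dev Root CA`, `Dev Intermediate CA`), the SAN list and the hostnames are constructed for the example. Go's verifier reports both the self-signed and the missing-intermediate cases as the same `x509.UnknownAuthorityError`, where OpenSSL, and so Node and Postman, distinguishes DEPTH_ZERO_SELF_SIGNED_CERT from UNABLE_TO_VERIFY_LEAF_SIGNATURE ("unable to verify the first certificate").

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo-only helper: nothing below can legitimately fail
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a certificate for cn: self-signed when parent == nil (what
// `openssl x509 -req -signkey` produces), otherwise signed by parent.
func issue(cn string, isCA bool, sans []string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              sans, // subjectAltName; verifiers ignore the CN
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serve answers TLS handshakes on a loopback port, presenting chain leaf-first as a real server would.
func serve(chain ...tls.Certificate) (addr string, stop func()) {
	cert := tls.Certificate{PrivateKey: chain[0].PrivateKey}
	for _, c := range chain {
		cert.Certificate = append(cert.Certificate, c.Leaf.Raw)
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	go func() {
		for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() {
			go func(c *tls.Conn) { _ = c.Handshake(); c.Close() }(conn.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// probe connects to addr as if it were host and reports how verification went.
func probe(addr, host string, cfg *tls.Config) string {
	cfg.ServerName = host
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
		return "ok"
	}
	switch {
	case errors.As(err, new(x509.UnknownAuthorityError)): // OpenSSL: DEPTH_ZERO_SELF_SIGNED_CERT or UNABLE_TO_VERIFY_LEAF_SIGNATURE
		return "unknown authority"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname mismatch"
	}
	return err.Error()
}

// scenarios runs the client configurations discussed in the thread against local servers.
func scenarios() map[string]string {
	selfSigned := issue("localhost", false, []string{"localhost", "api.localhost"}, nil)
	root := issue("Dev Root CA", true, nil, nil)
	inter := issue("Dev Intermediate CA", true, nil, &root)
	leaf := issue("localhost", false, []string{"localhost"}, &inter)
	selfAddr, stopSelf := serve(selfSigned)
	leafOnlyAddr, stopLeafOnly := serve(leaf) // misconfigured: intermediate not sent
	fullAddr, stopFull := serve(leaf, inter)
	defer func() { stopSelf(); stopLeafOnly(); stopFull() }()
	trustSelf, trustRoot := x509.NewCertPool(), x509.NewCertPool()
	trustSelf.AddCert(selfSigned.Leaf) // trust this one certificate, not the world
	trustRoot.AddCert(root.Leaf)
	return map[string]string{
		"self-signed, system roots":            probe(selfAddr, "localhost", &tls.Config{}),
		"self-signed, verification off":        probe(selfAddr, "localhost", &tls.Config{InsecureSkipVerify: true}),
		"self-signed, pinned as trusted":       probe(selfAddr, "localhost", &tls.Config{RootCAs: trustSelf}),
		"self-signed, pinned, name not in SAN": probe(selfAddr, "website.localhost", &tls.Config{RootCAs: trustSelf}),
		"CA-issued leaf, intermediate missing": probe(leafOnlyAddr, "localhost", &tls.Config{RootCAs: trustRoot}),
		"CA-issued leaf, full chain":           probe(fullAddr, "localhost", &tls.Config{RootCAs: trustRoot}),
	}
}
```

Call `scenarios()` from a `main` or a test and print the map: the system-roots, name-not-in-SAN and intermediate-missing rows fail, the rest come back `ok`. The pinned row is the one worth copying: trusting the single self-signed certificate, or the private root behind a chain, keeps hostname and expiry checks intact, which `InsecureSkipVerify` (the global toggle) discards for every host; the `name not in SAN` row shows why the `subjectAltName` stanza in the openssl recipe above matters, since pinning does not bypass hostname matching. Note also that a client certificate, which is what Postman's Settings > Certificates slot configures, is something the client presents to the server; it does nothing for trusting the server's certificate, which is what `RootCAs` (or a CA file) controls.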

shamasis commented 5 years ago

Just asking the experts in community: Are there any unseen side effects for implicitly trusting all certificates? :-p

Also, what if Postman always showed responses whether certificate is valid or not and instead showed a warning in UI if SSL is invalid. As a dev-tool, Postman's security considerations are different than a browser IMHO. We could always allow all responses (with warning for SSL failure) and flip the setting to say do not allow invalid certificates for those who want it that way.

TehWardy commented 5 years ago

Today I find this happening again ... This time it's not localhost, and the option "SSL Certificate Verification" is set to off in the settings despite the server having a valid SSL cert and yet still Postman refuses to give me the response.


Is this anywhere near close to be resolved?

shamasis commented 5 years ago

Today I find this happening again ... This time it's not localhost, and the option "SSL Certificate Verification" is set to off in the settings despite the server having a valid SSL cert and yet still Postman refuses to give me the response.

...

Is this anywhere near close to be resolved?

@TehWardy this could be a separate issue we are tracking in app version 7.3.x (can you check which app version you are on?)

Diomos commented 5 years ago

Postman for Windows Version 7.2.2 win32 10.0.16299 / x64

I have similar issues: using NTLM Authorization and localhost where Visual Studio IIS Express is running my API in debug mode. With "SSL certificate verification" turned on it seems Postman is not even trying to use the correct certificate from Trusted Root CA. When I export the localhost certificate and add it to Postman manually it gives "Error: unable to verify the first certificate", again with no trace of what it actually means. I also checked here (Postman Learning Center - Certificates) but in my case I don't see Postman list the certificates it's trying to use in the console. With "SSL certificate verification" turned off: 401.1 error. I am not sure whether in this scenario a certificate is even important, yet it's failing. Maybe Postman is unable to build a proper header for authorization? Strangely, a colleague is using the old 6.3.0 version of Postman and it works fine for him. I wanted to download that version just to try it out but it's not possible on the official Postman page.

TehWardy commented 5 years ago

@Diomos to be clear ... I'm expecting the XML error there ... my API doesn't respond to unauthorised calls ... but Postman should also return the same thing, was my point.

@shamasis it'll be whatever the version was back in may.

I just ran the update (which initially complained that it was broken), so I gave up and manually installed the latest version and now it appears to be working with that request.