Description
When running a secure local cluster, following our getting started docs, it's no longer possible to access the Admin UI on Chrome. Seems to work fine on FF and Safari.
Given Chrome's popularity and the importance of helping users have a quick and easy getting started experience via our docs and otherwise, I consider this a significant problem, potentially a release blocker, though that's not my call. At the least, we need to figure out how to adjust the docs so that copy/paste works for spinning up a local cluster and accessing the admin UI for new users.
Steps:
~$ mkdir certs my-safe-directory
~$ cockroach cert create-ca --certs-dir=certs --ca-key=my-safe-directory/ca.key
~$ cockroach cert create-node localhost $(hostname) --certs-dir=certs --ca-key=my-safe-directory/ca.key
~$ cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key
~$ cockroach start --certs-dir=certs --store=node1 --listen-addr=localhost:26257 --http-addr=localhost:8080 --join=localhost:26257,localhost:26258,localhost:26259 --background
*
* INFO: initial startup completed.
* Node will now attempt to join a running cluster, or wait for `cockroach init`.
* Client connections will be accepted after this completes successfully.
* Check the log file(s) for progress.
*
~$ cockroach start --certs-dir=certs --store=node2 --listen-addr=localhost:26258 --http-addr=localhost:8081 --join=localhost:26257,localhost:26258,localhost:26259 --background
*
* INFO: initial startup completed.
* Node will now attempt to join a running cluster, or wait for `cockroach init`.
* Client connections will be accepted after this completes successfully.
* Check the log file(s) for progress.
*
~$ cockroach start --certs-dir=certs --store=node3 --listen-addr=localhost:26259 --http-addr=localhost:8082 --join=localhost:26257,localhost:26258,localhost:26259 --background
*
* INFO: initial startup completed.
* Node will now attempt to join a running cluster, or wait for `cockroach init`.
* Client connections will be accepted after this completes successfully.
* Check the log file(s) for progress.
*
~$ cockroach init --certs-dir=certs --host=localhost:26257
Cluster successfully initialized
~$ grep 'node starting' node1/logs/cockroach.log -A 11
CockroachDB node starting at 2020-03-19 15:07:58.540333 +0000 UTC (took 11.5s)
build: CCL v20.1.0-beta.2-937-g1ae9b8d2cd @ 2020/03/19 03:25:00 (go1.13.7)
webui: https://localhost:8080
sql: postgresql://root@localhost:26257?sslcert=certs%2Fclient.root.crt&sslkey=certs%2Fclient.root.key&sslmode=verify-full&sslrootcert=certs%2Fca.crt
RPC client flags: cockroach <client cmd> --host=localhost:26257 --certs-dir=certs
logs: /Users/jesseseldess/node1/logs
temp dir: /Users/jesseseldess/node1/cockroach-temp947498966
external I/O path: /Users/jesseseldess/node1/extern
store[0]: path=/Users/jesseseldess/node1
storage engine: rocksdb
status: initialized new cluster
clusterID: aa69e24b-ffbd-4716-a49a-fb7371ba80fc
When you go to https://localhost:8080 in Chrome and click "Advanced" on the initial "Your connection is not private" warning page, you get:
In contrast, when you do the same thing in FF, you have the option to "Accept risk and continue" and can create the Admin UI login page. Same basic path on Safari.
As suggested by @knz, I tried listing $(hostname) before localhost in the cert and starting nodes with --http-addr=$(hostname):8080 and then directing browser to https://<hostname>:8080, but no luck.
Environment:
CockroachDB version: v20.1.0-beta.2-937-g1ae9b8d2cd
Server OS: MacOS
Chrome version: Version 80.0.3987.149 (Official Build) (64-bit)
FF version: 72.0.2 (64-bit)
Safari version: 13.0.5 (15608.5.11)