Regression: self-signed certificates no longer work #14990
Comments
|
Is there anyone to ping to get visibility on this? As far as i can tell, self signed certificates no longer work, which means that we (and likely others) are blocked from upgrading Gatsby. If there's anything else I can do to help, please let me know. Thanks! |
|
Potentially related to #15043 |
|
We are seeing the same issue as of 2.9.9. Using self-signed certs now causes builds to fail. The workaround in #15043 works, but isn't a long-term solution. The workaround is to set this env before running start: |
|
Seems like this is coming from https://github.com/gatsbyjs/gatsby/blob/master/packages/gatsby-cli/src/reporter/reporters/ink/components/develop.js#L46-L56 Potential code change that would fix crashes would be using https.Agent which doesn't reject unauthorized there - here's snippet I found in node-fetch/node-fetch#19 |
m-allanson
added
help wanted
|
Hiya! This issue has gone quiet. Spooky quiet. 👻 We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open! As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contributefor more information about opening PRs, triaging issues, and contributing! Thanks for being a part of the Gatsby community! 💪💜 |
gatsbot
bot
added
the
stale?
|
Still broken. |
|
Hey again! It’s been 30 days since anything happened on this issue, so our friendly neighborhood robot (that’s me!) is going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error, I’m As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing! Thanks again for being part of the Gatsby community! |
|
Be gone gatsbot. Still broken. |
stefanprobst
added
not stale
and removed
stale?
|
I guess I should have posted my comment here 😕. Forgot about this thread. |
|
Hi Everyone, I am still seeing this issue after installing a latest gatsby project today. What is the solution for this issue? |
|
One issue here is that node is not trusting self-signed certificates. A workaround, for now, is to disable TLS rejection: NODE_TLS_REJECT_UNAUTHORIZED=0 gatsby develop --https --key /path/to/key -cert /path/to/certIf you have a cert signed by a certificate authority, like the automated process uses, then a better, but more complicated, workaround is to add the certificate authority to the trusted roots chain: NODE_EXTRA_CA_CERTS=[your CA certificate file path] gatsby develop --httpsThe automated process does write your CA cert to disk, in different locations depending on your OS. If you tell me your OS, I can tell you where it will put it, and then you can use that path. The current package that manages certificates, |
|
Thanks @Js-Brecht for the detailed response. I am using MAC OS. For now, i have used the following command NODE_TLS_REJECT_UNAUTHORIZED=0 gatsby develop --https --port 3000 (node:3596) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification. I am not sure whether this is a long term solution. So , i will go with your second suggestion to use the certificate. Can you please tell me the path to place the cert? thanks |
|
The cert should be located at |
|
Having this issue too... |
|
We are having this issue too. Please update docs and default build script |
|
So issue today became critical. Chrome stopped allowing
We have found solution: navigate to
|
|
I just started working on a fix yesterday that should resolve this and a couple other open tickets. For now, what OS are you using, @JustFly1984? |
|
@Js-Brecht MacOS Catalina |
|
Since it is giving you the error "ERR_CERT_REVOKED", I'd like to see if creating a new certificate will fix the issue. Remove the certificate After the certificates have been installed and trusted, you should be able to run this to get it to work correctly: NODE_EXTRA_CA_CERTS=~/.config/devcert/devcert-ca-root.crt gatsby develop --httpsAlternatively, using NODE_EXTRA_CA_CERTS=/path/to/ca.crt gatsby develop --https --key /path/to/cert.key --cert /path/to/cert.crtPlease let me know if that works out. I know it works on Windows & Linux (except chrome on Linux uses its own nssdb for certificates, so using the system store doesn't work for it), but I'm not sure about MacOS, as I haven't tried it yet. |
I created a certificate using mkcert and it works on my system (Linux Mint) with Chromium and Firefox develop": "NODE_TLS_REJECT_UNAUTHORIZED=0 gatsby develop --https --key-file $KEY_FILE_LOCALHOST --cert-file $CERT_FILE_LOCALHOST ", |
|
If you want full trust, so you don't have to deal with errors/warnings in your browser or in node, try this: The following works flawlessly for me using self signed certificates.
[req]
req_extensions = v3_req
distinguished_name = distinguished_name
prompt = no
[distinguished_name]
commonName = localhost
[v3_req]
keyUsage = digitalSignature, keyEncipherment, nonRepudiation
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
openssl req -x509 -newkey rsa:2048 -nodes -keyout ./.certs/key.pem -days 365 -out ./.certs/cert.pem -config ./.certs/selfsigned.cnf -extensions "v3_req"
# If you run it this way, then you only need to do the export one time in your current session.
# After that, you just use the "gatsby develop" line.
export NODE_EXTRA_CA_CERTS=$PWD/.certs/cert.pem
gatsby develop --https -c ./.certs/cert.pem -k ./.certs/key.pem
# Or, in one line
NODE_EXTRA_CA_CERTS=$PWD/.certs/cert.pem gatsby develop --https -c ./.certs/cert.pem -k ./.certs/key.pemI get no errors in Node, and the certificate is trusted in Chrome, so no error there either. For Chrome to trust it, the certificate you created has to be in the trusted root certificates store, whichever one it uses in your OS. A couple notesBrowsers don't use the Using self signed certificates in Firefox require the IP address in the I'd like to hear from people if this doesn't work as expected. This is going to be similar to what the fix does automatically, just all within node. |
@in-in I've never used It looks like |
|
Here's something right out of their docs, which I assume should work on linux and mac: export NODE_EXTRA_CA_CERTS="$(mkcert -CAROOT)/rootCA.pem" |
|
I have submitted a PR that should fix the problem, but it's dependent on an upstream PR. Check out #18703. Could be a little while before it gets merged, though, depending on how long we wait for |
|
I wish I understood enough of this thread to get any of the workarounds working 😔 |
|
#18703 is really, really close to being merged. Just waiting on one more review |
Description
I'm having a hard time sorting out what package version where causes the issue, but when upgrading from gatsby 2.9.8 to 2.9.9 I now get this error when starting gatsby with a self-signed certificate:
My guess is it has to do with the upgrade of
node-fetchingatsby-cliSteps to reproduce
Create and trust ssl certificates, then run gatsby using them. I've also tried with the auto generated certificates and I get a different error.
Expected result
It should start gatsby
Actual result
Environment
Run
gatsby info --clipboardin your project directory and paste the output here.The text was updated successfully, but these errors were encountered: