Local HTTPS server not working properly.

[metalandcoffee]

Description

When following the instructions in the Gatsby docs to use a Local HTTPS server during development, the process seems unsuccessful.

When I go to https://localhost:8000/, it shows the following privary error (Chrome):

Steps to reproduce

Follow the instructions in the link above.

Expected result

The https://localhost:8000/ URL should take me to my Gatsby site.

Actual result

See above screenshot.

Environment

  System:
    OS: macOS 10.15.2
    CPU: (4) x64 Intel(R) Core(TM) i5-7400 CPU @ 3.00GHz
    Shell: 3.2.57 - /bin/bash
  Binaries:
    Node: 12.12.0 - /usr/local/bin/node
    npm: 6.11.3 - /usr/local/bin/npm
  Languages:
    Python: 2.7.16 - /usr/bin/python
  npmPackages:
    gatsby: ^2.19.7 => 2.19.7 
    gatsby-image: ^2.2.39 => 2.2.39 
    gatsby-plugin-manifest: ^2.2.39 => 2.2.39 
    gatsby-plugin-offline: ^3.0.32 => 3.0.32 
    gatsby-plugin-react-helmet: ^3.1.21 => 3.1.21 
    gatsby-plugin-sharp: ^2.4.3 => 2.4.3 
    gatsby-source-filesystem: ^2.1.46 => 2.1.46 
    gatsby-transformer-sharp: ^2.3.13 => 2.3.13 
  npmGlobalPackages:
    gatsby-cli: 2.8.28

[vladar]

I couldn't reproduce this, so it is probably something specific to your environment. Can you post a full output of gatsby develop maybe we'll see some hints there?

[Js-Brecht]

Hello @metalandcoffee,

Can you try something for me? The dev certificates should be stored at ~/Library/Application Support/devcert. If that folder exists, please delete it, then go into your Keychain and remove the devcert certificate authority. After that, run gatsby develop --https again.

There may be other issues, especially running on Mac with the current version of the package devcert that Gatsby uses. #18703 addresses those issues, but that PR's been waiting to be merged for some time.

[Js-Brecht]

Oh, correction. That's the new folder for development certificates. The old folder is ~/.config/devcert, I believe

[metalandcoffee]

Hey @vladar and @Js-Brecht! I went ahead and deleted the folder at ~/.config/devcert and removed devcert from my Keychain. I'm guessing this essentially clears the previously generated devcert! And then I ran gatsby develop --https again. Output is below and I'm still having the same issue. Thank you for letting me know about the open PR, @Js-Brecht !!! I'll most likely be waiting for that to be merged 😎

$ gatsby develop --https
info setting up automatic SSL certificate (may require sudo)

Password:
/bin/sh: /usr/local/Cellar/nss/3.47/bin/certutil: No such file or directory
Unable to automatically install SSL certificate - please follow the prompts at http://localhost:51352 in Firefox to trust the root certificate
See https://github.com/davewasmer/devcert#how-it-works for more details
-- Press <Enter> once you finish the Firefox prompts --

success open and validate gatsby-configs - 0.025s
success load plugins - 1.441s
success onPreInit - 0.006s
success initialize cache - 0.008s
success copy gatsby files - 0.063s
success onPreBootstrap - 0.011s
success createSchemaCustomization - 0.005s
success source and transform nodes - 0.073s
success building schema - 0.323s
success createPages - 0.002s
success createPagesStatefully - 0.057s
success onPreExtractQueries - 0.003s
success update schema - 0.035s
success extract queries from components - 0.265s
success write out requires - 0.028s
success write out redirect data - 0.003s
success Build manifest and related icons - 0.146s
success onPostBootstrap - 0.172s
⠀
info bootstrap finished - 27.338 s
⠀
success run queries - 0.037s - 7/7 187.33/s
⠀
You can now view gatsby-starter-default in the browser.
⠀
  https://localhost:8000/
⠀
View GraphiQL, an in-browser IDE, to explore your site's data and schema
⠀
  https://localhost:8000/___graphql
⠀
Note that the development build is not optimized.
To create a production build, use gatsby build
⠀
success Building development bundle - 3.819s

[Js-Brecht]

I think you need to trust the certificate authority manually, since it looks like you don't have certutil installed on your machine already; or you can follow this section of the revised documentation to install certutil, in order for devcert to trust the CA automatically.

[Js-Brecht]

Unless, of course, you followed the Firefox prompts. Sometimes I forget that not everything shows up in your console 😆.

Can you locate your localhost certificate under ~/.config/devcert, and run openssl x509 -in "<certificate path>" -noout -text on it, and post the output here?

[metalandcoffee]

I'm not entirely sure about which <certificate path> to use so here is an ls -la first

$ ls -la
total 88
drwxr-xr-x  15  staff   480 Jan 29 11:58 .
drwx------   6  staff   192 Jan 29 11:57 ..
drwxr-xr-x   3  staff    96 Jan 29 11:58 certs
-rw-r--r--   1  staff  1151 Jan 29 11:58 devcert-ca-root.crt
-rw--w----   1  staff  1675 Jan 29 11:58 devcert-ca-root.key
-rw-r--r--   1  staff     1 Jan 29 11:58 devcert-ca-version
-rw-r--r--   1  staff  1322 Jan 29 11:58 gatsby-starter-default.crt
-rw-r--r--   1  staff   907 Jan 29 11:58 gatsby-starter-default.csr
-rw--w----   1  staff  1679 Jan 29 11:58 gatsby-starter-default.key
-rw-r--r--   1  staff    55 Jan 29 11:58 index.txt
-rw-r--r--   1  staff    21 Jan 29 11:58 index.txt.attr
-rw-r--r--   1  staff     0 Jan 29 11:58 index.txt.old
-rw-r--r--   1  staff  1518 Jan 29 11:58 openssl.conf
-rw-r--r--   1  staff     3 Jan 29 11:58 serial
-rw-r--r--   1  staff     2 Jan 29 11:58 serial.old

And then here is the output from running openssl x509 -in "devcert-ca-root.crt" -noout -text:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10945188860588390544 (0x97e51f4752eef890)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=devcert
        Validity
            Not Before: Jan 29 16:58:09 2020 GMT
            Not After : Mar 30 16:58:09 2039 GMT
        Subject: CN=devcert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:61:10:04:ce:19:e9:a8:b7:22:16:4c:ae:c8:
                    a8:72:c4:90:b1:be:50:36:b0:c9:24:71:25:18:79:
                    45:d9:a9:dc:84:9c:80:91:0e:a2:cd:15:4c:7f:67:
                    d3:09:2d:44:4a:0e:42:4c:6f:ba:e5:ed:f4:5e:8c:
                    d4:cd:cf:1a:6a:bc:89:99:5d:57:5a:0d:d2:c3:02:
                    9a:0b:9d:b6:81:3e:34:47:e8:71:c3:d2:4c:0d:c1:
                    00:de:80:82:44:44:02:c7:7b:c8:6b:ed:5a:ee:af:
                    9c:b7:5e:2a:4f:d5:0d:99:89:be:3f:02:46:75:bf:
                    1c:29:ad:5a:88:92:ae:7a:fa:c5:1a:ba:f9:40:c4:
                    66:7c:3b:f5:d0:55:ba:64:48:78:d1:c4:6b:d0:ff:
                    e1:54:f5:32:2c:06:97:47:1a:c0:e1:32:4b:de:65:
                    5d:a3:24:58:9e:cb:6a:be:69:33:d3:d8:d5:dd:64:
                    64:b6:2c:2f:05:7e:0b:75:30:6e:b1:ff:f4:98:8d:
                    c8:93:67:c7:35:d5:ee:3c:03:3a:19:04:d5:57:e2:
                    2f:c3:32:1c:af:f4:55:a1:01:49:fa:d8:ef:60:57:
                    25:45:e2:51:0c:76:c9:2a:25:da:08:a8:c8:fd:c8:
                    05:32:15:b2:8e:e5:ac:94:4a:f5:fb:7f:56:42:50:
                    81:77
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                F2:51:08:9D:C6:98:61:2A:C3:4A:2D:2B:8C:15:2F:F3:E1:DD:28:ED
            X509v3 Subject Alternative Name: 
                email:user@localhost
            X509v3 Authority Key Identifier: 
                keyid:F2:51:08:9D:C6:98:61:2A:C3:4A:2D:2B:8C:15:2F:F3:E1:DD:28:ED

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         d0:87:c2:fb:96:63:37:2c:c3:d6:8b:f4:56:20:3e:48:0e:da:
         2a:1a:9e:ec:e8:1f:52:25:d5:55:1b:86:e5:b7:16:55:5a:8a:
         94:db:70:f2:1a:cd:af:c9:ef:30:ff:38:0b:b0:6b:72:d8:c7:
         cd:ed:57:8c:ac:ad:ba:0b:d0:ba:99:8d:c2:cd:46:ba:e5:28:
         69:40:03:fa:aa:06:ee:f5:f9:e8:f3:ce:ae:e3:8c:3b:b9:ac:
         0a:b4:76:5f:ea:83:87:f3:bb:b2:6f:c7:af:d2:07:2d:40:26:
         37:be:30:15:ef:58:94:ae:c0:72:fe:94:95:8e:c0:63:91:00:
         81:9d:4f:e7:8d:42:47:44:ba:98:15:5a:9d:14:b4:63:4e:3c:
         68:92:3e:86:1b:6f:e5:54:29:3d:71:cb:9d:8f:2a:9a:81:b6:
         f6:2a:4b:d6:4f:fa:76:71:b9:47:1c:65:81:58:68:7a:09:bd:
         eb:e8:00:c2:ec:ab:ba:c3:18:87:25:1d:33:fc:4c:85:d3:e8:
         00:9f:c7:3b:a5:7c:c6:1f:a4:01:7c:b7:09:2c:a9:82:d2:12:
         f2:d4:24:9e:48:51:f1:2f:9a:3d:e0:a8:3d:77:26:ba:35:f7:
         83:2c:9c:54:89:85:fd:6c:70:1b:1c:ef:b5:1f:17:1c:e5:39:
         5c:7e:c3:b5

[Js-Brecht]

Can you please post the output for gatsby-starter-default.crt as well?

---

It does seem strange that it would give you a "REVOKED" message, especially after recreating all of the certs. I do know that MacOS will reject a certificate if its expiration date is more than 825 days, but I don't know if that applies to Chrome on Mac, though. You could try running this from your project root:

sed -i 's/7000/825/' ./node_modules/devcert-san/dist/root-authority.js

# This command should yield no output, otherwise there was some issue with the sed command
cat ./node_modules/devcert-san/dist/root-authority.js |grep 7000

Then clear your ~/.config/devcert & keychain, and try again.

[metalandcoffee]

I'm having issues with the sed command:

$ sed -i 's/7000/825/' ./node_modules/devcert-san/dist/root-authority.js
sed: 1: "./node_modules/devcert- ...": invalid command code .
$ sed -i 's/7000/825/' node_modules/devcert-san/dist/root-authority.js
sed: 1: "node_modules/devcert-sa ...": extra characters at the end of n command

Here is the output for gatsby-starter-default.crt:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=devcert
        Validity
            Not Before: Jan 29 16:58:20 2020 GMT
            Not After : Mar 30 16:58:20 2039 GMT
        Subject: CN=gatsby-starter-default
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:f1:5a:25:4e:1b:dc:2c:5e:39:b1:db:68:a3:
                    37:a5:3f:ca:d3:14:e4:82:54:31:ec:cf:29:86:b4:
                    fc:ce:cf:bb:e5:bc:ca:59:a8:a1:88:f5:ee:b0:72:
                    6c:76:f0:44:9a:f1:68:73:4a:e8:24:2a:0d:c4:e6:
                    36:9a:42:cd:89:33:35:c5:1b:47:25:dd:d4:2b:4c:
                    c2:a0:51:1b:89:81:6d:6b:2f:f0:bc:34:4c:0c:d9:
                    c0:4a:3e:04:ca:5e:a2:3b:0e:8b:84:60:f5:c2:4a:
                    7c:d4:cc:24:76:fe:19:de:65:f5:6b:2b:2a:80:cf:
                    d3:75:b1:f3:59:53:5f:86:8a:0f:29:1a:f7:02:43:
                    dc:c0:37:f1:cc:8f:07:23:17:c0:ff:56:a4:df:3a:
                    ae:7b:34:ac:d2:bb:24:86:70:b2:9e:7e:9e:3f:53:
                    6f:3f:fe:d9:3e:39:88:c7:f3:cd:5b:21:94:db:a9:
                    4b:19:2b:07:78:6c:0f:50:13:7c:ed:39:b0:75:0e:
                    0b:ec:7f:34:b8:08:ec:70:13:21:70:32:11:18:12:
                    a5:f4:0b:d5:87:67:b9:6f:6f:e4:c7:6a:bf:e1:8a:
                    b0:4a:c7:12:d0:3b:da:48:d3:7f:9c:88:b6:37:54:
                    fe:9e:d6:f0:f7:8c:9a:f0:c3:17:fa:f5:33:e4:e9:
                    a8:8d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                C5:F4:88:3D:53:E6:A0:E5:09:99:09:20:D0:12:91:D1:EE:1E:18:87
            X509v3 Authority Key Identifier: 
                keyid:F2:51:08:9D:C6:98:61:2A:C3:4A:2D:2B:8C:15:2F:F3:E1:DD:28:ED
                DirName:/CN=devcert
                serial:97:E5:1F:47:52:EE:F8:90

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         a4:36:7b:a2:b8:14:d9:8f:65:8f:22:f2:e5:27:eb:73:13:be:
         41:8c:a2:49:3f:15:16:a2:3a:ce:0c:33:c6:f7:cd:f7:35:7a:
         e8:f2:76:01:21:2f:1d:6f:f8:b5:61:b3:d9:a7:8a:01:e7:18:
         8d:c9:f5:5e:bd:eb:df:80:2b:9e:2f:a5:dc:c6:74:c2:1b:5e:
         d4:a1:f7:fc:82:e8:75:f4:19:83:b5:25:42:c0:06:7d:d3:f9:
         64:39:a7:6c:d5:03:81:af:36:f0:05:ed:12:9e:da:6b:43:06:
         b0:b3:01:74:5d:d5:4b:1c:af:54:c2:06:45:0b:35:97:9a:6f:
         cf:2e:26:55:3e:c3:ad:1f:46:eb:f2:3c:6e:d0:5f:d6:8c:22:
         31:66:37:c9:90:1b:a5:09:7d:e0:3e:07:59:15:41:75:d0:a8:
         e2:9f:44:8c:e5:6f:d3:75:52:87:52:a3:88:eb:7b:b0:6b:6c:
         96:52:b9:8b:b3:00:8d:ef:ca:61:7c:2d:36:3c:2a:39:8d:ea:
         02:99:98:1d:4a:d4:05:54:1a:25:b6:b4:aa:5d:37:d4:24:a0:
         8b:89:af:0e:b0:bd:7f:12:2b:d7:de:34:78:11:4f:92:bf:bd:
         2b:f3:8d:20:0f:0f:89:27:5e:7a:b6:a5:80:f8:05:a8:33:5c:
         b8:41:5f:f1

[Js-Brecht]

Okay, MacOS apparently uses an old BSD version of sed by default. I'm not even going to try to work out the syntax for that particular command without having access to the program. Just go edit the file, and change this line where it says 7000 to 825:

25:        utils_1.openssl(`req -config ${constants_1.opensslConfPath} -key ${constants_1.rootKeyPath} -out ${constants_1.rootCertPath} -new -subj "/CN=devcert" -x509 -days 7000 -extensions v3_ca`);

Also, I think you'll have to change node_modules/devcert-san/dist/index.js as well:

59:    utils_1.openssl(`ca -config ${constants_1.opensslConfPath} -in ${csrFile} -out ${certPath} -outdir ${constants_1.caCertsDir} -keyfile ${constants_1.rootKeyPath} -cert ${constants_1.rootCertPath} -notext -md sha256 -days 7000 -batch -extensions server_cert`);

[Js-Brecht]

Aha... I dug up an old issue in the devcert repository. Pretty sure changing the days parameter is what will fix this issue
davewasmer/devcert#39

The only issue with changing the source like I've suggested is that it'll be replaced any time you update your node_modules. Probably the best alternative would be to use your own custom certificate. You can read a couple of these comments for information:
#14990 (comment)
#14990 (comment)
#14990 (comment)
#14990 (comment)

[metalandcoffee]

Omgosh. You fixed it @Js-Brecht!!!! Things work perfectly now. But I'm going to go through the information you linked above to look into creating my own custom certificate. Thanks so much for taking the time out to help me! You're a gem.

[Js-Brecht]

You're welcome. Glad I could help 🙂

[Js-Brecht]

Closing this because the issue is tracked by #14990, and fixed by #18703