[GH-ISSUE #177] Certificate clash between mkcert generated certificates (macOS/Nginx/Dnsmasq) #112

Closed
opened 2026-02-25 22:32:38 +03:00 by kerem · 1 comment
Owner

Originally created by @vicchi on GitHub (Jul 17, 2019).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/177

Apologies in advance, as the issue title doesn't begin to describe this ...

Current environment:

macOS - 10.14.5 / Mojave
Chrome - 75.0.3770.100 (Official Build) (64-bit)
Chrome Canary - 77.0.3854.3 (Official Build) canary (64-bit)
Safari - 12.1.1 (14607.2.6.1.1)
Safari Technology Preview - 87 (Safari 13.0, WebKit 14608.1.33.1)
Firefox - 68.0 (64-bit) (Quantum)

Installed via homebrew (2.1.7):

mkcert - 1.3.0
nginx - 1.71.1
dnsmasq - 2.80

I have dnsmasq configured to locally handle all DNS queries for the .test TLD via the following in /usr/local/etc/dnsmasq.conf

address=/test/127.0.0.1

With a corresponding /etc/resolver/test containing the following:

nameserver 127.0.0.1

I also have Nginx configured to serve two local domains with SSL enabled via mkcert certificates installed in /usr/local/etc/ssl/certs

  • garygale.test and www.garygale.test (my personal domain)
  • www.getrentr.test (a company domain I'm working on)

$ ls /usr/local/etc/ssl/certs/
garygale.test+1-key.pem   www.getrentr.test-key.pem
garygale.test+1.pem       www.getrentr.test.pem

My personal domain uses no third party assets, with the exception of Google Analytics with the new tracking code mechanism. All is working well and as expected.

My company domain uses several third party assets, including Google Tag Manager, Lead Forensics and Adobe Fonts.

The company domain's SSL certificate (www.getrentr.test), when viewed in Chrome, is valid and for the correct domain (www.getrentr.test).

[screenshot: www.getrentr.test certificate, https://user-images.githubusercontent.com/442617/61361665-bb188900-a878-11e9-8f9c-8c51d0e22c48.png]

When loading the company domain's site, I have NET::ERR_CERT_COMMON_NAME_INVALID certificate errors for Google Tag Manager (https://www.googletagmanager.com/gtm.js?id=[redacted]) and Adobe Fonts (https://p.typekit.net/p.css?[redacted]), but not for Lead Forensics (https://secure.kilo6alga.com/js/[redacted].js).

Additionally, when visiting the Google Tag Manager and Adobe Fonts URLs in the browser, I get the NET::ERR_CERT_COMMON_NAME_INVALID error and the SSL certificates for both these domains appear to be using the other mkcert generated certificate for my (local) personal domain, rather than the SSL certificates for these actual target domains.

p.typekit.net certificate:

[screenshot: p.typekit.net certificate, https://user-images.githubusercontent.com/442617/61361709-d4213a00-a878-11e9-9d0f-b8b1d365b7ce.png]

googletagmanager.com certificate:

[screenshot: www.googletagmanager.com certificate, https://user-images.githubusercontent.com/442617/61361717-dd120b80-a878-11e9-94d3-b15b6a97d566.png]

This behaviour, with slightly different error messages due to browser differences, is repeated on Chrome Canary, Firefox, Safari and Safari Technology Preview.

I can't for the life of me figure out how this is happening; more specifically how the mkcert certificate for one domain is being used in place of some, but not all, third party assets.

I also freely admit that there's probably some unknown interaction between all the moving parts in this but despite many hours trying to narrow this down and work out what is going on, I have drawn a blank.

So basically ... help?

kerem closed this issue 2026-02-25 22:32:38 +03:00

@vicchi commented on GitHub (Jul 17, 2019):

Update: After some more digging around on our network, this appears to be a side effect of running the Pi Hole ad blocker. Disabling this resolves the problem. So I'll close this issue now.

Also @FiloSottile thank you for an awesome and insanely useful piece of code!

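Editor's note with an added example; this is not code from the issue, the reporter, or the mkcert or nginx projects. The symptom in the screenshots (a third-party hostname answered with the mkcert certificate for garygale.test) is what nginx does when a TLS ClientHello arrives on 443 with an SNI name that matches no server_name: it hands the connection to the default server for that listen socket, which is the first server block defined unless one is marked default_server, and presents that block's certificate. For that to happen the blocked names must have resolved to an address where this nginx listens, which fits the reporter's follow-up that a Pi-hole on the network was the trigger. The configuration below reproduces the two server blocks implied by the issue (certificate paths and names are the ones listed there; the remaining directives such as root are omitted) and adds a catch-all default server as the hardening a practitioner would want, so that an unrecognized name is refused during the handshake instead of being served somebody else's certificate. The catch-all block and the use of ssl_reject_handshake are assumptions about the setup, not something the issue shows.

```nginx
# Added example, not the reporter's config. Certificate paths and server_name
# values come from the issue; the catch-all block below is an assumption.

# Catch-all for port 443. Any ClientHello whose SNI matches none of the
# server_name entries further down lands here, instead of in whichever real
# server block happens to be defined first (nginx's implicit default).
server {
    listen 443 ssl default_server;
    server_name _;

    # nginx 1.19.4 and later: abort the TLS handshake with an
    # unrecognized_name alert, so no certificate at all is sent for a name
    # this host is not meant to serve. Older builds do not know this
    # directive; there, give this block its own throwaway certificate and
    # use "return 444;" to drop the request after the handshake.
    ssl_reject_handshake on;
}

# Personal domain: garygale.test and www.garygale.test (the "+1" in the
# file name is mkcert's way of saying the cert carries two names).
server {
    listen 443 ssl;
    server_name garygale.test www.garygale.test;
    ssl_certificate     /usr/local/etc/ssl/certs/garygale.test+1.pem;
    ssl_certificate_key /usr/local/etc/ssl/certs/garygale.test+1-key.pem;
    # ... root, location and other directives as in the real config
}

# Company domain.
server {
    listen 443 ssl;
    server_name www.getrentr.test;
    ssl_certificate     /usr/local/etc/ssl/certs/www.getrentr.test.pem;
    ssl_certificate_key /usr/local/etc/ssl/certs/www.getrentr.test-key.pem;
    # ... root, location and other directives as in the real config
}
```

To confirm the mechanism on a box like the reporter's, check which block currently wins by listing the order of server blocks with `nginx -T | grep -E 'listen|server_name'`, and ask nginx directly for an unrecognized name with `openssl s_client -connect 127.0.0.1:443 -servername www.googletagmanager.com </dev/null | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'` (mkcert certificates carry the hostnames in the SAN extension, not in the subject CN). Before the catch-all is added that prints the garygale.test names; after it, the handshake fails instead. On macOS, `dig` bypasses the /etc/resolver files, so to see what the browser actually resolves a blocked name to use `dscacheutil -q host -a name www.googletagmanager.com` rather than `dig`.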