[GH-ISSUE #307] Your connection is not private / NET::ERR_CERT_AUTHORITY_INVALID on windows 10 #198

Closed
opened 2026-02-25 22:32:50 +03:00 by kerem · 6 comments

Originally created by @sontek on GitHub (Nov 14, 2020).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/307

I just did the following, in a Docker container:

```
mkcert eventapp.local "eventapp.local" "localhost" 127.0.0.1 ::1
```

Then I tried using that in nginx. Then in the host machine (Windows) I ran:

```
mkcert -install
```

If I re-run that, it says it's already installed:

```
.\mkcert.exe -install
The local CA is already installed in the system trust store! 👍
Note: Firefox support is not available on your platform. ℹ️
```

But when I try to go to http://eventapp.local in Chrome:

```
Subject: mkcert development certificate
Issuer: mkcert root@buildkitsandbox
Expires on: Feb 14, 2023
Current date: Nov 14, 2020
PEM encoded chain:
```

Any idea what might cause this?

kerem 2026-02-25 22:32:50 +03:00
  • closed this issue
  • added the question label

@FiloSottile commented on GitHub (Nov 14, 2020):

The host machine and the docker container will have different roots. You need to copy the root from the container to the host machine before running `-install`. You can print the path with `mkcert -CAROOT`.


@sontek commented on GitHub (Nov 14, 2020):

OK, this makes sense. It generates a CA Root for each system. So if you want to share it across systems you need to:

```
mkcert -CAROOT
```

In the docker container to find the root, and then share it to the other system and then:

```
set $CAROOT to its directory
```

To the files you just got, then run:

```
run mkcert -install
```

and it allows a separate system to securely access the docker container.


@FiloSottile commented on GitHub (Nov 14, 2020):

Correct. Remember that if you share these files, for example by turning the container into an image and then pushing it, they can compromise the security of all machines where that root was installed.


@FiloSottile commented on GitHub (Nov 14, 2020):

An alternative would be to generate the certificate on the host, and then copy just the certificate (not the root) into the container, instead of running mkcert inside the container.


@sontek commented on GitHub (Nov 14, 2020):

Yeah, I want to generate it in the container so each dev gets a unique one (rather than committing the cert in git). But then I need to give their host system a way to access that root so they can install it.


@sontek commented on GitHub (Nov 14, 2020):

Oh, that's true, I could just make each dev run the mkcert command to generate the cert first.
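
The failure discussed in this thread, reproduced offline as an added example (not part of the original issue or of mkcert): two throwaway CAs made with `openssl` stand in for the container's and the host's roots, and a leaf issued by the first is verified against each. The CA names, file names and helper functions are hypothetical.

```sh
#!/bin/sh
# Constructed demo: throwaway CAs stand in for the container's and the host's
# mkcert roots. Names, paths and helpers are hypothetical; needs openssl.

# make_ca DIR NAME: write a self-signed root (NAME.pem, NAME-key.pem) to DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=demo development CA/CN=$2" \
        -keyout "$1/$2-key.pem" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR CA_NAME: issue DIR/leaf.pem for eventapp.local from CA_NAME.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=eventapp.local" \
        -keyout "$1/leaf-key.pem" -out "$1/leaf.csr" 2>/dev/null &&
    printf 'subjectAltName=DNS:eventapp.local,DNS:localhost,IP:127.0.0.1\n' \
        > "$1/ext.cnf" &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 -extfile "$1/ext.cnf" \
        -CA "$1/$2.pem" -CAkey "$1/$2-key.pem" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

# chains_to ROOT LEAF: succeed only if LEAF verifies against ROOT.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# run_demo: print, per root, whether the container-issued leaf chains to it.
run_demo() {
    d=$(mktemp -d) || return 1
    if make_ca "$d" container-root && make_ca "$d" host-root &&
        issue_leaf "$d" container-root; then
        for root in container-root host-root; do
            if chains_to "$d/$root.pem" "$d/leaf.pem"; then
                echo "$root: trusted"
            else
                echo "$root: NOT trusted"
            fi
        done
    fi
    rm -rf "$d"
}

run_demo
```

Against a real setup, the same `openssl verify` call, given the root certificate from the host's `mkcert -CAROOT` directory and the certificate nginx serves, shows whether the host's root issued it.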
