31

I'm testing a device which generates a new self-signed certificate after each hard reset.

Immediately after installing macOS Catalina, recent versions of Chrome (and Brave) have started throwing a NET::ERR_CERT_REVOKED exception, even though there is definitely no published CRL for this device, and the certificates generated on reset have unique serial numbers.

The error message has the following form:

You cannot visit [address redacted] right now because its certificate has been revoked. Network errors and attacks are usually temporary, so this page will probably work later.

Clicking on the "Advanced" button does not present any way to override this error.

What's going on here? How can I work around it, without making my browser unsafe for general-purpose usage (as would be the case by telling it to ignore all certificate errors indiscriminately)?

Charles Duffy
  • Possible duplicate of https://superuser.com/questions/1152291/chrome-and-firefox-ignore-certificate-errors – garethTheRed Oct 14 '19 at 17:13
  • Hmm. It's a *possible* duplication, but this just started happening -- as in, within the last week -- so there may well be a different root cause than one would see reflected in answers to a question from 2016. Then again, if one just wants a workaround, not a root cause, then the answer there may be adequate. – Charles Duffy Oct 14 '19 at 17:29
  • Try to start Chrome with the parameter `-ignore-certificate-errors`. – harrymc Oct 14 '19 at 17:33
  • @harrymc, yes, that's what the existing knowledge-base entries teach -- and that would work if I were using a separate browser instance for nothing but testing. That's nothing remotely like an ideal solution, though; I'd rather know *why* this is happening (is there a cache of prior serial numbers seen for the same CN?) and how to directly address it (where does that cache live? Can it be cleaned up?). – Charles Duffy Oct 14 '19 at 17:40
  • I have similar problem too. Would be great to find out where the cache is and purge it. In my case, seems like Charles is using an older certificate. – Mohamed El Mahallawy Oct 16 '19 at 23:50
  • @MohamedElMahallawy, ...the issue was not "older", but "with a validity period longer than Catalina permits". – Charles Duffy Oct 16 '19 at 23:54
  • What version of https / TLS etc is the site running? – Hefewe1zen Oct 19 '19 at 00:13
  • @MohamedElMahallawy Charles does cache the certificates it generates for servers, but it replaces them immediately if the server certificate changes. If it didn't seem to, does restarting Charles address it? – Karl von Randow Oct 29 '19 at 09:02
  • @KarlvonRandow it does not. I do think there is either: 1. caching problem because I see a different expiry date for the certificate when Charles is running vs not. 2. I think Catalina introduced expiry limits on certificates and that might be a problem. – Mohamed El Mahallawy Oct 31 '19 at 05:17
  • @MohamedElMahallawy That's odd that there'd be a different expiry on the real certificate. Very strange. Is the certificate in question a self-signed certificate? – Karl von Randow Nov 03 '19 at 00:05
  • @KarlvonRandow it is self-signed – Mohamed El Mahallawy Nov 18 '19 at 23:35

6 Answers

46

A quick workaround (ensure you trust the site)

In the Chrome browser, whilst on the page, type:

thisisunsafe
Jossef Harush Kadouri
35

Apple has introduced a series of new requirements for SSL certificates to be accepted by Catalina, documented at https://support.apple.com/en-us/HT210176. To summarize here:

  • Key size must be at least 2048 bits.
  • Hash algorithm must be SHA-2 or newer.
  • DNS names must be in a SubjectAltName, not in the CN field only.

Moreover, for certificates issued after 2019-07-01:

  • The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
  • The validity period may not be longer than 825 days.

...and, for certificates issued after 2020-08-01 (per HT211025):

  • The validity period may not be longer than 398 days.
Charles Duffy
EOhm
  • Thank you for that link -- it's almost certainly a proper answer to my question! I've proposed an edit putting the essential information in the answer itself, as required by rules for most Stack Exchange sites (see https://meta.stackexchange.com/questions/225370/your-answer-is-in-another-castle-when-is-an-answer-not-an-answer for an extended discussion); when that edit is applied, I'll be glad to accept this. – Charles Duffy Oct 15 '19 at 19:28
  • Yes, I think at least the requirement to use SAN for all names (so that in fact CN is more or less ignored) and the id-kp-ServerAuth EKU extension will cause many certificates not issued by professional or at least well-informed CAs to suddenly become invalid from that perspective. Also, quite a few self-signed certificates might have a validity period longer than 825 days (or are created as such if the new limitation is not known). The first two points are covered by modern OpenSSL versions and such by default, I think. – EOhm Oct 15 '19 at 20:45
  • Fixed it for me. The 825 days for the self-signed certificate were my root cause. The CA cert can still be valid for a longer period. – gabel Oct 28 '19 at 07:53
  • Yep, the 825 days did it for me. Couldn't figure out why my site worked in Windows but not Mac. Thanks for this info, saved the day! – Vinny Mar 03 '20 at 23:06
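As an added example, not code from this thread, from Apple or from Charles Proxy, the following POSIX shell script generates a self-signed server certificate with the OpenSSL CLI that satisfies each rule listed in this answer (2048-bit RSA key, SHA-256 signature, DNS name in a subjectAltName, serverAuth EKU, 825-day validity), then runs a checker over it and over a deliberately non-compliant three-year certificate of the kind gabel and Vinny describe. The host name `device.local`, the temporary working directory and the 825-day limit are assumptions; pass 398 as the limit for certificates issued after September 2020.

```shell
#!/bin/sh
# Added example: build a Catalina-compliant self-signed TLS server certificate and
# check certificates against the rules from HT210176. Requires the openssl CLI.
# Host name "device.local" and the directory layout are assumptions for the demo.
set -eu

MAX_DAYS=825   # limit for certificates issued after 2019-07-01 (use 398 after 2020-09-01)

# gen_cert HOST DIR DAYS: RSA-2048 key, SHA-256 signature, SAN + serverAuth EKU.
# Extensions come from a config file rather than -addext so older OpenSSL/LibreSSL work too.
gen_cert() {
  host="$1"; dir="$2"; days="$3"
  cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
CN = $host
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
    -config "$dir/req.cnf" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# check_cert CERT MAX_DAYS: return 0 if every Catalina rule passes, 1 on the first failure.
# The validity check is relative to "now", so it is meant for freshly issued certificates.
check_cert() {
  cert="$1"; max_days="$2"
  text=$(openssl x509 -in "$cert" -noout -text)

  # Rule: key size >= 2048 bits ("Public-Key: (2048 bit)" in openssl's text dump)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL key size ${bits:-?} < 2048" >&2; return 1; }

  # Rule: signature hash must be SHA-2 (RSA or ECDSA forms)
  printf '%s\n' "$text" | grep -Eq 'Signature Algorithm: (sha(256|384|512)|ecdsa-with-SHA(256|384|512))' \
    || { echo "FAIL signature hash is not SHA-2" >&2; return 1; }

  # Rule: DNS name must appear in subjectAltName, not only in CN
  printf '%s\n' "$text" | grep -Eq '^ *DNS:' \
    || { echo "FAIL no DNS name in subjectAltName" >&2; return 1; }

  # Rule: extendedKeyUsage must contain id-kp-serverAuth
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL extendedKeyUsage lacks serverAuth" >&2; return 1; }

  # Rule: validity <= MAX_DAYS. -checkend exits 0 if the cert is still valid N seconds
  # from now; a compliant certificate must already be expired at now + max_days (+slack).
  if openssl x509 -in "$cert" -noout -checkend $((max_days * 86400 + 60)) >/dev/null; then
    echo "FAIL validity period longer than $max_days days" >&2; return 1
  fi
  return 0
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/good" "$WORK/bad"

gen_cert device.local "$WORK/good" "$MAX_DAYS"   # compliant certificate
gen_cert device.local "$WORK/bad"  1095          # three-year validity: rejected by Catalina

for d in good bad; do
  if check_cert "$WORK/$d/cert.pem" "$MAX_DAYS"; then
    echo "$d: accepted"
  else
    echo "$d: rejected"
  fi
done
```

Run it with `sh` wherever the openssl CLI is installed; the checker reads the properties Catalina enforces straight out of `openssl x509 -text`, so the same function can be pointed at a certificate downloaded from the device to see which rule it trips before regenerating it.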
8

If you need a workaround to get the site working without replacing the certificate you can do the following.

  1. Download the certificate from the server (using another browser or with openssl)
  2. Install the certificate into Keychain Access under the login store
  3. Set the certificate to "always trust" by double clicking on it once it's been installed.
Daniel
4

Looks like Catalina has some new requirements on certificate signatures. Charles probably needs to update their cert generation.

https://forums.developer.apple.com/thread/119877

1

Additional information for certificates issued after September of 2020:

TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days

https://support.apple.com/en-us/HT211025

https://support.apple.com/en-us/HT210176

-2

Yes, it's correct that on macOS Catalina, Chrome and Safari give a "NET::ERR_CERT_REVOKED" error on self-signed certificates, for various reasons. But to get your work started quickly, you can use Mozilla Firefox. I installed the Mozilla browser and it worked for me.

Sam Jha