
We have a set of internal (dev/test/QA/ORT/preprod) LAMP servers that we use self-signed certificates for. Normally this isn't a problem - we just click the exception ("Proceed to w.x.y.z (unsafe)") and continue on with our day.

Recently, we've been experiencing an issue with Chrome where Chrome appears to "forget" that we've accepted the exception, and we have to accept the exception again. And this happens often enough that it'll occur in the middle of clicking a "submit" button, which breaks other things in our product.

Has anybody else experienced this? Are there any workarounds (other than using proper certificates, using a different browser, or not using HTTPS)?

This is Apache 2.2.29 on CentOS 5 (Linux 2.6.18-406.el5, x64).

Also, apologies if this is the wrong forum for this - not sure where this should go.

user264717
    No idea whether it's a Chrome bug, but the "workaround", by which I mean "right way to do it and clicking through every time is the real workaround", is to publish your internal self-signed Certificate Authority certificate to all your computers. Then they will trust your self-signed certificates and give no warning. On a Windows domain you can do this distribution with group policy easily enough, otherwise it's going to depend on your workstation OSs and management tools. – TessellatingHeckler Oct 15 '15 at 18:20
  • This is not a "bug", is a security measure of Chrome. Not a question for this forum. But the above comment is surely right on the measure it suggests. – Renato Oliveira Oct 16 '15 at 09:29
  • I guess this is a bit late, but yes, confirmed: it is a bug (https://code.google.com/p/chromium/issues/detail?id=516808). This is for a system that I deploy and destroy a dozen times a day during testing, so internal CA stuff doesn't work for this workflow. But upgrading Chrome apparently fixes the issue. – user264717 Nov 04 '15 at 19:40

1 Answer


My recommendation to you would be to set up a testing CA, and install the testing CA certificate only on the computers involved in the various test stages you have. Then, issue the application certificates from that CA instead of making self-signed ones. You will save all kinds of time.

As for why Chrome is doing this, there could be a number of reasons. For example, if the host in the URL changes during some request, that would cause it. There might be a bug (or misfeature) causing it to require the certificate exception be separately asserted in each context it is required in. It could be something else too. But, you will find that with security considerations being more and more the focus of browser development, and the common understanding that unauthenticated encryption is insecure, using certificates that don't correctly validate will cause all kinds of subtle little problems. Make a CA. Your test will be more realistic and you will have less pain.

Falcon Momot