SSL certificate doesn't work for localhost on Ubuntu 16.04

Question

Im trying to add a certificate for my vps on localhost, so I can access my node server running on port 1337 from my vps using https://localhost:1337.

Currently it gives me an "Your connection is not secure" when accessed by Firefox on my vps. However accessing https://my-website.example:1337 works fine.

Steps I did so far:

1. cd /usr/local/share/ca-certificates
2. openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout localhost.key -out localhost.crt
   • Country Name: empty
   • State or Province name: empty
   • Locality name: empty
   • Organization name: empty
   • Organizational unit name: empty
   • Common Name: localhost
   • Email address: empty
3. chmod 644 localhost.crt
4. chmod 644 localhost.key
5. sudo update-ca-certificates

Answer 1

The certificate must be also added to the browser trusted store, the step you made is just for tools like CURL, WGET, etc.

In my docker containers for local development I use a set of bash scripts to setup a Root Certificate Authority that I will use to issue all domain certificates I need for development.

The browser only needs to know about the Root Certificate Authority and your server will need to know about all domain certificates you issue.

Please try the below set of scripts in this order:

./setup-root-certificate.sh "root-ca.key" "root-ca.pem" "RootCertificateAuthority" && \
./create-domain-certificate.sh "localhost" "root-ca.key" "root-ca.pem" && \
./add-certificate-to-browser.sh "root-ca.pem" "RootCertificateAuthority"

Now just add the Domain certificate into your Apache, Nginx or any other server you are using and restart your browser and server.

This solution does not need that you add an exception on the first time you visit your localhost domain.

ALERT: This scripts have been used inside Docker containers and I have not tested them in the host machine directly, but should work in same way.

To setup a root certificate: ./setup-root-certificate.sh

#!/bin/bash

set -eu

###
# inspired https://fabianlee.org/2018/02/17/ubuntu-creating-a-trusted-ca-and-san-certificate-using-openssl-on-ubuntu/
###


ROOT_CA_KEY="${1?Missing Name for root certificate KEY file}"
ROOT_CA_PEM="${2?Missing Name for root certificate PEM file}"
ROOT_CA_NAME="${3?Missing Certificate Name}"
CONFIG_FILE="${4:-openssl.cnf}"

if [ ! -f ROOT_CA_PEM ]
    then
        printf "\n>>> CREATING A ROOT CERTIFICATE <<<\n"

        openssl req \
            -new \
            -newkey rsa:4096 \
            -days 3650 \
            -nodes \
            -x509 \
            -extensions v3_ca \
            -subj "/C=US/ST=CA/L=SF/O=${ROOT_CA_NAME}/CN=${ROOT_CA_NAME}" \
            -keyout ${ROOT_CA_KEY} \
            -out ${ROOT_CA_PEM} \
            -config ${CONFIG_FILE}

        printf "\n>>> ADDING ROOT CERTIFICATE TO THE TRUSTED STORE <<<\n"

        # add certificate to the trust store
        cp ${ROOT_CA_PEM} /usr/local/share/ca-certificates/self-signed-root-ca.crt
        update-ca-certificates

        # verifies the certificate
        openssl x509 -in ${ROOT_CA_PEM} -text -noout > "${ROOT_CA_NAME}.txt"

        printf "\n >>> ROOT CERTICATE CREATED SUCCESEFULY<<<\n"

    else
        printf "\n >>> ROOT CERTICATE ALREADY EXISTS <<<\n"
fi

To create the Domain certificate: ./create-domain-certificate.sh

    #!/bin/bash

set -eu

###
# inspired https://fabianlee.org/2018/02/17/ubuntu-creating-a-trusted-ca-and-san-certificate-using-openssl-on-ubuntu/
###


DOMAIN="${1:-example.com}"
ROOT_CA_KEY="${2?Missing Name for root certificate KEY file}"
ROOT_CA_PEM="${3?Missing Name for root certificate PEM file}"

DOMAIN_CA_KEY="${DOMAIN}.key"
DOMAIN_CA_CSR="${DOMAIN}.csr"
DOMAIN_CA_CRT="${DOMAIN}.crt"
DOMAIN_CA_TXT="${DOMAIN}.txt"
CONFIG_FILE="${DOMAIN}.cnf" 


printf "\n>>> MERGINGING CONFIGURATION FROM ${DOMAIN_CA_TXT} INTO ${CONFIG_FILE} <<<\n"
cat openssl.cnf ${DOMAIN_CA_TXT} > ${CONFIG_FILE}


printf "\n>>> GENERATING KEY FOR DOMAIN CERTIFICATE: ${DOMAIN_CA_KEY} <<<\n"

# generate the private/public RSA key pair for the domain
openssl genrsa -out ${DOMAIN_CA_KEY} 4096

printf "\n>>> GENERATING CSR FOR DOMAIN CERTIFICATE: ${DOMAIN_CA_CSR} <<<\n"

# create the server certificate signing request:
openssl req \
    -subj "/CN=${DOMAIN}" \
    -extensions v3_req \
    -sha256 \
    -new \
    -key ${DOMAIN_CA_KEY} \
    -out ${DOMAIN_CA_CSR}

printf "\n>>> GENERATING CRT FOR DOMAIN CERTIFICATE: ${DOMAIN_CA_CRT} <<<\n"

# generate the server certificate using the: server signing request, the CA signing key, and CA cert.
openssl x509 \
            -req \
            -extensions v3_req \
            -days 3650 \
            -sha256 \
            -in ${DOMAIN_CA_CSR} \
            -CA ${ROOT_CA_PEM} \
            -CAkey ${ROOT_CA_KEY} \
            -CAcreateserial \
            -out ${DOMAIN_CA_CRT} \
            -extfile ${CONFIG_FILE}

# verifies the certificate
openssl x509 -in ${DOMAIN_CA_CRT} -text -noout > ${DOMAIN}.txt

printf "\n >>> CERTIFICATE CREATED FOR DOMAIN: ${DOMAIN} <<<\n"

To add the root certificate into the browser trusted certificates store: ./add-certificate-to-browser.sh

#!/bin/bash

###
# https://thomas-leister.de/en/how-to-import-ca-root-certificate/
###


### Script installs root.cert.pem to certificate trust store of applications using NSS
### (e.g. Firefox, Thunderbird, Chromium)
### Mozilla uses cert8, Chromium and Chrome use cert9

###
### Requirement: apt install libnss3-tools
###


###
### CA file to install (CUSTOMIZE!)
###

CA_PEM="${1?Missing file name for the PEM certificate}"
CA_NAME="${2?Missing Certificate Name}"
BROWSER_CONFIG_DIR="${3:-/home}"

###
### For cert8 (legacy - DBM)
###

for certDB in $(find ${BROWSER_CONFIG_DIR} -name "cert8.db")
do
    certdir=$(dirname ${certDB});
    certutil -A -n "${CA_NAME}" -t "TCu,Cu,Tu" -i ${CA_PEM} -d dbm:${certdir}
done


###
### For cert9 (SQL)
###

for certDB in $(find ${BROWSER_CONFIG_DIR} -name "cert9.db")
do
    certdir=$(dirname ${certDB});
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i ${CA_PEM} -d sql:${certdir}
done