This repository has been archived by the owner on Feb 13, 2023. It is now read-only.

Regenerate included self-signed SSL certificate with less than 825 day validity period #2001

Open
timwood opened this issue Dec 30, 2019 · 7 comments

Comments

@timwood

timwood commented Dec 30, 2019

Issue Type

  • Bug Report / Support Request

Your Environment

$ vagrant --version && echo "VirtualBox `vboxmanage --version`" && ansible --version
Vagrant 2.2.6
VirtualBox 6.0.14r133895
-bash: ansible: command not found

Your OS

  • macOS (Catalina 10.15.2)

Summary

Make sure DrupalVM self-signed SSL certificate meets latest Apple MacOS requirements/constraints from Catalina (https://superuser.com/a/1492657). Catalina now requires that SSL certificates issued after 7/1/2019 include the following constraints:

  • The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
  • The validity period may not be longer than 825 days.

I'm pretty sure my issue is due to the validity period going until 2029, much longer than 825 days, but I didn't know how to check for the other constraint listed above. The error Chrome throws is NET::ERR_CERT_REVOKED, and it doesn't allow you to pass the certificate error screen with an exclusion. But the trick of typing thisisunsafe works.

@phizev
Contributor

phizev commented Jan 1, 2020

@timwood I've been using workaround Ansible tasks on Ubuntu 18.04 for this for a while; this should also allow the server to make HTTPS requests to itself without having to accept invalid certificates. It should cover all of the tighter certificate requirements, which I believe are also going to impact software beyond macOS in time. The tasks below should be self-explanatory as to what they are doing. The script which is modified has the 10-year period hard-coded within it. While this is not a proper fix for the issue, it has resolved the issue for my requirements.

It also leads to a certificate which is wildcarded for subdomains of {{ vagrant_hostname }}.

It needs to go into the location referred to by post_provision_tasks_dir: "{{ config_dir }}/my/tasks/", in your config.yml.

---
# This is a gross way of handling this, but given that it's for a dev environment,
# time/benefit trade off, and grossness of current workaround...
- name: Set hostnames for snakeoil certificate, and alter extendedKeyUsage.
  lineinfile:
    path: /usr/share/ssl-cert/ssleay.cnf
    regexp: "{{ item.regex }}"
    line: "{{ item.line }}"
  with_items:
    - { regex: '^commonName', line: "commonName = {{ vagrant_hostname }}" }
    - { regex: '^subjectAltName', line: "subjectAltName = DNS:{{ vagrant_hostname }},DNS:*.{{ vagrant_hostname }},IP:{{ vagrant_ip }}" }
    - { regex: '^extendedKeyUsage', line: "extendedKeyUsage = serverAuth" }

- name: Modify script to reduce validity period to 2 years.
  replace:
    path: /usr/sbin/make-ssl-cert
    regexp: '(.*)-days \d+(.*)'
    replace: '\1-days 730\2'

- name: Regenerate snakeoil certificate.
  command: /usr/sbin/make-ssl-cert generate-default-snakeoil --force-overwrite
  notify:
    - restart webserver
    - restart postfix

- name: Regenerate the certificate store.
  command: /usr/sbin/update-ca-certificates --fresh

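The two constraints quoted in the issue summary (extendedKeyUsage containing id-kp-serverAuth, validity of at most 825 days) and the wildcard SAN that the tasks above write into ssleay.cnf can be checked directly with openssl. The following script is an added example and is not part of the issue, the Drupal VM project, or make-ssl-cert: it generates a self-signed certificate that meets those constraints and audits any PEM certificate for them. HOST and IP are placeholder values standing in for {{ vagrant_hostname }} and {{ vagrant_ip }}; it assumes openssl 1.1.1 or later (for -addext) and either GNU or BSD date.

```sh
#!/bin/sh
# Added example, not Drupal VM or make-ssl-cert code. Generates a self-signed
# certificate that satisfies the constraints quoted in the issue and audits any
# PEM certificate for them. Assumes openssl 1.1.1+ (-addext) and GNU or BSD date.
set -eu

# Placeholders standing in for {{ vagrant_hostname }} and {{ vagrant_ip }}.
HOST=${HOST:-drupalvm.test}
IP=${IP:-192.168.88.88}

# make_cert DIR DAYS [EKU]: writes DIR/key.pem and DIR/cert.pem with the same
# SAN shape as the tasks above. Pass an empty third argument to omit
# extendedKeyUsage (the shape of the stock snakeoil certificate).
make_cert() {
  local dir=$1 days=$2 eku=${3-serverAuth}
  set -- -addext "subjectAltName=DNS:$HOST,DNS:*.$HOST,IP:$IP"
  [ -n "$eku" ] && set -- "$@" -addext "extendedKeyUsage=$eku"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=$HOST" "$@" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# to_epoch "Dec 30 12:00:00 2019 GMT": seconds since the epoch (GNU date, BSD fallback).
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null || date -ju -f '%b %e %T %Y %Z' "$1" +%s
}

# audit_cert CERT.pem: prints one line per violation of the constraints in the
# issue summary (plus a SAN check for $HOST) and returns the number of
# violations, so 0 means the certificate is compliant.
audit_cert() {
  local cert=$1 text nb na days n=0
  text=$(openssl x509 -in "$cert" -noout -text)
  nb=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
  # Total validity period, not time remaining: Catalina limits the whole span.
  days=$(( ( $(to_epoch "$na") - $(to_epoch "$nb") ) / 86400 ))
  if [ "$days" -gt 825 ]; then
    echo "validity period is $days days (limit 825)"; n=$((n + 1))
  fi
  # openssl renders id-kp-serverAuth as "TLS Web Server Authentication".
  if ! printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'; then
    echo "extendedKeyUsage is missing id-kp-serverAuth"; n=$((n + 1))
  fi
  if ! printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -qF "DNS:$HOST"; then
    echo "subjectAltName does not list DNS:$HOST"; n=$((n + 1))
  fi
  return "$n"
}

# Demo: a compliant 730-day certificate next to a 10-year one without EKU, the
# shape of certificate Catalina rejected.
demo() {
  local tmp c
  tmp=$(mktemp -d)
  mkdir -p "$tmp/good" "$tmp/bad"
  make_cert "$tmp/good" 730
  make_cert "$tmp/bad" 3650 ""
  for c in good bad; do
    echo "== $c cert"
    if audit_cert "$tmp/$c/cert.pem"; then echo "compliant"; fi
  done
  rm -rf "$tmp"
}
demo
```

To audit the certificate the tasks above regenerate, run `HOST=<your vagrant_hostname> sh audit.sh` after replacing the demo call with `audit_cert /etc/ssl/certs/ssl-cert-snakeoil.pem`; a non-zero exit status is the number of constraints the certificate fails. The validity check measures the full notBefore-to-notAfter span rather than the time left, which is what Catalina's 825-day rule constrains, so a fresh 10-year certificate fails even though it is nowhere near expiry.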
@stale

stale bot commented Apr 6, 2020

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

@stale stale bot added the stale label Apr 6, 2020
@joestewart
Contributor

This is still valuable information.

@stale

stale bot commented Apr 6, 2020

This issue is no longer marked for closure.

@stale stale bot removed the stale label Apr 6, 2020
@geerlingguy geerlingguy added the mac label Apr 6, 2020
@geerlingguy
Owner

geerlingguy commented Apr 6, 2020

@joestewart - I believe the SSL cert that's created was set up by the OS itself, and that Drupal VM's automation doesn't actually do any of the work in generating a cert... is this something that might benefit more from some documentation?

Or I guess maybe we could touch it up in a new task include, as I see @phizev's solution modifies the snakeoil cert to work with the right time period. One annoying thing is that the solution is specific to Ubuntu, and I don't believe it would work out of the box with Debian or CentOS.

@geerlingguy
Owner

Not Mac-specific, so removing that label.

@jonnyeom

I really like @phizev's solution. It works super solidly on every project of mine.
I think this could be an option/feature to add.

5 participants