Mac OS Catalina invalidates virtual host certificates #640
Comments
Same exact problem. The alternative solution works until the containers are recreated. Is there a way to keep the change even when the containers are being re-built?
@smagnaschi I was having the same issue but was able to create a workaround using the docker-compose.override.yml. Note: This is only if you are using apache-2.4. If not, the fix outlined below does not work. Place this docker-compose.override.yml file in the root of your devilbox installation, then restart devilbox. Once restarted, you should be able to run This should rebuild without issue and you should always have the correct certificate -days marker set using the above override. To remove it (and go back to normal), just delete the override file from the root of your devilbox installation.
Perfect (for now)! Let's hope that this will be fixed for good.
Definitely not a permanent solution, but it'll help anyone who's running Catalina and has this issue.
Update: Smoother and more reasonable fix. The editing of the core ca-gen and cert-gen libraries was unnecessary. I have amended my version of the docker-apache-2.4 library here to allow Devilbox users to set the validity period of their SSL Certificates via the Steps:
Ways to confirm the changes worked
Where do we go from here? I am going to create a pull request at the docker-apache-2.4 repository and if @cytopia pulls it into the repository, step 2 above will no longer be required and only step 3 will be needed to set your validity period.
thanks @tmort workaround works perfectly!
Will be fixed here: #647
See Summary for a temporary fix for Catalina users
ISSUE TYPE
OS / ENVIRONMENT
SUMMARY
In Mac OS Catalina, Certificates are expected to not have a validity period of more than 825 days. This was first mentioned in issue #622 by @science695. Any certificates that are issued past July 1st, 2019 fall under this and will display a certificate error.
The issue is how devilbox is generating certificates. It uses a tool called cert-gen (also by @cytopia). In this tool, a validity period of 10 years (3650 days) is set, and every time a certificate (or the certificate authority) is generated in devilbox, that value is used.
Quick and Temporary fix
In order to get this working, I manually changed the cert-gen and ca-gen files found in the httpd docker container.
Backup your files and do this at your own risk.
docker-compose exec httpd bash -l
apt-get update && apt-get install vim
cd /usr/bin/
DEF_DAYS=800
DEF_DAYS=800
Example of what happens
When devilbox generates a virtual host, it uses the OpenSSL command based on the cert-gen and ca-gen scripts. By looking at the devilbox logs
docker-compose logs php -f
we can see that when a virtual host is renamed, the certificate is issued like this:
httpd_1 | $ openssl x509 -req -extensions v3_req -extfile <(printf '[ req ]\nreq_extensions = v3_req\n[ v3_req ]\nsubjectAltName=DNS.1:myvhost.loc,DNS.2:*.myvhost.loc\n') -days 3650 -in /etc/httpd/cert/mass/myvhost.loc.csr -CA /ca/devilbox-ca.crt -CAkey /ca/devilbox-ca.key -CAcreateserial -out /etc/httpd/cert/mass/myvhost.loc.crt
Note the parameter -days is set to 3650 above. Once you make the changes to your cert-gen file as noted above and regenerate your virtual host, you should see something like this:
httpd_1 | $ openssl x509 -req -extensions v3_req -extfile <(printf '[ req ]\nreq_extensions = v3_req\n[ v3_req ]\nsubjectAltName=DNS.1:myvhost.loc,DNS.2:*.myvhost.loc\n') -days 800 -in /etc/httpd/cert/mass/myvhost.loc.csr -CA /ca/devilbox-ca.crt -CAkey /ca/devilbox-ca.key -CAcreateserial -out /etc/httpd/cert/mass/myvhost.loc.crt
As you can see above, the -days parameter has been modified to 800.
STEPS TO REPRODUCE
EXPECTED BEHAVIOUR
ACTUAL BEHAVIOUR
OTHER INFORMATION
Additional Reading
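One way to confirm that a regenerated certificate stays within the 825-day limit described in this issue, as an added example that is not part of the original issue or of devilbox. It reads the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates`; the function names and the sample dates are constructed for illustration.

```python
import subprocess
from datetime import datetime, timedelta

MAX_VALIDITY = timedelta(days=825)   # limit described in the issue
CUTOFF = datetime(2019, 7, 1)        # limit applies to certificates issued after this date


def parse_dates(text):
    """Read notBefore/notAfter from `openssl x509 -noout -dates` output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days ("Oct  7"); collapse the spaces
            stamp = " ".join(value.split())
            found[key] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    if len(found) != 2:
        raise ValueError("expected both notBefore and notAfter lines")
    return found["notBefore"], found["notAfter"]


def check_validity(text):
    """Return (validity_in_days, acceptable) for one certificate's dates."""
    not_before, not_after = parse_dates(text)
    validity = not_after - not_before
    limited = not_before > CUTOFF            # older certificates are exempt
    return validity.days, not (limited and validity > MAX_VALIDITY)


def check_file(path):
    """Run the check on a PEM certificate (requires the openssl CLI)."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-dates"],
                         check=True, capture_output=True, text=True).stdout
    return check_validity(out)


# Constructed sample outputs (not taken from a real devilbox certificate)
SAMPLE_3650 = "notBefore=Oct  7 12:00:00 2019 GMT\nnotAfter=Oct  4 12:00:00 2029 GMT\n"
SAMPLE_800 = "notBefore=Oct  7 12:00:00 2019 GMT\nnotAfter=Dec 15 12:00:00 2021 GMT\n"

if __name__ == "__main__":
    for name, sample in (("-days 3650", SAMPLE_3650), ("-days 800", SAMPLE_800)):
        days, ok = check_validity(sample)
        print(f"{name}: {days} days -> {'ok' if ok else 'exceeds 825-day limit'}")
```

`check_file` can be pointed at a generated certificate such as the `.crt` path shown in the log lines above, from any shell where that file and the `openssl` CLI are available.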