Getting ERR_CERT_AUTHORITY_INVALID in Windows Host #534

Closed
jerico opened this issue Oct 11, 2022 · 6 comments
Labels
bug Existing functionality isn't behaving as expected

Comments

@jerico
Contributor

jerico commented Oct 11, 2022

Steps to reproduce:

  1. Setup a fresh Altis project using Windows
  2. The resulting URL will not work due to invalid certificate
    • The root certificate that mkcert has generated is only getting installed inside WSL2
    • Because of HSTS, the user cannot visit the local site at all

Workaround:

  1. Install mkcert in Windows host
    a. Install Chocolatey https://chocolatey.org/install
    b. Run choco install mkcert in PowerShell
  2. Run mkcert -CAROOT in PowerShell to get where root certificate is installed in Windows host
  3. In WSL2, run composer server ssl exec -- -CAROOT to get where the generated root certificate is stored
  4. In Windows File Explorer, navigate to \\wsl$\ and browse to the WSL’s CA root directory (e.g. \\wsl$\Ubuntu-20.04\home\jerico\.local\share\mkcert)
  5. Copy rootCA.pem and rootCA-key.pem to Windows host CA root directory (Step 2)
  6. In PowerShell, run mkcert -install - this will install the generated root certificate from WSL2
  7. The browser has to be restarted for the SSL certificate to reflect

Acceptance criteria:

  • ...
@jerico jerico added the bug Existing functionality isn't behaving as expected label Oct 11, 2022
@tcrsavage

+1

The above workaround steps didn't quite work for me, but I may not have followed them exactly. What did work for me:

  1. Install mkcert in Windows host
    a. Install Chocolatey https://chocolatey.org/install
    b. Run choco install mkcert in PowerShell
  2. Run mkcert -CAROOT in PowerShell to get where root certificate is installed in Windows host
  3. In WSL2, run composer server ssl exec -- -CAROOT to get where the generated root certificate is stored
  4. In Windows File Explorer, navigate to \\wsl$\ and browse to the WSL’s CA root directory (e.g. \\wsl$\Ubuntu-20.04\home\jerico\.local\share\mkcert)
  5. Copy rootCA.pem and rootCA-key.pem from Windows host CA root directory to WSL2 directory (Step 2)
  6. In PowerShell, run mkcert -install - this will install the generated root certificate from Windows
  7. In WSL2, run composer server ssl exec -- -uninstall; composer server ssl exec -- -install to update to root cert from Windows
  8. In WSL2, run composer server ssl generate {project domain name} to generate new domain cert for project using Windows root CA
  9. The browser has to be restarted for the SSL certificate to reflect
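
To confirm the result of either workaround above, this added example (not part of the original thread, and not Altis or mkcert code) compares the SHA-256 fingerprint of rootCA.pem in the two CAROOT directories from inside WSL2, and flags a rootCA-key.pem copy that other local users can read. The function names, the script name and reaching the Windows directory through /mnt/c are assumptions; pass the directories that mkcert -CAROOT reports on each side.

```python
"""Run inside WSL2: check that two mkcert CAROOT directories hold the same root CA."""
import base64
import hashlib
import re
import stat
import sys
from pathlib import Path

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprint(pem_text):
    """SHA-256 of the DER bytes of the first certificate in a PEM string."""
    match = PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    # Hash the decoded bytes, not the file, so CRLF/LF differences introduced
    # by copying between Windows and WSL2 do not change the result.
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def check_caroots(wsl_root, win_root):
    """Return a list of findings; an empty list means both roots agree."""
    findings, prints = [], {}
    for label, root in (("WSL2", Path(wsl_root)), ("Windows", Path(win_root))):
        cert = root / "rootCA.pem"
        if not cert.is_file():
            findings.append(f"{label}: no rootCA.pem in {root}")
            continue
        prints[label] = cert_fingerprint(cert.read_text())
    if len(prints) == 2 and prints["WSL2"] != prints["Windows"]:
        findings.append("mismatch: site certs signed by one root CA will not "
                        "chain to the other")
    # rootCA-key.pem can sign certificates for any domain, so flag a copy that
    # other local users can read. Only the WSL2 side is checked because mode
    # bits on /mnt/c mounts are usually synthetic (assumption).
    key = Path(wsl_root) / "rootCA-key.pem"
    if key.is_file() and stat.S_IMODE(key.stat().st_mode) & 0o077:
        findings.append(f"WSL2: {key} is accessible to group/others (chmod 400)")
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_caroots.py <WSL2 CAROOT> <Windows CAROOT under /mnt/c>")
    results = check_caroots(sys.argv[1], sys.argv[2])
    print("\n".join(results) if results else "OK: both CAROOTs hold the same root CA")
    sys.exit(1 if results else 0)
```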

@tcrsavage

Additionally, to get the Firefox browser to accept the cert, an additional step is required -- only impacts FF

Go to: about:preferences#privacy -> View Certificates -> Authorities -> Import
Select rootCA.pem from installed directory in step 2 from above

@rmccue
Member

rmccue commented Oct 26, 2022

Thanks for the extra testing! Interesting though, mkcert is meant to install directly into Firefox's CA root store as well so might be something a bit dodgy there; were there any messages about that when you ran mkcert -install?

@tcrsavage

Yep, seems to be specific to Windows

mkcert -install
The local CA is already installed in the system trust store! 👍
Note: Firefox support is not available on your platform. ℹ️

@rmccue
Member

rmccue commented Oct 26, 2022

Aha, thanks!

@mikelittle
Contributor

Closing this as I think it is out of date.
Please re-open if required.
