Chrome on MacOS Catalina Throwing NET::ERR_CERT_REVOKED

[arambau]

Possibly related to https://support.apple.com/en-us/HT210176.

Subject: localhost

Issuer: localhost

Expires on: Sep 30, 2069

Current date: Oct 13, 2019

PEM encoded chain:
-----BEGIN CERTIFICATE-----
MIIDmzCCAoOgAwIBAgIJAMWdFd+lpixsMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
VQQGEwJDWTETMBEGA1UECBMKQ3liZXJzcGFjZTEaMBgGA1UEBxMRU1NMIENvbmZp
ZyBCYXNlIDExEjAQBgNVBAoTCU1hdmVyaWNrczEjMCEGA1UECxMaVW5pdCBUZXN0
aW5nIChzZWxmLXNpZ25lZCkxEjAQBgNVBAMTCWxvY2FsaG9zdDAgFw0xOTEwMTQw
MDExMDdaGA8yMDY5MTAwMTAwMTEwN1owgYsxCzAJBgNVBAYTAkNZMRMwEQYDVQQI
EwpDeWJlcnNwYWNlMRowGAYDVQQHExFTU0wgQ29uZmlnIEJhc2UgMTESMBAGA1UE
ChMJTWF2ZXJpY2tzMSMwIQYDVQQLExpVbml0IFRlc3RpbmcgKHNlbGYtc2lnbmVk
KTESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA10hr9AV6T5gQPmRkCJR/JNnBYSDZGcvhWxvaT+ca6BKEp2W+Oli9EynQ
IJkVb3NbsJmQC3j7khhf7Z+7olof8zCddfSmukuewCqdqc+EAdEPkI09g8W2r4G1
OhEcfYcVAVT2PeeQjJcDCXMMrsGJeSPPikLTxmk1FfPFIWqoa9L3GucvM9tKTey/
cRCJovzQxnqowJR5To41uefQmHpsCQRzyyEfUoUUG8MSiPe9dt2W4sV2z3bAs1ml
7+ieYdSfpgcJdLI8rHi2LklDp4QgId5TpG/FW6Kq8hd0mxdi7q9qK9qiuQSj4nTt
fIENRBKO+Uxav5ZRUPmZw1G2Ro74iwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBv
Tf1OXfxAW+uYO/Re/9RSwf7PwhSAwoF1usD1KZ/Uw5pAAG9sV5jVQOTUxJ9Aa5/W
bT6vDXs26UbuFJ/oBQn3U6ZXSR8TR3dra2gBtcbHmDS8wZEPu4/HO7AWjCnSz83f
EReCTF7ohYNPvI6HI+mbuXgqZhZmpKcObv3oaAn7QTM1bUYExpzlu2duAdsm02v/
rPEGFGoGTmQjJ+FPMkwcsjLQTg+KO6Z/Ny1iAX3lxOQc/r2KD0wk0Yjvl/gGimAP
gkgMDnfx4fTG7xsg/oUL6wDluwqCRur73bIilVM+t/EnoiyEL2X3SGIf6T12FuEv
DdCaJ2jpK8YAMi6RUfMx
-----END CERTIFICATE-----

[ignasi35]

Hi @arambau, can you share the steps to reproduce the issue?

[arambau]

This was observed with the Play Framework. The simplest way to reproduce the issue is:

1. Run: sbt new playframework/play-scala-seed.g8
2. Accept all of the defaults
3. Change directory, cd play-scala-seed
4. Run: sbt run -Dhttp.port=disabled -Dhttps.port=9443
5. Browse to https://127.0.0.1:9443
6. In Chrome on MacOS Catalina (10.15), observe "NET::ERR_CERT_REVOKED"

I should mention, the Chrome version:
77.0.3865.120 (Official Build) (64-bit)

[ignasi35]

Hi @arambau, the certificates ssl-config produces on-the-fly are self-signed and issued to localhost (not 127.0.0.1). Other than that, they already use 2048bit keys and SHA-2 family signatures.

On top of that, the issue you report is ERR_CERT_REVOKED instead of an error indicating it is self-signed (NET::ERR_CERT_AUTHORITY_INVALID) or for an invalid host (127.0.0.1 instead of localhost) so it looks like it was already blacklisted on your machine.

Can you clean your local target/ folder (where the temporal, on-the-fly certificates are stored) and try again?

Also, any extra information you can provide to help reproduce will be helpful.

PS: I'm also using Chrome 77.0.3865.120 (but not Catalina OSX)

[arambau]

That didn't seem to have any effect, however, setting the flag chrome://flags/#allow-insecure-localhost, did. Whatever the cause is with the self-signed certificate, it's Chrome that has the problem. Safari doesn't present the same problem. What's interesting is, if I present a self-signed certificate as localhost with the new Catalina restrictions <= 825 days of validity, Chrome has no problem with it. It throws the usual invalid warning, but allows me to proceed.

Just to give some history. All of these Play Framework sites worked fine last week before the Catalina and Chrome updates. Unfortunately, I don't know which broke it... or both.

[arambau]

For those looking for a workaround inside of Chrome without using Safari, after being presented the NET::ERR_CERT_REVOKED, type "thisisunsafe" on top of the page (your typed text will not show, but the page should refresh and bypass the error). (https://podtech.io/os/mac-osx/chrome-catalina-certificate-issue/).