4

I'm running create-react-app with a self-signed HTTPS certificate locally. The certificate is installed in the User's Trusted Root CA.

Despite that, Chrome still marks the website as Not Secure, which for example disallows hot reloads.


And without the #allow-insecure-localhost flag enabled I can't even open it. The same website is marked as Secure in Edge. Any ideas what else I can do?

5
  • 1
    Try to click anywhere on the denial page and type thisisunsafe. (link)
    – harrymc
    Commented Nov 8, 2022 at 10:28
  • It just allows me to open the website without the #allow-insecure-localhost flag enabled, but what I need is to have this website marked as Secure, as if it had a valid certificate signed by a trusted CA.
    – micnyk
    Commented Nov 8, 2022 at 11:52
  • 1
    It seems like Chrome starting from version 99 (or 88?) doesn't accept such certificates. You may continue to use Edge or other clones. Or get a Let's Encrypt certificate.
    – harrymc
    Commented Nov 8, 2022 at 12:22
  • 2
    I have exactly the same problem the last couple of days. Very annoying! Accepting the insecurity doesn't work, indeed, since all XHR calls are still not loaded (error Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID). And @harrymc: if only that were possible, but this is a certificate for localhost for web development and even Let's Encrypt points out that you need a self-signed certificate for that!
    Commented Nov 8, 2022 at 14:34
  • @PascalLindelauf: Your link also suggests that 127.0.0.1 gets a better treatment than localhost (if the latest Chrome still supports that).
    – harrymc
    Commented Nov 8, 2022 at 15:52

2 Answers

4

Use Chrome policy: ChromeRootStoreEnabled false

10
  • 1
    Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Nov 9, 2022 at 7:40
  • 1
    I've added ChromeRootStoreEnabled with value 0 in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome and it worked. Unfortunately this policy is planned to be removed (chromeenterprise.google/policies/?policy=ChromeRootStoreEnabled), and I wonder why a self-signed certificate for IIS works as Trusted without this policy change.
    – micnyk
    Commented Nov 9, 2022 at 9:03
  • 1
    Of course they will delete it. Because chrome will stop using the built-in certificate store!
    – Fafofu
    Commented Nov 9, 2022 at 10:03
  • 1
    Although this is not a final solution (and I can't seem to use it on macOS), it does point to the culprit, and that is the introduction of Chrome's own Certificate Root Store. Unfortunately I haven't been able to find how to best deal with (self-signed) SSL certificates for my development machine. For now I reverted to using Chromium v106.
    Commented Nov 10, 2022 at 8:50
  • I'm in the same boat as @PascalLindelauf. Chrome's FAQs suggest to "Add a CA certificate to the platform root store", which I've done (I'm on a Mac also). The problem still persists.
    – blomster
    Commented Nov 24, 2022 at 15:12
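
The policy change described in this answer and its comments, as an added example that is not part of the original thread: a PowerShell sketch that reports, sets and later removes the `ChromeRootStoreEnabled` value so the workaround stays temporary on a development machine. The key path and the value 0 are the ones reported in the comment above; the function names and the `-Action` values are hypothetical.

```powershell
# Added example (not from the thread). Key path and DWORD 0 are as reported above;
# function names and -Action values are hypothetical.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$PolicyName = 'ChromeRootStoreEnabled'

function Test-IsAdmin {
    # True when the current session is elevated (needed to write under HKLM)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ChromeRootStorePolicy {
    # Returns 'NotConfigured', 'Enabled' or 'Disabled'
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PolicyName -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Set-ChromeRootStorePolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disable', 'Restore')]
        [string]$Action
    )
    if (-not (Test-IsAdmin)) {
        throw 'Writing under HKLM requires an elevated PowerShell session.'
    }
    if ($Action -eq 'Disable') {
        # Create the policy key if no Chrome policy has been set on this machine yet
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        # DWORD 0 = policy set to false, the value reported to work in the thread
        New-ItemProperty -Path $PolicyKey -Name $PolicyName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    } else {
        # Remove only this value; other Chrome policies in the key stay untouched
        Remove-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    }
    Get-ChromeRootStorePolicy   # report the resulting state
}

"Current state: $(Get-ChromeRootStorePolicy)"
# Set-ChromeRootStorePolicy -Action Disable   # apply the workaround from this answer
# Set-ChromeRootStorePolicy -Action Restore   # undo it once it is no longer needed
```

After restarting Chrome, the value it actually applied is listed on chrome://policy.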
2

If your SSL connection is to localhost, you can use the "Allow insecure localhost" workaround by going to chrome://flags/#allow-insecure-localhost

1
  • Confirming that this works for a quick and dirty solution for local development (Chrome Version 122.0.6261.57 (Official Build) (64-bit))
    Commented Feb 29 at 8:30