# Self-Signed certificate not valid on MacOS Catalina **URL:** https://discourse.roots.io/t/self-signed-certificate-not-valid-on-macos-catalina/16836 **Category:** trellis **Created:** 2019-10-15T13:44:26Z **Posts:** 13 ## Post 1 by @robrecord — 2019-10-15T13:44:26Z Hi there, Since Catalina the self-signed certificates in my local trellis environments aren’t being trusted. I believe this is to do with the following issue: [https://support.apple.com/en-us/HT210176](https://support.apple.com/en-us/HT210176) On Chromium (Opera) I saw the following error: NET::ERR\_CERT\_REVOKED. I manually modified the expiry time down from 3650 days to 825, but this didn’t help (although I could see the expiry date change reflected in the certificate after destroying and reprovisioning the vm). After doing this the error changed to NET::ERR\_CERT\_INVALID. I have tried saving the certificate and importing to the keychain, marking it as always trusted… but no cigar. I don’t really know what I’m doing with the internals of Trellis. Is this something somebody else can reproduce? I don’t know what to do. Can’t load my local sites, can’t do any development. Any workarounds would be much appreciated. Other people having this issue: > > Somebody has tried to work around it here: [https://support.google.com/chrome/thread/14551925?hl=en](https://support.google.com/chrome/thread/14551925?hl=en) I tried to follow the advice, creating my own CA and wildcard certificate, but it doesn’t seem to ever get used. --- ## Post 2 by @13milliseconds — 2019-10-15T17:02:12Z I’m running into the same issue. It took a while to solve the Catalina/Vagrant path problem and now that Vagrant can mount and provision correctly I am hit with this new NET::ERR\_CERT\_REVOKED error. I hope someone managed to resolve this. --- ## Post 3 by @13milliseconds — 2019-10-17T22:54:15Z I actually used [this method](https://css-tricks.com/getting-around-revoked-certificate-osx/) to trust the certificate it is now working for me. --- ## Post 4 by @robrecord — 2019-10-18T09:55:01Z Glad to know it works for you! I just realised that after reprovisioning, my certificate was somehow configured for [example.com](http://example.com) and that’s why I was seeing NET::ERR\_CERT\_INVALID - I think this occurred because I tried turning off self-signed certificates in trellis and hadn’t refreshed. So I reprovisioned vagrant again, removed the certificates I added from the keychain, and [example.com](http://example.com) is gone but I am getting a different error now. This one does allow me to bypass it and get to the site (phew), but still I’d like to solve it. The error is NET::ERR\_CERT\_COMMON\_NAME\_INVALID and it’s because the DNS name is “mydomain.testDNS:” instead of “mydomain.test” - somehow “DNS:” has been added to the end of it. Have I accidentally messed up Trellis somehow to cause this? EDIT: I’ve updated the file trellis/roles/wordpress-setup/tasks/self-signed-certificate.yml to the latest version from the repo and re-provisioned but the error is the same as the original: NET::ERR\_CERT\_REVOKED --- ## Post 5 by @robrecord — 2019-10-22T11:19:25Z Using keychain to trust the certificate doesn’t seem to work for me on Chromium-based browsers. The only way I can view the site is on Safari, where I have to click through the error messages to let it show me the site. Chromium doesn’t allow this. Has anyone also got this issue on a fresh install? --- ## Post 6 by @kellymears — 2019-10-22T17:11:39Z @robrecord You are not alone! I am getting this issue with a fresh site install (not OS install). For now I’ve just been running `wp search-replace` to revert existing sites back to `http` as I need to work on them. Obviously not really an ideal solution! --- ## Post 7 by @robrecord — 2019-10-23T12:26:12Z Just to clarify the situation: - Under MAcOS Catalina, self-signed certificates from Trellis are causing **NET::ERR\_CERT\_REVOKED** [no screenshot available] - Changing expiry from 3650 to 825 days, as per new MacOS recommendations, changes error to **NET::ERR\_CERT\_COMMON\_NAME\_INVALID** - Details of NET::ERR\_CERT\_COMMON\_NAME\_INVALID show that Subject Alt Names are malformed, with the string “DNS:” appended to the end of the domains: ![42](https://discourse.roots.io/uploads/default/original/2X/2/260c7842a6bb44a43d5c15ae626b846ebc585a75.png) - I believe that removing the www subdomain changes the error to **NET::ERR\_CERT\_INVALID** - I have not tried to replicate this, but that’s what I did and that’s what I’m currently getting. ![55](https://discourse.roots.io/uploads/default/original/2X/5/5ae557ec4b62ef68e514885647cf82a52d8719ca.png) ![50](https://discourse.roots.io/uploads/default/original/2X/f/f9f075ba7b4da107c81626f1c3b6e106404fd286.jpeg) - If I trust the certificate in Keychain, I still get an error but with more information: ![34](https://discourse.roots.io/uploads/default/original/2X/7/788c5c4f677556f9b0109a9125f3b1670062bc32.png) ![05](https://discourse.roots.io/uploads/default/original/2X/0/08b27176635e7001a28de63b73f7a5a8183739e8.jpeg) --- ## Post 8 by @owi — 2019-10-23T12:53:27Z I had the same issue when updating to Catalina 2 weeks ago. As you mentioned playing with the expiry time etc. did not help either. Cert was still refused by chromium based browsers (it worked in Safari, Firefox etc.) What I did to quasi-solve the problem was to go to keychain and find that certificate and set to “always” trust for all kinds of communication. I know that this is not a proper solution but for me was more than enough for local environment. That is obviously unacceptable for anything going beyond local. --- ## Post 9 by @robrecord — 2019-10-23T14:00:35Z Thanks owi, I tried exactly that and it didn’t work for me so something in my project, or that I’m doing, must be different. I wish I knew what. I’ve opened a bug report on github: [https://github.com/roots/trellis/issues/1117](https://github.com/roots/trellis/issues/1117) --- ## Post 10 by @owi — 2019-10-23T16:34:06Z Are you sure you are having it like that? ![09](https://discourse.roots.io/uploads/default/original/2X/f/f01638023ea1994d399d019131353ab022c83d82.png) Also please make sure that you restart the browser afterwards and clear the cache for that site --- ## Post 11 by @robrecord — 2019-10-24T10:52:51Z I did mark it as always for all items, yes - but I did not restart the browser. Now I’ve done that and I am able to bypass the warning with a few clicks. Thank you! --- ## Post 12 by @owi — 2019-10-24T12:08:53Z I am glad that it worked for you - though at the same time I am sad that we do not know what is the root cause of that :wink: --- ## Post 13 by @system — 2019-11-26T13:44:30Z This topic was automatically closed after 42 days. New replies are no longer allowed.