SFTP Gateway Support

1.0.0

SFTP Gateway 2.0 Bypass SSL Error in Chrome (MacOS Catalina)

Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.

Overview

By default, SFTP Gateway is configured with a self-signed SSL certificate, which is used to encrypt HTTPS traffic to the user management website. This produces an error in Google Chrome: NET::ERR_CERT_AUTHORITY_INVALID.

Previously, you could bypass this error by clicking on Advanced and then Proceed (unsafe).

But with the latest MacOS Catalina update, you now encounter a different error: NET::ERR_CERT_INVALID. This error does not give you the option to proceed to the website.

Here are a few workarounds. (Scroll to the end to skip to our recommended approach.)

Launch Google Chrome with a special Flag (Not Recommended)

According to this article, you should be able to launch Google Chrome with a special flag:

--ignore-certificate-errors

From Terminal on your Mac, run the following command:

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ignore-certificate-errors &> /dev/null &

This launches a new window of Chrome. However, this does not appear to be working in our testing.

Use Safari Instead

One approach is to use Safari. You can still get past the SSL warnings. However, you will be required to enter your Mac password when visiting the site.

The drawback of using Safari is that there is a bug where private keys are formatted improperly when downloaded. See this article.

Obtain a valid SSL certificate using LetsEncrypt

You can obtain a valid SSL certificate by installing LetsEncrypt. See this article.

The drawback is that you now have to maintain this SSL certificate, and renew it once every few months.

Fix the Self-Signed SSL Certificate (Recommended)

To give some background, MacOS Catalina has some new requirements. This includes adding the extendedKeyUsage flag to your self-signed SSL cert.

To do this, SSH into your EC2 instance and run the following commands:

sudo su
cd /etc/nginx/ssl/

This is where your existing self-signed SSL certificate is stored.

Now, create a file named myconfig.cnf with the following contents:

[req]
prompt = no
distinguished_name = req_distinguished_name

[req_distinguished_name]
commonName = localhost
C = NA
ST = NA
L = NA
O = NA
OU = NA
CN = NA

[server_extension]
extendedKeyUsage = serverAuth

A few things to point out:

  • There's a setting that accepts the defaults without prompting you.
  • The necessary extendedKeyUsage property is set.

Next, run the following command:

openssl req -x509                        \
            -nodes                       \
            -days 365                    \
            -newkey rsa:4096             \
            -keyout website.key          \
            -out website.bundle.crt      \
            -extensions server_extension \
            -config myconfig.cnf

This creates a new self-signed SSL certificate. Here are a few things to point out:

  • The key and cert names are identical to your existing self-signed SSL cert, and will overwrite them.
  • You are referencing the server_extension section of the myconfig.cnf file you created earlier.
  • Some settings like extendedKeyUsage are not supported at the openssl command line, which is why we need to go to the trouble of creating a config file. See this article.

Finally, restart Nginx.

nginx -t && service nginx restart

You should now be able to bypass the SSL warning as before.

Install SSL Certificate (GoDaddy)SFTP Gateway 2.0 CloudFormation Timeout