SFTP Gateway 2.0 Bypass SSL Error in Chrome (MacOS Catalina)
Overview
By default, SFTP Gateway is configured with a self-signed SSL certificate, which is used to encrypt HTTPS traffic to the user management website. This produces an error in Google Chrome: NET::ERR_CERT_AUTHORITY_INVALID.
Previously, you could bypass this error by clicking on Advanced and then Proceed (unsafe).
But with the latest MacOS Catalina update, you now encounter a different error: NET::ERR_CERT_INVALID. This error does not give you the option to proceed to the website.
Here are a few workarounds. (Scroll to the end to skip to our recommended approach.)
Launch Google Chrome with a special Flag (Not Recommended)
According to this article, you should be able to launch Google Chrome with a special flag:
--ignore-certificate-errors
From Terminal on your Mac, run the following command:
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ignore-certificate-errors &> /dev/null &
This launches a new window of Chrome. However, this does not appear to be working in our testing.
Use Safari Instead
One approach is to use Safari. You can still get past the SSL warnings. However, you will be required to enter your Mac password when visiting the site.
The drawback of using Safari is that there is a bug where private keys are formatted improperly when downloaded. See this article.
Obtain a valid SSL certificate using LetsEncrypt
You can obtain a valid SSL certificate by installing LetsEncrypt. See this article.
The drawback is that you now have to maintain this SSL certificate, and renew it once every few months.
Fix the Self-Signed SSL Certificate (Recommended)
To give some background, MacOS Catalina introduced new certificate requirements. One of them is that your self-signed SSL cert must carry the extendedKeyUsage extension.
To do this, SSH into your EC2 instance and run the following commands:
sudo su
cd /etc/nginx/ssl/
This is where your existing self-signed SSL certificate is stored.
Now, create a file named myconfig.cnf with the following contents:
[req]
# Use the values below as-is instead of prompting for each field.
prompt = no
distinguished_name = req_distinguished_name

[req_distinguished_name]
# Subject of the certificate. commonName appears once here; a second
# CN = ... line would add a duplicate CN to the subject.
commonName = localhost
C = NA
ST = NA
L = NA
O = NA
OU = NA

[server_extension]
# The extension Catalina requires; selected with -extensions server_extension.
extendedKeyUsage = serverAuth
A few things to point out:
- The prompt = no setting makes openssl use the values in the file without prompting you for each field.
- The necessary extendedKeyUsage property is set.
Next, run the following command:
openssl req -x509 \
-nodes \
-days 365 \
-newkey rsa:4096 \
-keyout website.key \
-out website.bundle.crt \
-extensions server_extension \
-config myconfig.cnf
This creates a new self-signed SSL certificate. Here are a few things to point out:
- The key and cert names are identical to your existing self-signed SSL cert, and will overwrite them.
- You are referencing the server_extension section of the myconfig.cnf file you created earlier.
- Some settings like extendedKeyUsage are not supported at the openssl command line, which is why we need to go to the trouble of creating a config file. See this article.
Finally, restart Nginx.
nginx -t && service nginx restart
You should now be able to bypass the SSL warning as before.
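As an added example that is not part of the article, the following POSIX shell script generates the certificate from the same myconfig.cnf into a scratch directory and confirms the serverAuth extendedKeyUsage is actually present before anything under /etc/nginx/ssl is overwritten. It assumes openssl is on the PATH; the file name check_eku.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the SFTP Gateway article): build the certificate
# in a scratch directory and confirm it carries extendedKeyUsage=serverAuth
# before anything under /etc/nginx/ssl is overwritten.
set -eu

# Write the article's myconfig.cnf to the given path.
write_config() {
  cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = localhost
C = NA
ST = NA
L = NA
O = NA
OU = NA
[server_extension]
extendedKeyUsage = serverAuth
EOF
}

# gen_cert DIR [SECTION]: the article's openssl invocation, writing
# website.key and website.bundle.crt into DIR. Without SECTION the
# -extensions flag is omitted, reproducing the old cert Catalina rejects.
gen_cert() {
  dir="$1"; ext="${2:-}"
  write_config "$dir/myconfig.cnf"
  set -- -config "$dir/myconfig.cnf"
  if [ -n "$ext" ]; then set -- "$@" -extensions "$ext"; fi
  # stderr only carries key-generation progress; the exit status still propagates
  openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
    -keyout "$dir/website.key" -out "$dir/website.bundle.crt" "$@" 2>/dev/null
}

# has_server_auth_eku CERT: succeed only if the Extended Key Usage extension
# lists TLS Web Server Authentication (the -text label for serverAuth).
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Stand-alone use: sh check_eku.sh run  (assumed file name)
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  gen_cert "$work" server_extension
  has_server_auth_eku "$work/website.bundle.crt" && echo "serverAuth EKU present in $work"
fi
```

Copy website.key and website.bundle.crt from the scratch directory into /etc/nginx/ssl/ only once the check passes, then restart Nginx as above.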