By default, SFTP Gateway is configured with a self-signed SSL certificate, which is used to encrypt HTTPS traffic to
the user management website. This produces an error in Google Chrome:
Previously, you could bypass this error by clicking on Advanced and then
But with the latest macOS Catalina update, you now encounter a different error: NET::ERR_CERT_INVALID. This error does not give you the option to proceed to the website.
Here are a few workarounds. (Scroll to the end to skip to our recommended approach.)
Launch Google Chrome with a special Flag (Not Recommended)
According to this article, you should be able to launch Google Chrome with a special flag:
From Terminal on your Mac, run the following command:
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ignore-certificate-errors &> /dev/null &
This launches a new window of Chrome. However, this does not appear to be working in our testing.
Use Safari Instead
One approach is to use Safari. You can still get past the SSL warnings. However, you will be required to enter your Mac password when visiting the site.
The drawback of using Safari is that there is a bug where private keys are formatted improperly when downloaded. See this article.
Obtain a valid SSL certificate using LetsEncrypt
You can obtain a valid SSL certificate by installing LetsEncrypt. See this article.
The drawback is that you now have to maintain this SSL certificate, and renew it once every few months.
Fix the Self-Signed SSL Certificate (Recommended)
To give some background, macOS Catalina has some new requirements for TLS server certificates. This includes adding the extendedKeyUsage extension to your self-signed SSL cert.
To do this, SSH into your EC2 instance and run the following commands:
sudo su
cd /etc/nginx/ssl/
This is where your existing self-signed SSL certificate is stored.
Now, create a file named myconfig.cnf with the following contents:
[req]
prompt = no
distinguished_name = req_distinguished_name

[req_distinguished_name]
commonName = localhost
C = NA
ST = NA
L = NA
O = NA
OU = NA
CN = NA

[server_extension]
extendedKeyUsage = serverAuth
A few things to point out:
- There's a setting (prompt = no) that accepts the defaults without prompting you.
- The necessary extendedKeyUsage property is set.
Next, run the following command:
openssl req -x509 \
  -nodes \
  -days 365 \
  -newkey rsa:4096 \
  -keyout website.key \
  -out website.bundle.crt \
  -extensions server_extension \
  -config myconfig.cnf
This creates a new self-signed SSL certificate. Here are a few things to point out:
- The key and cert names are identical to your existing self-signed SSL cert, and will overwrite them.
- You are referencing the server_extension section of the myconfig.cnf file you created earlier.
- Some settings like extendedKeyUsage are not supported at the openssl command line, which is why we need to go to the trouble of creating a config file. See this article.
Finally, restart Nginx.
nginx -t && service nginx restart
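The following script, added here as an example and not part of the SFTP Gateway article or product, runs the same generation steps in a scratch directory and then verifies that the resulting certificate actually carries the serverAuth extended key usage before you copy it into /etc/nginx/ssl/. It also generates a certificate without the -extensions flag to show what the check looks like when the extension is missing. It assumes openssl is on PATH, uses a single CN entry in the config (the article's config lists commonName and CN, which are the same field), and uses a 2048-bit key to keep the run short.

```shell
#!/bin/sh
# Added example: create a self-signed cert with extendedKeyUsage = serverAuth
# from an OpenSSL config file, then check the extension is really present.
# WORKDIR is a scratch directory; the real files live in /etc/nginx/ssl/.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write the config. The [server_extension] section is what -extensions names.
write_config() {
  cat > "$WORKDIR/myconfig.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = req_distinguished_name

[req_distinguished_name]
CN = localhost
C = NA
ST = NA
L = NA
O = NA
OU = NA

[server_extension]
extendedKeyUsage = serverAuth
EOF
}

# Generate key + cert with the extension section applied (the article's command).
make_cert() {
  write_config
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$WORKDIR/website.key" \
    -out "$WORKDIR/website.bundle.crt" \
    -extensions server_extension \
    -config "$WORKDIR/myconfig.cnf" >/dev/null 2>&1
}

# Same generation, but without -extensions: this is the failure mode, because
# the [server_extension] section is then simply ignored.
make_cert_without_eku() {
  write_config
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$WORKDIR/plain.key" \
    -out "$WORKDIR/plain.crt" \
    -config "$WORKDIR/myconfig.cnf" >/dev/null 2>&1
}

# Return 0 if the certificate at $1 carries the serverAuth EKU, 1 otherwise.
# openssl prints the OID as "TLS Web Server Authentication" in -text output.
has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

# Stand-alone run: build both certs and report on each.
main() {
  make_cert
  make_cert_without_eku
  for crt in website.bundle.crt plain.crt; do
    if has_server_auth "$WORKDIR/$crt"; then
      echo "$crt: serverAuth EKU present"
    else
      echo "$crt: serverAuth EKU MISSING"
    fi
  done
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh check-eku.sh run`; it reports website.bundle.crt as having the extension and plain.crt as missing it. The same has_server_auth check can be pointed at /etc/nginx/ssl/website.bundle.crt after you run the article's command, which is a quicker way to confirm the fix took than reloading the page in Chrome.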
You should now be able to bypass the SSL warning as before.