Environment
mkcert -version: v1.4.4
mkcert -CAROOT: /home/maxim/.local/share/mkcert
Server (where the certificate is loaded): localhost
Client (e.g. browser, CLI tool, or script): all
What you did
mkcert -install
The local CA is already installed in the system trust store! 👍
The local CA is already installed in the Firefox and/or Chrome/Chromium trust store!
I installed it and it seems to be fine, it put the certificate in dirs:
/home/maxim/.local/share/mkcert
The check to see if the certificate is added to the root passed successfully:
openssl verify -verbose -CAfile /etc/ssl/certs/ca-certificates.crt /home/maxim/.local/share/mkcert/rootCA.pem
/home/maxim/.local/share/mkcert/rootCA.pem: OK
It also appeared in the root certificates of Firefox.
I generated certs for my local sites, assigned them to the www-data user, and added links to the nginx config.
What went wrong
Firefox sees the certificate, but there is an error: SEC_ERROR_UNKNOWN_ISSUER
In curl too: SSL certificate problem: unable to get local issuer certificate
curl log
✦6 ➜ curl -v https://example.local/
* Trying 127.0.1.1:443...
* Connected to example.local (127.0.1.1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
testssl output:
(NOT ok chain incomplete error)
Start 2023-04-11 21:45:19 -->> 127.0.1.1:443 (example.local) <<--
rDNS (127.0.1.1): huawei
Service detected: HTTP
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 http/1.1 (offered)
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK)
Triple DES Ciphers / IDEA not offered
Obsolete CBC ciphers (AES, ARIA etc.) offered
Strong encryption (AEAD ciphers) offered (OK)
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
PFS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-CAMELLIA256-SHA384 ECDHE-ARIA256-GCM-SHA384
TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
ECDHE-RSA-CAMELLIA128-SHA256 ECDHE-ARIA128-GCM-SHA256
Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448
Finite field group: ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192
Testing server preferences
Has server cipher order? yes (OK) -- TLS 1.3 and below
Negotiated protocol TLSv1.3
Negotiated cipher TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
Cipher order
TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ARIA256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ARIA128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-CAMELLIA256-SHA384 ECDHE-RSA-AES128-SHA256
ECDHE-RSA-CAMELLIA128-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES256-CCM8 AES256-CCM
ARIA256-GCM-SHA384 AES128-GCM-SHA256 AES128-CCM8 AES128-CCM ARIA128-GCM-SHA256 AES256-SHA256 CAMELLIA256-SHA256
AES128-SHA256 CAMELLIA128-SHA256 AES256-SHA CAMELLIA256-SHA AES128-SHA CAMELLIA128-SHA
TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
Testing server defaults (Server Hello)
TLS extensions (standard) "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35"
"supported versions/#43" "key share/#51" "supported_groups/#10" "max fragment length/#1"
"application layer protocol negotiation/#16" "encrypt-then-mac/#22" "extended master secret/#23"
Session Ticket RFC 5077 hint 300 seconds, session tickets keys seems to be rotated < daily
SSL Session ID support yes
Session Resumption Tickets: yes, ID: yes
TLS clock skew Random values, no fingerprinting possible
Signature Algorithm SHA256 with RSA
Server key size RSA 2048 bits
Server key usage Digital Signature, Key Encipherment
Server extended key usage TLS Web Server Authentication
Serial / Fingerprints 3421D029AB3D13B67C4357E53F46B9F2 / SHA1 D6624629BA5BCD1E9BD241EFE6B0B068BC25071E
SHA256 CD2EB0818C841E27BDD91B4C4CAEA6754321F82A50E8F06B2ABCF60B90B588A4
Common Name (CN) (no CN field in subject)
subjectAltName (SAN) example.local *.example.local localhost 127.0.0.1 0:0:0:0:0:0:0:1
Issuer mkcert root@huawei (mkcert development CA)
Trust (hostname) Ok via SAN (same w/o SNI)
Chain of trust NOT ok (chain incomplete)
EV cert (experimental) no
ETS/"eTLS", visibility info not present
Certificate Validity (UTC) 821 >= 60 days (2023-04-11 09:50 --> 2025-07-11 09:50)
# of certificates provided 1
Certificate Revocation List --
OCSP URI --
NOT ok -- neither CRL nor OCSP URI provided
OCSP stapling not offered
OCSP must staple extension --
DNS CAA RR (experimental) not offered
Certificate Transparency --
Testing HTTP header response @ "/"
HTTP Status Code 200 OK
HTTP clock skew 0 sec from localtime
Strict Transport Security not offered
Public Key Pinning --
Server banner nginx/1.22.0 (Ubuntu)
Application banner --
Cookie(s) (none issued at "/")
Security headers --
Reverse Proxy banner --
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK)
ROBOT not vulnerable (OK)
Secure Renegotiation (RFC 5746) supported (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) potentially NOT ok, "gzip" HTTP compression detected. - only supplied "/" tested
Can be ignored for static pages or if no secrets in the page
POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=CD2EB0818C841E27BDD91B4C4CAEA6754321F82A50E8F06B2ABCF60B90B588A4 could help you to find out
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
...
...
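The failure above (curl's "unable to get local issuer certificate", Firefox's SEC_ERROR_UNKNOWN_ISSUER, testssl's "chain incomplete" with one certificate served) is what a verifier reports when the served leaf is not signed by the root it trusts. The Go code below is an added example, not mkcert's own code: it builds constructed self-signed roots and leaves in memory and runs the same chain check a client performs, so a leaf signed by a root other than the installed one is classified as "unknown issuer" while the same leaf verifies against its own root. Names (newCert, Diagnose) and the certificate contents are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Constructed fixture (not mkcert's code): parent == nil gives a self-signed root like rootCA.pem, else a leaf signed by parent.
func newCert(cn, host string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"constructed example"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // CN stays empty for the leaf, as in the testssl output above
		tmpl.DNSNames = []string{host}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Diagnose does what curl with -CAfile or Firefox does: build a chain from the served
// leaf to the root you believe is installed, for the requested hostname.
func Diagnose(leaf, root *x509.Certificate, host string) string {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	var unknown x509.UnknownAuthorityError
	if err == nil {
		return "ok"
	} else if errors.As(err, &unknown) {
		return "unknown issuer" // curl: unable to get local issuer certificate
	}
	return "other: " + err.Error()
}
```

To run Diagnose against a real local site, the leaf would come from the TLS handshake (for example tls.Dial with InsecureSkipVerify set, reading PeerCertificates) and the root from rootCA.pem in the directory printed by mkcert -CAROOT; an "unknown issuer" result there means the served leaf was not issued by that root, regardless of whether the root is installed.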
After several re-installations, I finally succeeded, although I'm not sure of the reason for this error. Although I did the installation without sudo, when I was generating the website certificate I didn't have permission to create a file in the current directory, so I elevated permissions with sudo. After issuing the certificates in the /tmp folder, everything worked. But I'm not sure if this was the actual reason, although no other conditions were changed.
I had a similar issue, SEC_ERROR_UNKNOWN_ISSUER from the following (non-sudo) commands:
mkcert -install
mkcert localhost
I was using mkcert v1.4.3, but upgrading to the latest v1.4.4-1-g1c1dc4e (I built from source) fixed the issue. Probably because I am using the Firefox snap, for which support was added in v1.4.4.