Catalina Beta 4 Certificate Issues

Upgraded to Beta 4 today. I can no longer access some sites in my lab. I am getting an SSL revocation error:


You cannot visit my.site.com right now because its certificate has been revoked. Network errors and attacks are usually temporary, so this page will probably work later.


This is in Chrome or Safari. The certificates are self-signed; they are not expired or revoked. It's all ESX infrastructure I am trying to access. The date/time on my machine is correct, and if I try to access these sites from other machines on my network with various OSes, they work and load fine, just not from my MacBook Pro running Catalina Beta 4. I realize it just came out today, but I'm curious if anyone has seen this or knows a workaround.

Replies

I just tried to access one of my self signed sites and not having any issues. Chrome or Firefox.


Safari prompts me to enter in Password to trust certificate but just keeps looping.

Yeah, let me correct that: Safari lets me trust it with a password, then loops. Chrome doesn't work; I have not tried Firefox. I upgraded from the latest Mojave beta, which also came out today, to Catalina B4. Going to try a clean install on a new volume just to see if it follows.

I submitted feedback for the Safari loop. Not sure why Chrome wouldn't work. Is it up to date?

Chrome is up to date. I tried a fresh clean install of 10.15 Beta 4 on a new volume and still have the same issues. On the new install I created a new account, not using my Apple ID, as I was thinking it may be some cert or something with Keychain, but on a fresh install, with either no Apple ID or my existing Apple ID, Chrome sees the self-signed certs as expired when they are not. What is weird is that on the clean install, Chrome showed as from an unknown developer, so I had to disable Gatekeeper from Terminal to even install it.


Safari still loops on clean install.


I don't ever use it, but just to see what would happen I installed Firefox on the clean install, and it works fine.

I am still having the same issue; the only browser that seems to work for self-signed certs for me is Firefox. I tried Chrome stable, Chrome Beta, and Brave; they all say the self-signed certs are revoked, but only on Catalina B4. I have a friend who is having the same issues, except they work for him in Brave.

I am seeing the same issue with self-signed certs. Curious if you have heard anything.

I have not gotten past this. On Beta 5 today, I still have the same issue, although my self-signed sites do work in Safari. At first I thought it might be related to this:


https://support.apple.com/en-us/HT210176


All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:

  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
  • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

  • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
  • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.


But the fact that they do work in Safari leads me to reason it is something else, possibly the length of the cert validity, but that still makes no sense reading that Apple support doc. My self-signed certs are SHA-256, but they were created after 7/1/2019, and they have a validity of more than 825 days, 10 years actually. For reference, the ones I am having issues with are VMware Virtual Center self-signed certs. If I go to a different Virtual Center with self-signed certs issued before 7/1, it works fine in Chrome on Beta 5, but the validity dates are also longer than 825 days on those as well, so that kind of makes me think it has something to do with the actual issue date, but I don't know.

This post is a bit old now, but since macOS 10.15 is rolling out as GA now, I figured I'd reply here in case anyone else runs into this problem.


In addition to the deprecation of SHA-1, a less obvious requirement in the Apple support doc (https://support.apple.com/en-us/HT210176) is "TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID."


If you are generating self-signed certs which do not include that extension, Chrome will report "NET::ERR_CERT_INVALID" instead of "NET::ERR_CERT_AUTHORITY_INVALID". You can click through to ignore the latter, but not the former.


With a recent openssl (e.g. 1.1.1) you can generate a working self-signed cert with:


openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem \
    -addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:localhost


Of course replace "localhost" with whatever SAN(s) (hostnames) you want in the certificate. As of right now it looks like you can skip the "subjectAltName" extension, but "extendedKeyUsage=serverAuth" is definitely required.


The "-addext" flag is not available on the macOS version of OpenSSL, but you can get a newer version with Homebrew if you want to test locally on your Mac before messing with your ESX infra.
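An added example, not from anyone in this thread: a small POSIX shell function that audits a PEM certificate against the five HT210176 rules quoted above (RSA key size, SHA-2 signature, DNS SAN, and, for certs issued on or after 2019-07-01, the serverAuth EKU and the 825-day validity cap). It assumes only the openssl CLI (1.1.1 or newer) and `date`; the GNU `date -d` form is tried first and the BSD `date -j -f` form used on macOS.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PEM cert against the macOS 10.15 /
# iOS 13 TLS rules quoted above. Needs the openssl CLI; written for 1.1.1 and 3.x.
audit_cert() {
    cert="$1"
    txt=$(openssl x509 -in "$cert" -noout -text) || return 2
    fail=0
    # 1. RSA keys must be at least 2048 bits
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    if printf '%s\n' "$txt" | grep -q rsaEncryption && [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: RSA key is ${bits:-?} bits (< 2048)"; fail=1
    fi
    # 2. signature hash must be from the SHA-2 family
    sig=$(printf '%s\n' "$txt" | sed -n 's/.*Signature Algorithm: //p' | head -n1)
    case "$sig" in
        *sha256*|*sha384*|*sha512*|*SHA256*|*SHA384*|*SHA512*) ;;
        *) echo "FAIL: signature algorithm '$sig' is not SHA-2"; fail=1 ;;
    esac
    # 3. a DNS name in subjectAltName; a CommonName alone is no longer trusted
    if ! printf '%s\n' "$txt" | grep -q 'DNS:'; then
        echo "FAIL: no DNS name in subjectAltName"; fail=1
    fi
    # rules 4 and 5 apply only when NotBefore is on or after 2019-07-01
    nb=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    nb_s=$(date -d "$nb" +%s 2>/dev/null || date -j -f '%b %d %T %Y %Z' "$nb" +%s)
    na_s=$(date -d "$na" +%s 2>/dev/null || date -j -f '%b %d %T %Y %Z' "$na" +%s)
    if [ "$nb_s" -ge 1561939200 ]; then   # epoch of 2019-07-01T00:00:00Z
        # 4. EKU must contain serverAuth (the NET::ERR_CERT_INVALID cause above)
        if ! printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication'; then
            echo "FAIL: no extendedKeyUsage=serverAuth"; fail=1
        fi
        # 5. validity period must be 825 days or fewer
        days=$(( (na_s - nb_s) / 86400 ))
        if [ "$days" -gt 825 ]; then
            echo "FAIL: validity is $days days (> 825)"; fail=1
        fi
    fi
    if [ "$fail" -eq 0 ]; then echo "OK: $cert meets the HT210176 requirements"; fi
    return "$fail"
}
```

Run it as `audit_cert certificate.pem`; a non-zero exit means at least one rule was violated, and a cert created with the `-addext` command above passes while a plain `openssl req -x509 -days 3650` cert fails on rules 3, 4 and 5.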

I had the same issue (Safari keeps asking to allow access), and I found a solution:

There already was a certificate for the problematic host in my keychain; after I deleted that, Safari could open the page.

Calendar and Addressbook can connect as well (I'm running Nextcloud, and Calendar.app refused the connection without telling me anything about the reason).

I'm using the Release Version of Catalina, though... it's a pity how bad some things have become :-(