gatsby: SSL errors when using `gatsby develop --https`

Description

When running gatsby develop --https both with without --cert-file/--key-file SSL does not work in Firefox, Chrome or Safari (screenshots below).

Steps to reproduce

  1. I’ve created a minimal reproduction in https://github.com/patrickarlt/gatsby-ssl-issue-reproduction. This is based off the default starter with the latest version of Gatsby.
  2. npm install
  3. npm run start:devcert this starts the local dev server and automatically creates SSL certs.
  4. Observe failures.
  5. Install mkcert, for Mac this means:
    • brew install mkcert
    • brew install nss
    • mkcert install
    • mkcert localhost
  6. npm run start:local-certs this starts the dev server with the local certs from mkcert
  7. Observe failures.

In order to check that the certs are valid you can use http-server:

  • npm i -g http-server
  • http-server . -C localhost.pem -K localhost-key.pem -S -a localhost

This displays the directory structure of our project tin the browser over https://... note the lock icon in Chrome:

2020-05-20_12-26-26 (1)

Expected result

The server should successfully serve pages over https://....

Actual result

Browsers produce SSL errors.

2020-05-20_12-18-35 2020-05-20_12-19-02 2020-05-20_12-19-20

Environment

Gatsby

  System:
    OS: macOS Mojave 10.14.6
    CPU: (8) x64 Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
    Shell: 5.3 - /bin/zsh
  Binaries:
    Node: 14.3.0 - ~/.nvm/versions/node/v14.3.0/bin/node
    npm: 6.14.5 - ~/.nvm/versions/node/v14.3.0/bin/npm
  Languages:
    Python: 2.7.10 - /usr/bin/python
  Browsers:
    Chrome: 81.0.4044.138
    Firefox: 77.0
    Safari: 13.1
  npmPackages:
    gatsby: ^2.22.3 => 2.22.3

OpenSSL

$ openssl version
LibreSSL 2.6.5

mkcert

$ brew info mkcert 
mkcert: stable 1.4.1 (bottled)
Simple tool to make locally trusted development certificates
https://github.com/FiloSottile/mkcert
/usr/local/Cellar/mkcert/1.4.1 (6 files, 5.3MB) *
  Poured from bottle on 2020-04-08 at 18:45:14
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/mkcert.rb
==> Dependencies
Build: go ✘
==> Analytics
install: 3,827 (30 days), 11,641 (90 days), 47,679 (365 days)
install-on-request: 3,351 (30 days), 10,186 (90 days), 40,390 (365 days)
build-error: 0 (30 days)

nss

$ brew info nss
nss: stable 3.52 (bottled)
Libraries for security-enabled client and server applications
https://developer.mozilla.org/docs/NSS
/usr/local/Cellar/nss/3.52 (225 files, 34.1MB) *
  Poured from bottle on 2020-05-19 at 16:52:58
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/nss.rb
==> Dependencies
Required: nspr ✔
==> Analytics
install: 38,963 (30 days), 105,774 (90 days), 394,028 (365 days)
install-on-request: 8,110 (30 days), 19,022 (90 days), 62,334 (365 days)
build-error: 0 (30 days)

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 8
  • Comments: 35 (10 by maintainers)

Most upvoted comments

Still facing the same problem in 2022 with gatsby 4.13.0

Was trying to access my app in dev mode via HTTPS on my real domain, but receive SSL errors no matter what certs I use.

I need real domain for cookie authorization on back-end (Laravel Sanctum).

+7
mSnus on Jun 6, 2022

@pieh thank you, issue is solved for us, both dev and prod and test working great, although there is one new issue #24758

+2
JustFly1984 on Jun 3, 2020

2.22.12 still failing

I understand your frustration, but please be patience. @mxstbr already created a PR #24335, just wait until gatsby core team review and merge the changes.

+2
hendra-go on May 29, 2020

Yes this is related to #22759, which introduced a proxy server to the develop process. I’m planning to take a look at this tomorrow (OoO today), however if anybody needs this urgently the fix might be to pass the SSL options to http-proxy OR using the https module to create the server (or both?) in gatsby/utils/develop-proxy.ts.

+2
mxstbr on May 21, 2020

Has this issue been resolved in Gatsby 2.29.x ? I am getting This site can’t provide a secure connection localhost sent an invalid response. ERR_SSL_PROTOCOL_ERROR Still when trying to use --https. I have a docker container running nginx for the front end as a reverse proxy to a node js server. I have nginx setup to listen to port 443 and am telling nginx and gatsby to use the ssl certificates. This issue is killing me. Anyone have any ideas?

+1
MitchMigala on Dec 18, 2020

@pieh @wardpeet still hangs in 2.23.10, reverted back to 2.23.4

+1
JustFly1984 on Jun 23, 2020

@muuvmuuv for me it works in combination for 2.23.4 and pinning devcert: “1.1.0” in package.json on mac:

"resolutions": {
    "devcert": "1.1.0"
  },

with 2.23.7 it doesn’t work anymore @pieh please reopen

+1
JustFly1984 on Jun 20, 2020

can somebody please explain the use cases for --host and --host=0.0.0.0 specifically?

If you don’t use --host we will “bind” web server to localhost hostname, using 0.0.0.0 allows us to “bind” to every possible ip:

In the context of servers, 0.0.0.0 can mean “all IPv4 addresses on the local machine”. If a host has two IP addresses, 192.168.1.1 and 10.1.2.1, and a server running on the host is configured to listen on 0.0.0.0, it will be reachable at both of those IP addresses.

In practice - this is a way to test sites on other devices in your network and not just and computer you develop on. I think most common case is to check your site on actual mobile device that is connecting to same network as your computer.

Other cases include running gatsby develop inside docker containers or vms in general where you want to make site available for preview on host machine etc.

+1
pieh on Jun 3, 2020

@rodrigo-arias Just published gatsby@2.22.20 with the --host fix - if you could try upgrade again and let us know I would really appreciate it

+1
pieh on Jun 3, 2020
Read more comments on GitHub
← gatsby: [source-contentful] handling undefined values
gatsby: StaticQuery fails if not inlined in built websites →