2
7
Fork
You've already forked auto-encrypt-localhost
3

Local CA cert isn't installed correctly on Ubuntu #24

Open
opened 2025年10月16日 06:52:12 +02:00 by wunter8 · 0 comments

I have been trying to use Kitten. The cert has been showing up as an untrusted self-signed cert. I saw that it was put in the correct directory (/usr/local/share/ca-certificates/) for my OS (Ubuntu), but running sudo update-ca-certificates would just show

Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.

After some research, I found that the CA certificate needs to be in PEM format (which it is), but it also needs to have a .crt file extension (as described here: https://documentation.ubuntu.com/server/how-to/security/install-a-root-ca-certificate-in-the-trust-store/#:~:text=It%20is%20important%20that%20the%20certificate%20file%20has%20the%20.crt%20extension%2C%20otherwise%20it%20will%20not%20be%20processed.)

Once I renamed the auto-encrypt-localhost-CA-[id].pem file to auto-encrypt-localhost-CA-[id].crt, sudo update-ca-certificates grabbed the file and added it to the trust store.

mkcert puts the .crt extension on the file here: github.com/FiloSottile/mkcert@2a46726ceb/truststore_linux.go (L40)

The code will need to be updated somewhere around here:

case fs.existsSync('/usr/local/share/ca-certificates/'):
systemTrustCertificateDirectory = '/usr/local/share/ca-certificates/'
systemTrustStoreUpdateCommand = 'update-ca-certificates'
I have been trying to use Kitten. The cert has been showing up as an untrusted self-signed cert. I saw that it was put in the correct directory (`/usr/local/share/ca-certificates/`) for my OS (Ubuntu), but running `sudo update-ca-certificates` would just show ``` Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done. ``` After some research, I found that the CA certificate needs to be in PEM format (which it is), but it also needs to have a `.crt` file extension (as described here: https://documentation.ubuntu.com/server/how-to/security/install-a-root-ca-certificate-in-the-trust-store/#:~:text=It%20is%20important%20that%20the%20certificate%20file%20has%20the%20.crt%20extension%2C%20otherwise%20it%20will%20not%20be%20processed.) Once I renamed the `auto-encrypt-localhost-CA-[id].pem` file to `auto-encrypt-localhost-CA-[id].crt`, `sudo update-ca-certificates` grabbed the file and added it to the trust store. mkcert puts the `.crt` extension on the file here: https://github.com/FiloSottile/mkcert/blob/2a46726cebac0ff4e1f133d90b4e4c42f1edf44a/truststore_linux.go#L40 The code will need to be updated somewhere around here: https://codeberg.org/small-tech/auto-encrypt-localhost/src/commit/da1c4d5e8c1eae59b738fd4363ab5ec5fc979b2b/lib/CertificateAuthority.js#L89-L91
Sign in to join this conversation.
No Branch/Tag specified
main
events
cli
pure-javascript
certutil-refactor
10.0.0
9.0.0
8.4.1
8.4.0
8.3.2
8.3.1
7.1.0
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.1.0
6.0.0
5.3.0
5.2.2
5.2.1
5.2.0
5.1.2
5.1.1
3.1.4
3.1.1
1.0.3
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
small-tech/auto-encrypt-localhost#24
Reference in a new issue
small-tech/auto-encrypt-localhost
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?