Answers to commonly asked questions and known issues

Enable Google Chrome to accept self-signed Verrazzano certificates

There are some installation scenarios where Verrazzano generates SSL certificates that are not trusted by browsers:

  • The development (dev) profile installation, which uses its own self-signed CA to issue certificates.
  • Using the Let’s Encrypt Staging authority, which uses untrusted CAs to sign certificates.

These are typical development or testing scenarios, not recommended for production. When accessing Verrazzano sites using these certificates, some browsers like Firefox let you manually accept these certificates. However, Google Chrome now prevents users from being able to accept self-signed certificates by default. This will prevent you from accessing Verrazzano consoles that are using untrusted certificates.

When this occurs, while trying to access Verrazzano services, you will see an error message like the following:

elasticsearch.vmi.system.default. normally uses encryption to protect your information. When Chrome tried to connect to elasticsearch.vmi.system.default. this time, the website sent back unusual and incorrect credentials

You can choose to import the certificate into your local trust chain, but this will have to be done for each Verrazzano instance. From a security perspective, this is not recommended.

As an alternative, you can enter a secret passphrase in Chrome to enable it to prompt you to accept these certificates, by doing the following:

  • When you see an error such as the one shown previously, when the browser window has the keyboard focus, enter the phrase thisisunsafe.
  • Reload the site.
  • Chrome will prompt you to accept the certificate.

Note: This should be used only when accessing sites that are known to be safe, such as in this situation.