Getting round XAMPP SSL cert annoyances

I set up multiple vhosts so I could develop a system with:

• A WordPress website on domain https://www.mydomain.lh, which contains
• A Vue.js app I built, which talks to
• A Laravel/Lumen API I built, on domain https://api.mydomain.lh

In my vhosts settings, both domains were using the built-in XAMPP SSL certificate on port 443 for HTTPS.

It took a couple of hours to get the setup working initially, but I swear blind that it worked OK for a week.

Then, today – the day I 100% need to fix the most difficult system design issue arising from client feedback – Chrome started giving me ERR_CERT_AUTHORITY_INVALID errors in my console when the Vue.js app was trying to make XHR requests for data from my API.

I didn’t punch a hole in the wall. Neither did I run up and down the street screaming.I didn’t hurl my Macbook at the wall opposite, shattering the laptop into mangled chunks and knocking divots out of the plaster.

I didn’t punch myself in the legs repeatedly, or screw my fingers into painfully tight fists in my hair until hairs started popping out of my scalp. I didn’t scratch the skin of my arms or my shins.

Because through sheer random chance, I found a StackOverflow post with a hacky fix for the problem:

1. Note the failing URL from your Chrome developer console – EG https://api.mydomain.lh/api/v1/metadata
2. Copy-paste the URL into the address bar of a new tab in Chrome
3. The request will fail – you’ll see an error page telling you that SSL isn’t working for the requested URL.
4. Click anywhere in the body of the error page
5. Now… I kid you not… just type the text thisisunsafe on your keyboard. You won’t see anything, there’s no visual acknowledgement that you’re even typing anything… but Chrome will then allow XHR requests (by my Vue.js app, in my case) to the requested domain even though its SSL certificate doesn’t stack up.

Part of me would love to know how the world is meant to fucking work when your ability to do your job is turned off suddenly by some undetectable change in how a web browser decides to treat locally hosted SSL certficates, and the solution is an easter-egg-style cheatcode for your fucking browser that you only find out about through the sheer fucking luck of stumbling on the right comment in the right StackOverflow post. Like, if the person who posted that comment couldn’t be bothered on the day they were bothered, would I be insolubly fucked today?

Anyway, the internet being an intolerable cess-swill of fascism aside, it’s a handy fix, so I thought I might try to half-fix it in my memory by blogging it.