So at my new job I’ve been learning TAP (Tanzu Application Platform), and as a part of that I’ve had to set up a domain so I can build new apps and serve them from that domain. So obviously I just picked a domain from a list of domains that I own, and the domain I chose was alexanderbrash.dev. Simple enough, but then I noticed that when I tried to access the TAP GUI in Chrome or Firefox I was getting redirected to the https version of the site, and of course I hadn’t set up any certs or anything; I was just messing around. Even if I used an incognito window or tab, same thing: every time I would go to http://tap-gui.tap.alexanderbrash.dev it would forward me to https://tap-gui.tap.alexanderbrash.dev.
So I fired up dev tools and sure enough I could see a 301 being injected into my requests and forcing all traffic to https. Well, a simple fix was to just go ahead and get a cert for that domain, so I did: I got a wildcard cert for *.tap.alexanderbrash.dev. But every time I created a new sub-domain for testing off of alexanderbrash.dev it kept forcing me to https, so I would have to get a wildcard cert for all subs as well. Well, I sure as heck am not paying for that; the only alternative was to use Let’s Encrypt, but really. So I did a little Googling around and found the issue: Google forces all .dev and .foo sites to https using HSTS. Here is the article that discusses the issue.
So again Google has decided to break the internet just because it can; the upside is at least I found the problem by searching on Google… They made the change as of Chrome 63, which was released in December 2017. This is now the second time Google has made a change that has caused me sleepless nights. A few years ago Google no longer accepted certs that had an empty SAN and would no longer read from the CN in a cert. Well, that morning I went to work and the tickets just flowed in, as a ton of our certs at the time did not populate the SAN field and everyone using Chrome received a nasty “This site is not trusted…” It took me all day to learn to use OpenSSL with a CNF file to re-issue all those certs with the SAN field populated, and I had to rush and rebuild our PKI infrastructure. Gotta love IT.
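
The .dev behaviour described above can be modelled in a few lines. This is an added example, not code from the original post or from any browser: it shows how a preloaded TLD entry with include-subdomains semantics covers every new sub-domain and rewrites the URL per RFC 6797 section 8.3. The `PRELOAD` table, the `example.org` entry and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed excerpt of a preload list: name -> include_subdomains.
# "dev" and "foo" are the TLDs named in the post; example.org is made up.
PRELOAD = {
    "dev": True,
    "foo": True,
    "example.org": False,  # constructed: covers the exact host only
}


def matching_entry(host, preload=PRELOAD):
    """Return the preload entry that covers host, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload:
            # i == 0 is an exact match; a parent entry only counts
            # when it was listed with include_subdomains.
            if i == 0 or preload[candidate]:
                return candidate
    return None


def upgrade(url, preload=PRELOAD):
    """Apply the HSTS scheme rewrite (RFC 6797 section 8.3) to a URL."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    if matching_entry(parts.hostname, preload) is None:
        return url
    host = parts.hostname
    # An explicit port 80 becomes the implicit 443; other ports are kept.
    if parts.port not in (None, 80):
        host = f"{host}:{parts.port}"
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for u in ("http://tap-gui.tap.alexanderbrash.dev",
              "http://new-sub.alexanderbrash.dev:8080/app",
              "http://www.example.org/"):
        print(u, "->", upgrade(u))
```

Because the match is on the `dev` label itself, no per-site state is involved, which is consistent with the incognito window making no difference.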