Moved issue monorail:2657 to now be  issue chromium:722144 .

Perhaps the self-signed certificate is missing a subject alternative name (SAN), which Chrome 58 started requiring. This article appears to show how to generate a new self-signed certificate that will comply with the new requirement: https://alexanderzeitler.com/articles/Fixing-Chrome-missing_subjectAltName-selfsigned-cert-openssl/ 

I recreated my certs with Subject Alternative Name (SAN) are localhost and 127.0.0.1 but not luck

My work-around is enable this flag chrome://flags/#allow-insecure-localhost

Please provide a network log as described in https://dev.chromium.org/for-testers/providing-network-details

Hi Ricea,

I attached the net work log, please help.

Deleted: chrome-net-export-log.json 1.1 MB

chrome-net-export-log.json 1.1 MB View Download

Thank you for providing more feedback. Adding requester "ricea@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

#6 thank you for the net log. It is showing the connection to localhost:30714 is failing with an ERR_CERT_COMMON_NAME_INVALID error. The CERT_VERIFIER_JOB displays the following output:

               --> cert_status = 1 (COMMON_NAME_INVALID)
               --> common_name_fallback_used = false
               --> has_md2 = false
               --> has_md4 = false
               --> has_md5 = false
               --> is_issued_by_additional_trust_anchor = false
               --> is_issued_by_known_root = false
               --> public_key_hashes = ["sha1/EHl4SbVI3iZcoCjhkeT0RW4LyGA=","sha256/LqlLrIu+FnX93g0PDsgpAW2z18KccI88q5ql7/Ju+H4=","sha1/ujd2NgYbIO7dSwKLmq/RFtH44mc=","sha256/O8iMnnP1aMkeUvyY+MpAgfqH6hKneEvaXd99cpsdDCc="]

I decoded your public certificate from the net log and it looks like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16515953440559328751 (0xe53474261f6dedef)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Georgia, L=Atlanta, O=QASymphony, O=QASymphony, OU=qTest Explorer, CN=qTest Explorer personal root certificate
        Validity
            Not Before: May 15 07:19:34 2017 GMT
            Not After : May 30 07:19:34 2037 GMT
        Subject: C=US, ST=Georgia, L=Atlanta, O=QASymphony, O=QASymphony, OU=qTest Explorer, CN=qTest Explorer personal root certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:e6:d3:f2:8e:40:30:c0:3c:21:2a:f9:42:7d:0a:
                    e4:64:69:dd:a1:3e:1e:4a:e4:f1:f6:19:6c:7f:a2:
                    d5:19:33:e5:34:c2:c1:18:2f:ca:2d:b1:98:4d:1e:
                    51:ac:e2:1a:c1:30:49:a1:81:b6:f2:e4:d4:f9:a5:
                    e9:f7:52:30:ed:c7:f8:a4:ea:eb:6e:00:1b:1a:0a:
                    9f:a6:c4:22:3a:f9:61:3d:a3:85:15:fa:30:8d:00:
                    8a:e2:25:9d:e9:fa:92:c7:56:9e:d8:15:7b:c7:c4:
                    c0:cb:40:20:cc:d3:cc:b8:d2:9d:1e:81:39:6e:52:
                    77:7e:a6:79:3c:d7:a9:d4:01
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                A3:4A:FD:6C:D5:26:80:3D:D4:41:43:7C:3E:DC:73:CB:F3:65:F4:D9
            X509v3 Authority Key Identifier: 
                keyid:A3:4A:FD:6C:D5:26:80:3D:D4:41:43:7C:3E:DC:73:CB:F3:65:F4:D9
                DirName:/C=US/ST=Georgia/L=Atlanta/O=QASymphony/O=QASymphony/OU=qTest Explorer/CN=qTest Explorer personal root certificate
                serial:E5:34:74:26:1F:6D:ED:EF

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:127.0.0.1
    Signature Algorithm: sha1WithRSAEncryption
         d4:c8:48:ae:d1:ed:19:bd:d9:9b:0e:68:dc:cc:9c:c3:ef:e1:
         4f:d4:89:76:df:81:fc:ba:24:d6:6b:30:ad:20:44:3a:cc:e0:
         75:dd:0f:a5:f7:0b:68:92:b8:97:8c:ec:3e:81:1e:d0:03:36:
         58:c3:af:62:20:39:17:44:e5:d9:da:66:ae:3e:06:3d:82:ba:
         09:50:12:a9:04:60:fa:14:65:5e:30:5c:55:a6:70:9a:8f:63:
         34:94:77:6b:2d:64:2a:be:03:86:39:12:14:6b:1f:dd:dc:79:
         7f:89:d1:b4:6e:c6:e3:cb:ad:cd:44:21:74:40:76:1f:64:ea:
         ce:ca

One thing I noticed is that the common name "CN=qTest Explorer personal root certificate" isn't a valid hostname and does not match the Subject Alternative Name. I don't know whether that is causing a problem.

Also, if included in the certificate, 127.0.0.1 needs to be specified as an IP address rather than a DNS address. I don't know whether this is sufficient for Chrome to reject the connection.

What happens if you visit https://localhost:30714/ directly in the Web browser? If you get an SSL error then the issue is not WebSocket-specific. However, if you see "Illegal Request", "File Not Found" or some other kind of error that comes from the remote server, then it is a WebSocket-specific issue.

I re-create CA with common name is localhost, and also re-signed my cert with new CA, but it is still not work

Attached is new net log, please help.

Thank you for your help.

Deleted: new_chrome-net-export-log.json 1.2 MB

new_chrome-net-export-log.json 1.2 MB View Download

Thank you for providing more feedback. Adding requester "ricea@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I re-create CA with common name is localhost, and also re-signed my
cert with new CA, but it is still not work

Attached is new net log, please help.

Thank you for your help.

I think I have found the answer. Chrome really hates seeing DNS:127.0.0.1 in the Subject Alternative Name section. See https://superuser.com/questions/1202498/create-self-signed-certificate-with-subjectaltname-to-fix-missing-subjectaltnam/1202506#1202506

Please test your certificate by visiting https://localhost:30714/ before trying a WebSocket connection. If there is something wrong with the certificate you will actually be able to see the diagnostics by visiting with https.

@ricea@chromium.org I think you right, when I accessed
https://localhost:30714, Chrome showed SSL error, I forced to accept my
self sighed certificate, it worked. My question is: Is there any way to
make a self signed certificate that is accepted by Chrome 58+.

It's possible to get WebSocket connections to servers that require clicking through a certificate error by "preflighting", that is, first establishing an https connection to the same host and port so that the user can click through the error, and only then performing the actual WebSocket connection. All the WebSocket servers I have tried can also serve content over HTTP on the same host and port. The simplest solution is just to put the html for the page that performs the connection on the same server.

I'm redirecting this to Internals>Network>Certificate for the definitive answer on how to get Chrome to make a TLS connection to localhost without errors.

Looking at the netlog from comment #10, the subjectAltName is on the CA certificate, and the end-entity certificate does not have a subjectAltName. That's backwards. Try putting the subjectAltName on the end-entity certificate.

[tathanhphu]:  Per comment #16, issue looks to be on your end.  I'm closing this bug, but if the problem persists, please say so and I'll re-open it.