I’ve been having an odd issue for a couple of months. When accessing sites having a .dev domain (like most recently go.dev), my browsers have given me warnings and, as many had HSTS headers, not allowed me to visit the site.
It seemed like a strange error, and I’ve tried to remember if I’ve set up some proxy or VPN connection, that could cause this issue. A few times I’ve asked others on the net if they had issues – which was not the case – and I’ve tried using a web proxy, and everything worked. Yet no matter which browser I used it didn’t work.
I did try to see if it might be a DNS issue (in the local /etc/hosts file) or anywhere else, but no luck.
Today the issue was finally solved. Examining the certificate by clicking the “Not secure” in the address bar, the certificate turned out to be an anything.dev certificate (as in “*.dev”), and that eventually provided the clue I needed.
Apparently at some point – long before the dot dev (.dev) domain existed as an actual valid domain namespace – I set up *.dev as a local development namespace and created a self-signed certificate to allow an HTTPS-based development environment for my local domains.
I had long since removed the /etc/hosts entry which sent all *.dev names to localhost, but wasn’t aware of the self-signed certificate, and it lingered on for years. As most modern sites now use HSTS headers, this caused an issue, and I was finally able to identify the issue, launch “Keychain Access” on my iMac and delete the self-signed certificate which was used for all *.dev sites.
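A check for the same kind of leftover, as an added example that is not part of the original post: it reads PEM certificates on stdin and reports self-issued ones whose CN or SAN is a wildcard covering a whole TLD, such as `*.dev`. The function name is hypothetical and `openssl` is assumed to be installed; on macOS the input can come from `security find-certificate -a -p`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes the openssl CLI is available.
# Reads a PEM bundle on stdin and prints "name<TAB>subject" for every
# self-issued certificate whose CN or SAN is a TLD-wide wildcard like "*.dev".
# macOS usage: security find-certificate -a -p | find_tld_wildcard_certs
find_tld_wildcard_certs() {
  local tmp cert subject issuer names name
  tmp=$(mktemp -d) || return 1

  # Split the bundle into one file per certificate.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
    out                           { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  '

  for cert in "$tmp"/*.pem; do
    [ -e "$cert" ] || continue
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null) || continue
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 2>/dev/null) || continue
    subject=${subject#subject=}; subject=${subject# }
    issuer=${issuer#issuer=};    issuer=${issuer# }

    # Self-issued (subject == issuer) is used here as the marker for a
    # home-made development certificate; CA-issued certificates are skipped.
    [ "$subject" = "$issuer" ] || continue

    # Candidate host names: the CN (simple split, ignores escaped commas)
    # plus every DNS entry of the subjectAltName extension.
    names=$( { printf '%s\n' "$subject" | tr ',' '\n' | sed -n 's/^CN=//p'
               openssl x509 -in "$cert" -noout -text 2>/dev/null |
                 grep -o 'DNS:[^,]*' | sed 's/^DNS://'; } | sort -u ) || true

    printf '%s\n' "$names" | while IFS= read -r name; do
      case $name in
        \*.*.*) ;;                                      # *.example.dev: one domain only
        \*.?*)  printf '%s\t%s\n' "$name" "$subject" ;; # *.dev: covers the whole TLD
      esac
    done
  done
  rm -rf "$tmp"
}
```

Any line it prints names a certificate worth reviewing in Keychain Access (or the platform's equivalent store) before it collides with a real domain.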