@paulnicholson
Last active November 24, 2021 16:40
ssl with pow using stud

Instructions

  • Install stud:
      $ brew install https://raw.github.com/paulnicholson/homebrew/master/Library/Formula/stud.rb
  • Download and install the powssl script:
      $ curl https://gist.githubusercontent.com/paulnicholson/2050941/raw/7e4d2178e3733bed18fdfe737277c3cb72241d39/powssl > ~/bin/powssl
      $ chmod +x ~/bin/powssl
  • Run powssl to create the development certificate and configure stud:
      $ powssl
  • Launch your browser and hit one of your apps:
      $ open https://app.dev/

#!/bin/bash
# powssl: create a local CA plus a wildcard development certificate covering the
# apps served by pow, then start stud as a TLS terminator in front of pow
# (https on 443 -> plain http on 127.0.0.1:80).
STUD_DIR="$HOME/.stud"
CA_DIR="$STUD_DIR/ca"

# Write the OpenSSL config embedded at the end of this file (everything after the
# OPENSSL_CONFIG: marker) to $CA_DIR/openssl.cnf, substituting the CA directory.
write_openssl_config() {
  config_start=$(grep --text --line-number '^OPENSSL_CONFIG:$' "$0" | cut -d ':' -f 1)
  tail -n +$((config_start + 1)) "$0" | sed "s%\$CA_DIR%$CA_DIR%" > "$CA_DIR/openssl.cnf"
}

if [ ! -d "$STUD_DIR" ]; then
  # Make folders for the stud config and the CA database
  mkdir -p "$CA_DIR/newcerts"
  # Start from stud's default config and point it at pow: listen on 443, forward to
  # pow on 127.0.0.1:80, and drop privileges to the current user once bound.
  stud --default-config \
  | sed "s%frontend = .*%frontend = \"[*]:443\"%" \
  | sed "s%backend = .*%backend = \"[127.0.0.1]:80\"%" \
  | sed "s%user = .*%user = \"$(id -un)\"%" \
  | sed "s%group = .*%group = \"$(id -gn)\"%" \
  | sed "s%pem-file = .*%pem-file = \"$STUD_DIR/keypair.pem\"%" \
  | sed "s%# ssl = .*%ssl = on%" \
  > "$STUD_DIR/config"
  echo "Setup openssl config"
  write_openssl_config
  touch "$CA_DIR/index.txt"
  echo "01" > "$CA_DIR/serial"
  echo "Creating ssl keypair for signing *.dev certificate."
  # Self-signed root CA. The key is written unencrypted (-nodes) to $CA_DIR/key.pem;
  # anyone who can read it can mint certificates this machine trusts, so keep it private.
  openssl req -newkey rsa:2048 -batch -x509 -nodes -subj "/C=US/O=Developer Certificate/CN=*.dev Domain CA" -keyout "$CA_DIR/key.pem" -out "$CA_DIR/cert.pem" -days 9999 &> /dev/null
  echo "Adding certificate to login keychain as trusted."
  # Marks the CA as a trusted root for this user (Safari and Chrome use the keychain;
  # Firefox keeps its own store, hence the note below).
  security add-trusted-cert -d -r trustRoot -k "$HOME/Library/Keychains/login.keychain" "$CA_DIR/cert.pem"
  echo "================================================================================"
  echo -e "To use the certificate without a warning in Firefox you must add the\n\"$CA_DIR/cert.pem\" certificate to your Firefox root certificates."
  echo "================================================================================"
fi

# pow's own settings: POW_DOMAINS (TLDs, default "dev") and POW_EXT_DOMAINS are
# comma-separated lists, so split on "," while building the name list.
if [ -e "$HOME/.powconfig" ]; then
  source "$HOME/.powconfig"
fi
# Collect subjectAltName entries into one comma-separated string
domains=""
add_san() { domains="${domains:+$domains,}DNS:$1"; }
IFS=","
for ext_domain in $POW_EXT_DOMAINS; do
  if [[ $ext_domain == *.* ]]; then
    add_san "$ext_domain"
    add_san "*.$ext_domain"
  else
    echo "Not using POW_EXT_DOMAIN value '$ext_domain' because it appears to be a TLD."
  fi
done
# One entry (plus a wildcard) per app linked into ~/.pow, for every TLD and external domain
for domain in "$HOME"/.pow/*; do
  domain="${domain##*/}"
  for ext in ${POW_DOMAINS:-"dev"}; do
    add_san "$domain.$ext"
    add_san "*.$domain.$ext"
  done
  for ext_domain in $POW_EXT_DOMAINS; do
    if [[ $ext_domain == *.* ]]; then
      add_san "*.$domain.$ext_domain"
    fi
  done
done
unset IFS
# Read by openssl.cnf through ${ENV::SAN}
export SAN="$domains"

# Only re-issue the dev certificate when the set of names has changed
if [ "$(cat "$STUD_DIR/domains" 2>/dev/null)" != "$SAN" ]; then
  write_openssl_config
  echo "Generating new dev certificate"
  # The CN is cosmetic; browsers match the names in the SAN extension.
  openssl req -newkey rsa:2048 -batch -nodes -subj "/C=US/O=Developer Certificate/CN=*.dev" -keyout "$STUD_DIR/key.pem" -out "$STUD_DIR/csr.pem" &> /dev/null
  echo "Signing dev certificate"
  # Note: macOS and Safari reject TLS server certificates valid for more than 825 days
  # (398 days for certificates issued after September 2020); lower -days if that bites.
  openssl ca -config "$CA_DIR/openssl.cnf" -policy policy_anything -batch -days 9999 -out "$STUD_DIR/cert.pem" -infiles "$STUD_DIR/csr.pem" &> /dev/null
  # stud reads the private key and the certificate from a single pem-file
  cat "$STUD_DIR/key.pem" "$STUD_DIR/cert.pem" > "$STUD_DIR/keypair.pem"
  echo "$SAN" > "$STUD_DIR/domains"
fi
echo "Starting Stud (using sudo to open ports < 1024)"
exec sudo stud --config "$STUD_DIR/config"
exit 0
OPENSSL_CONFIG:
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/key.pem
RANDFILE = $dir/.rand
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha256 # SHA-1 signed certificates are rejected by current browsers
x509_extensions = usr_cert
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
# macOS 10.15+ requires an EKU of serverAuth on TLS server certificates
extendedKeyUsage = serverAuth
nsCertType = server
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = ${ENV::SAN}
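As an added example (not part of this gist, and not stud's or pow's own code), the script below does two things. First, it restates the subjectAltName list that powssl derives from POW_DOMAINS, POW_EXT_DOMAINS and the entries under ~/.pow as a function that takes those three lists as explicit arguments, so the naming logic can be exercised without pow installed. Second, it generates a throw-away CA and leaf certificate with plain openssl in a directory of your choosing and runs the checks worth doing on a keypair.pem before stud loads it: the leaf chains to the CA, the private key and certificate belong together, the certificate is not close to expiry, and every requested name is present in the SAN extension. The function names, the file layout inside the temporary directory, the app names and the 398-day leaf validity are assumptions made for this example.

```shell
#!/bin/sh
# Added example: rebuild the powssl SAN list from explicit inputs, then issue and
# verify a dev certificate chain with openssl only. Not the gist's own code.
set -f  # no pathname expansion: SAN entries contain '*'

# build_san TLDS EXT_DOMAINS APPS -> "DNS:app.tld,DNS:*.app.tld,..."
# All three arguments are comma-separated, as pow's own settings are.
# Mirrors powssl: external domains (with wildcard) first, then per app one entry
# and one wildcard per TLD, then a wildcard under each external domain.
build_san() {
  local tlds="$1" ext_domains="$2" apps="$3"
  local out="" a d e
  local IFS=","
  for e in $ext_domains; do
    case "$e" in
      *.*) out="${out:+$out,}DNS:$e,DNS:*.$e" ;;
      *)   echo "skipping POW_EXT_DOMAINS value '$e': looks like a bare TLD" >&2 ;;
    esac
  done
  for a in $apps; do
    for d in ${tlds:-dev}; do
      out="${out:+$out,}DNS:$a.$d,DNS:*.$a.$d"
    done
    for e in $ext_domains; do
      case "$e" in *.*) out="${out:+$out,}DNS:*.$a.$e" ;; esac
    done
  done
  printf '%s' "$out"
}

# verify_dev_chain DIR SAN: create ca-cert.pem / keypair.pem in DIR (assumed
# layout) and return 0 only if every check passes. Messages go to stderr.
verify_dev_chain() {
  local dir="$1" san="$2" k c text n
  mkdir -p "$dir" || return 1
  # Self-signed root CA (what powssl does with openssl req -x509)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Developer Certificate/CN=Dev Domain CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" >/dev/null 2>&1 || return 1
  # Leaf key and CSR; the names live in the SAN extension, the CN is cosmetic
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Developer Certificate/CN=dev leaf" \
    -keyout "$dir/key.pem" -out "$dir/csr.pem" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
    "$san" > "$dir/leaf.ext"
  # 398 days keeps the leaf within Apple's validity limit (an assumption of this example)
  openssl x509 -req -sha256 -days 398 -CAcreateserial \
    -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
    -in "$dir/csr.pem" -extfile "$dir/leaf.ext" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
  # Same concatenation powssl feeds to stud: private key, then certificate
  cat "$dir/key.pem" "$dir/cert.pem" > "$dir/keypair.pem"

  # Check 1: the leaf validates against our CA
  openssl verify -CAfile "$dir/ca-cert.pem" "$dir/cert.pem" >/dev/null 2>&1 \
    || { echo "chain check failed" >&2; return 1; }
  # Check 2: key and certificate inside keypair.pem carry the same public key
  k=$(openssl pkey -in "$dir/keypair.pem" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$dir/keypair.pem" -noout -pubkey 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ] || { echo "key/certificate mismatch" >&2; return 1; }
  # Check 3: at least 30 days (2592000 s) of validity left
  openssl x509 -in "$dir/cert.pem" -noout -checkend 2592000 >/dev/null \
    || { echo "certificate expires within 30 days" >&2; return 1; }
  # Check 4: every requested DNS name appears in the issued SAN extension
  text=$(openssl x509 -in "$dir/cert.pem" -noout -text)
  local IFS=","
  for n in $san; do
    case "$text" in *"$n"*) ;; *) echo "missing SAN entry $n" >&2; return 1 ;; esac
  done
  return 0
}

# Demo when invoked directly as: sh check_dev_chain.sh --demo
if [ "${1:-}" = "--demo" ]; then
  san=$(build_san "${POW_DOMAINS:-dev}" "${POW_EXT_DOMAINS:-}" "myapp,otherapp")
  echo "SAN: $san"
  tmp=$(mktemp -d) && verify_dev_chain "$tmp" "$san" && echo "all checks passed in $tmp"
fi
```

The SAN check is the one that catches the common mistake with this setup: editing POW_DOMAINS or adding an app without re-running powssl, which leaves stud serving a certificate that the browser rejects for the new host name.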
@aiwilliams

You'll want to create the ~/bin directory, or install to another location on your path.

@coneybeare

any way to patch pow so manually running powssl isn't necessary?

@paulnicholson (Author)

@coneybeare There might be but at the time I had the feeling (based on the responses at basecamp/pow#5) that the pow team has decided not to look into this further. Please feel free to try your hand at submitting a pull request to them.

ghost commented Sep 14, 2012

    echo -e "To use the certificate without a warning in Firefox you must add the\n"$CA_DIR/cert.pem" certificate to your Firefox root certificates."

Really, that's how you fix it? So far everything I've read indicates that I need to be serving the intermediate certificate.

ghost commented Sep 14, 2012

Turns out I needed, in my .pem: the mydomain certificate, the intermediate, the root, and lastly the private key.


@paulnicholson (Author)

I have updated the script to use TLDs from POW_DOMAINS and domains from POW_EXT_DOMAINS.

@calebhaye

@paulnicholson I'm seeing the following:

    Error: MD5 support has been dropped for security reasons.
    Please switch this formula to SHA256.
