ssl with pow using stud

Instructions

  • Install stud $ brew install https://raw.github.com/paulnicholson/homebrew/master/Library/Formula/stud.rb
  • Download and install the powssl script $ curl https://gist.githubusercontent.com/paulnicholson/2050941/raw/7e4d2178e3733bed18fdfe737277c3cb72241d39/powssl > ~/bin/powssl $ chmod +x ~/bin/powssl
  • Run powssl to create the development certificate and configure stud.
    • $ powssl
  • Launch your browser and hit one of your apps
    • $ open https://app.dev/
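#!/bin/bash
#
# powssl: serve pow apps over HTTPS through stud.
#
# First run:   creates ~/.stud, writes a stud config that listens on :443 and
#              forwards to pow on 127.0.0.1:80, creates a local CA and adds it
#              to the login keychain as trusted.
# Every run:   builds the list of DNS names from ~/.pow/* plus POW_DOMAINS and
#              POW_EXT_DOMAINS (from ~/.powconfig), re-issues the wildcard dev
#              certificate when that list changed, then execs stud under sudo.
#
# Globals read:  HOME, POW_DOMAINS, POW_EXT_DOMAINS
# Files written: ~/.stud/{config,key.pem,csr.pem,cert.pem,keypair.pem,domains}
#                ~/.stud/ca/{openssl.cnf,index.txt,serial,key.pem,cert.pem,newcerts/}
#
# Written for the /bin/bash that ships with macOS (3.2): no namerefs, no
# mapfile, and no `set -u` because arrays here may legitimately be empty.
set -eo pipefail

STUD_DIR="$HOME/.stud"
CA_DIR="$STUD_DIR/ca"

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Write the CA's openssl.cnf from the template below.
# The here-doc delimiter is quoted so that $dir and ${ENV::SAN} reach
# openssl untouched; the one token this script does expand, $CA_DIR, is
# substituted by sed ('%' is the delimiter because the path contains '/').
# Globals:  CA_DIR (read)
# Outputs:  $CA_DIR/openssl.cnf
#######################################
write_openssl_cnf() {
  sed "s%\$CA_DIR%$CA_DIR%" > "$CA_DIR/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/key.pem
RANDFILE = $dir/.rand
default_days = 365 # how long to certify for (overridden by -days on the command line)
default_crl_days = 30 # how long before next CRL
default_md = sha256 # signature digest; SHA-1 signed certificates are rejected by current browsers
x509_extensions = usr_cert
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
extendedKeyUsage = serverAuth # modern TLS clients expect an EKU on server certificates
subjectAltName = ${ENV::SAN}
EOF
}

# Append one DNS name to the comma-separated subjectAltName list in $san.
add_san() {
  san="${san:+$san,}DNS:$1"
}

#######################################
# One-time setup of ~/.stud: stud config, CA keypair, keychain trust.
# Globals:  STUD_DIR, CA_DIR (read)
# Outputs:  $STUD_DIR/config, $CA_DIR/{openssl.cnf,index.txt,serial,key.pem,cert.pem}
#######################################
first_run_setup() {
  # Make folder for stud config and keys.  The CA private key is stored
  # unencrypted (-nodes) and anyone who can read it can mint certificates
  # this machine trusts, so keep the whole tree private to the user.
  mkdir -p "$CA_DIR/newcerts"
  chmod 700 "$STUD_DIR"

  # user/group are the invoking user so stud can drop root after binding :443.
  stud --default-config \
    | sed -e "s%frontend = .*%frontend = \"[*]:443\"%" \
          -e "s%backend = .*%backend = \"[127.0.0.1]:80\"%" \
          -e "s%user = .*%user = \"$(id -un)\"%" \
          -e "s%group = .*%group = \"$(id -gn)\"%" \
          -e "s%pem-file = .*%pem-file= \"$STUD_DIR/keypair.pem\"%" \
          -e "s%# ssl = .*%ssl= on%" \
    > "$STUD_DIR/config"

  echo "Setup openssl config"
  write_openssl_cnf
  touch "$CA_DIR/index.txt"
  echo "01" > "$CA_DIR/serial"

  echo "Creating ssl keypair for signing *.dev certificate."
  openssl req -newkey rsa:2048 -sha256 -batch -x509 -nodes \
    -subj "/C=US/O=Developer Certificate/CN=*.dev Domain CA" \
    -keyout "$CA_DIR/key.pem" -out "$CA_DIR/cert.pem" -days 9999 \
    >/dev/null 2>&1 || die "Creating the CA keypair failed."

  # Trusting the CA needs an admin password prompt; if the user cancels, do
  # not abort (the CA files exist and this block will not run again) but tell
  # them exactly what to rerun.
  echo "Adding certificate to login keychain as trusted."
  security add-trusted-cert -d -r trustRoot \
    -k "$HOME/Library/Keychains/login.keychain" "$CA_DIR/cert.pem" \
    || printf 'warning: CA not trusted yet; rerun: security add-trusted-cert -d -r trustRoot -k "%s" "%s"\n' \
         "$HOME/Library/Keychains/login.keychain" "$CA_DIR/cert.pem" >&2

  echo "================================================================================"
  printf 'To use the certificate without a warning in Firefox you must add the\n"%s" certificate to your Firefox root certificates.\n' "$CA_DIR/cert.pem"
  echo "================================================================================"
}

#######################################
# Build the subjectAltName list and export it as SAN for openssl.cnf.
# Order matches what the certificate has always contained: external domains
# first, then each ~/.pow app under every TLD, then each app under every
# external domain.
# Globals:  HOME, POW_DOMAINS, POW_EXT_DOMAINS (read); SAN (exported)
#######################################
build_san() {
  local san="" ext_domain app_path app tld
  local -a raw_ext_domains=() ext_domains=() tlds=()

  # POW_EXT_DOMAINS is comma-separated; a value without a dot is a bare TLD
  # and would not yield a usable name, so it is skipped (with a notice).
  IFS=, read -r -a raw_ext_domains <<<"${POW_EXT_DOMAINS:-}"
  for ext_domain in "${raw_ext_domains[@]}"; do
    [ -n "$ext_domain" ] || continue
    if [[ $ext_domain == *.* ]]; then
      ext_domains+=("$ext_domain")
    else
      echo "Not using POW_EXT_DOMAIN value '$ext_domain' because it appears to be a TLD."
    fi
  done

  IFS=, read -r -a tlds <<<"${POW_DOMAINS:-dev}"

  for ext_domain in "${ext_domains[@]}"; do
    add_san "$ext_domain"
    add_san "*.$ext_domain"
  done

  for app_path in "$HOME"/.pow/*; do
    # With an empty ~/.pow the unmatched glob would stay literal and become
    # the name "*"; skip it.
    [ -e "$app_path" ] || continue
    app="${app_path##*/}"
    for tld in "${tlds[@]}"; do
      add_san "$app.$tld"
      add_san "*.$app.$tld"
    done
    for ext_domain in "${ext_domains[@]}"; do
      add_san "*.$app.$ext_domain"
    done
  done

  [ -n "$san" ] || die "No apps in $HOME/.pow and POW_EXT_DOMAINS is empty: nothing to put in the certificate."
  export SAN="$san"
}

#######################################
# Re-issue the dev certificate when the SAN list differs from the one the
# current certificate was issued for ($STUD_DIR/domains).
# Globals:  STUD_DIR, CA_DIR, SAN (read)
#######################################
issue_dev_cert_if_needed() {
  local current_san=""
  # First run: no marker file yet, so the empty string forces issuance.
  if [ -f "$STUD_DIR/domains" ]; then
    current_san=$(<"$STUD_DIR/domains")
  fi
  [ "$current_san" != "$SAN" ] || return 0

  # Rewritten every time so the config on disk matches this script's template.
  write_openssl_cnf
  echo "Generating new dev certificate"
  openssl req -newkey rsa:2048 -sha256 -batch -nodes \
    -subj "/C=US/O=Developer Certificate/CN=*.dev" \
    -keyout "$STUD_DIR/key.pem" -out "$STUD_DIR/csr.pem" \
    >/dev/null 2>&1 || die "Generating the dev key and CSR failed."
  echo "Signing dev certificate"
  # NOTE(review): some clients cap leaf-certificate validity well below 9999
  # days; lower -days here if the certificate is reported as untrusted.
  openssl ca -config "$CA_DIR/openssl.cnf" -policy policy_anything -batch -days 9999 \
    -out "$STUD_DIR/cert.pem" -infiles "$STUD_DIR/csr.pem" \
    >/dev/null 2>&1 || die "Signing the dev certificate failed (CA config: $CA_DIR/openssl.cnf)."
  cat "$STUD_DIR/key.pem" "$STUD_DIR/cert.pem" > "$STUD_DIR/keypair.pem"
  # Written last so a failed issuance is retried on the next run.
  printf '%s\n' "$SAN" > "$STUD_DIR/domains"
}

main() {
  command -v stud >/dev/null || die "stud not found in PATH; install it first."
  command -v openssl >/dev/null || die "openssl not found in PATH."

  if [ ! -d "$STUD_DIR" ]; then
    first_run_setup
  fi

  if [ -e "$HOME/.powconfig" ]; then
    # shellcheck disable=SC1090
    source "$HOME/.powconfig"
  fi

  build_san
  issue_dev_cert_if_needed

  echo "Starting Stud (using sudo to open ports < 1024)"
  exec sudo stud --config "$STUD_DIR/config"
}

main "$@"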
@aiwilliams


commented May 16, 2012

You'll want to create the ~/bin directory, or install to another location on your path.

@coneybeare


commented May 24, 2012

Any way to patch pow so that manually running powssl isn't necessary?

@paulnicholson


commented May 24, 2012

@coneybeare There might be but at the time I had the feeling (based on the responses at basecamp/pow#5) that the pow team has decided not to look into this further. Please feel free to try your hand at submitting a pull request to them.

@ghost


commented Sep 14, 2012

echo -e "To use the certificate without a warning in Firefox you must add the\n"$CA_DIR/cert.pem" certificate to your Firefox root certificates."

Really, that's how you fix it? So far everything I've read indicates that I need to be serving the intermediate certificate.

@ghost


commented Sep 14, 2012

Turns out I needed, in my .pem, the mydomain certificate, the intermediate, the root, and lastly the private key.

@rossjourdain


commented Oct 30, 2013

@paulnicholson


commented Jun 5, 2014

I have updated the script to use TLDs from POW_DOMAINS and domains from POW_EXT_DOMAINS.

@calebhaye


commented Oct 14, 2015

@paulnicholson I'm seeing the following:

Error: MD5 support has been dropped for security reasons.
Please switch this formula to SHA256.