Save tadast/9932075 to your computer and use it in GitHub Desktop.
# 1) Create your private key (any password will do, we remove it below)
$ cd ~/.ssh
$ openssl genrsa -des3 -out server.orig.key 2048
# 2) Remove the password
$ openssl rsa -in server.orig.key -out server.key
# 3) Generate the csr (Certificate signing request) (Details are important!)
$ openssl req -new -key server.key -out server.csr
# IMPORTANT
# MUST have localhost.ssl as the common name to keep browsers happy
# (has to do with non internal domain names ... which sadly can be
# avoided with a domain name with a "." in the middle of it somewhere)
Country Name (2 letter code) [AU]:
...
Common Name: localhost.ssl
...
# 4) Generate self signed ssl certificate
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# 5) Finally Add localhost.ssl to your hosts file
$ echo "127.0.0.1 localhost.ssl" | sudo tee -a /private/etc/hosts
# 6) Boot puma
$ puma -b 'ssl://127.0.0.1:3000?key=/Users/tadas/.ssh/server.key&cert=/Users/tadas/.ssh/server.crt'
# 7) Add server.crt as trusted !!SYSTEM!! (not login) cert in the mac osx keychain
# Open keychain tool, drag .crt file to system, and trust everything.
# Notes:
# 1) Https traffic and http traffic can't be served from the same process. If you want
# both you need to start two instances on different ports.
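An added example, not the gist author's script: it collapses steps 1 to 4 above into a single openssl invocation that skips the passphrase and adds a subjectAltName (current browsers check the SAN, not only the CN), then verifies the key/cert pair before it is handed to puma. Assumes OpenSSL 1.1.1 or newer on PATH (for -addext); the output directory argument and the file names server.key/server.crt are assumptions.

```shell
#!/bin/sh
# Added example (not the gist author's code). Generates and checks a
# self-signed localhost.ssl cert; assumes OpenSSL 1.1.1+ is on PATH.
set -eu

# gen_local_cert DIR NAME: writes DIR/server.key and DIR/server.crt for NAME.
# -nodes skips the passphrase (gist steps 1+2), -x509 self-signs directly
# (step 4), -addext adds the SAN that browsers require alongside the CN.
gen_local_cert() {
  dir=$1; name=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/server.key" -out "$dir/server.crt" \
    -subj "/CN=$name" \
    -addext "subjectAltName=DNS:$name,IP:127.0.0.1" >/dev/null 2>&1
  chmod 600 "$dir/server.key"   # private key: owner-readable only
}

# check_local_cert DIR NAME: returns 0 when the cert lists NAME as a SAN,
# has not expired, and matches the private key; 1, 2 or 3 otherwise.
check_local_cert() {
  dir=$1; name=$2
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$name" || return 1
  # -checkend 0: fails if the certificate is already expired
  openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null || return 2
  # public key embedded in the cert must equal the one derived from the key
  [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/server.key" -pubout)" ] || return 3
}

# Usage: sh this.sh ~/.ssh [name]   (name defaults to localhost.ssl, as in the gist)
if [ $# -gt 0 ]; then
  gen_local_cert "$1" "${2:-localhost.ssl}"
  check_local_cert "$1" "${2:-localhost.ssl}" && echo "ok: $1/server.crt"
fi
```

The resulting server.key and server.crt drop straight into the puma -b 'ssl://...' line from step 6; step 7 (trusting the cert in the keychain) is unchanged.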
I'm seeing this error on modern versions of Chrome.
2020-06-26 09:23:21 -0500: SSL error, peer: 127.0.0.1, peer cert: , #<Puma::MiniSSL::SSLError: OpenSSL error: error:141F7065:SSL routines:final_key_share:no suitable key share - 337604709>
According to google, this indicates that the cert generated in this guide is insecure and not supported in SSL 1.3
OpenSSL is fundamentally insecure. I'd recommend checking out my gist above which is based on OpenBSD's OpenSSL rewrite LibreSSL:
OpenBSD's acme-client is also the most secure cert generator around. Check it out!
Can such a cert be generated on a mac, @anon987654321? I'd love to get away from openssl, but it seems like it's the only TLS group that figured out how to do distribution of their software (which is clearly a bit less than ideal given their quality track record).
thank you, it works for me
Thank you for this great thread!
This is my adaptation: https://gist.github.com/etozzato/0ba2140ea3c6125d4839373309fe733a
- Allows for a domain and wildcard subdomain;
- Cleans up after itself in case of error;
- Will still boot puma (no SSL) in case of error;
@TheNotary thanks for getting back at me. You'd probably have to spawn a new server using OpenBSD, check out:
https://github.com/basicfeatures/openbsd-rails
Does SSL/TLS termination before Puma as Puma isn't really suited for this. Check out https://github.com/ErwinM/acts_as_tenant for multiple domains/subdomains, or message me.
@etozzato I might be wrong, but your gist looks over-engineered.
yes, it's plausible! 👍
You can generate a trusted localhost cert by using letsencrypt and creating a certificate like localhost.domain.com (or *.localhost.domain.com for wildcards), verify that with a dns challenge, which usually involves creating an _acme_challenge TXT record. Then, once you have passed the challenges and have the cert, point localhost.domain.com to 127.0.0.1
If you have a multi-tenant app, you can create a wildcard cert also, but you'll have to go through the extra step of manually adding subdomains to localhost.domain.com to /etc/hosts and your config/environments/development.rb (assuming this is a rails app)
In order to run with Rails (version 7),
bin/rails s -u puma -b 'ssl://127.0.0.1:3000?key=server.key&cert=server.crt&verify_mode=peer&ca=server.crt'
There is a fantastic tool called mkcert which eliminates most of the pain of generating self signed certs and installing them as trusted certs on your machine - https://github.com/FiloSottile/mkcert. Way easier than trying to wrangle OpenSSL commands and APIs.
I would like to recommend this approach as well.
I am no SSL guru, so I had a long battle trying to get local SSL to work on my new computer (it works fine on my older one). At some point I even had subjectively non-deterministic results where my SSL would work for a minute or two and then stop working with no apparent change in anything.
Using mkcert on my macOS computer via homebrew solved the problem very quickly and easily.
For what it's worth, here's a simpler and more secure alternative to Linux for hosting your static sites and Rails apps on the same server: https://gist.github.com/anon987654321/4532cf8d6c59c1f43ec8973faa031103