```sh
# 1) Create your private key (any password will do, we remove it below)
$ cd ~/.ssh
$ openssl genrsa -des3 -out server.orig.key 2048

# 2) Remove the password
$ openssl rsa -in server.orig.key -out server.key

# 3) Generate the CSR (Certificate Signing Request) (Details are important!)
$ openssl req -new -key server.key -out server.csr

# IMPORTANT
# MUST have localhost.ssl as the common name to keep browsers happy
# (has to do with non-internal domain names ... which sadly can be
# avoided with a domain name with a "." in the middle of it somewhere)
#
# Note: current Chrome and Firefox ignore the Common Name entirely and
# require a subjectAltName extension; a CN-only certificate is rejected
# even after it is trusted. Add one, e.g. with
# openssl req ... -addext "subjectAltName=DNS:localhost.ssl,IP:127.0.0.1"
# (OpenSSL 1.1.1 or later).

Country Name (2 letter code) [AU]:
...
Common Name: localhost.ssl
...

# 4) Generate self-signed SSL certificate
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# 5) Finally add localhost.ssl to your hosts file
$ echo "127.0.0.1 localhost.ssl" | sudo tee -a /private/etc/hosts

# 6) Boot puma
$ puma -b 'ssl://127.0.0.1:3000?key=/Users/tadas/.ssh/server.key&cert=/Users/tadas/.ssh/server.crt'

# 7) Add server.crt as a trusted !!SYSTEM!! (not login) cert in the macOS keychain
# Open the Keychain Access tool, drag the .crt file to System, and trust everything.

# Notes:
# 1) HTTPS traffic and HTTP traffic can't be served from the same process. If you want
#    both you need to start two instances on different ports.
```
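As an added example (not the gist author's commands): the same key-and-certificate result in a single `openssl req` invocation, with the subjectAltName that current browsers check instead of the Common Name, plus two checks worth running before dragging the certificate into the System keychain. The `localhost.ssl` hostname, the output directory and the function names are assumptions for this example; it needs OpenSSL 1.1.1 or later (LibreSSL 3.1 or later) for `-addext`.

```shell
#!/bin/sh
# Added example for the gist above, not the gist's own commands.
# One-step self-signed development certificate with a SAN, and checks.
set -eu

# make_dev_cert DIR HOSTNAME
# Writes DIR/server.key (no passphrase) and DIR/server.crt, self-signed,
# valid for 365 days, with CN=HOSTNAME and SAN DNS:HOSTNAME, IP:127.0.0.1.
# DIR and HOSTNAME are assumptions chosen by the caller.
make_dev_cert() {
    dir="$1"
    host="$2"
    mkdir -p "$dir"
    # -x509   : self-sign directly instead of producing a CSR (gist steps 3+4)
    # -nodes  : write an unencrypted key, so no passphrase to strip (gist steps 1+2)
    # -addext : the SAN browsers actually match against (requires OpenSSL >= 1.1.1)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:127.0.0.1" \
        >/dev/null 2>&1
    # The private key is only for this machine; keep it readable by you alone.
    chmod 600 "$dir/server.key"
}

# cert_has_san DIR HOSTNAME: succeeds if the certificate's SAN lists HOSTNAME.
cert_has_san() {
    openssl x509 -in "$1/server.crt" -noout -text 2>/dev/null \
        | grep -q "DNS:$2"
}

# cert_self_verifies DIR: succeeds if the certificate validates with itself
# as the trust anchor, which is exactly what trusting it in the keychain does.
cert_self_verifies() {
    openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
}

# key_is_unencrypted DIR: succeeds if the key loads without a passphrase
# (stdin is closed so an encrypted key fails instead of prompting).
key_is_unencrypted() {
    openssl pkey -in "$1/server.key" -noout </dev/null >/dev/null 2>&1
}

# Demo run into a temporary directory (constructed for the example).
demo_dir=$(mktemp -d)
make_dev_cert "$demo_dir" localhost.ssl
openssl x509 -in "$demo_dir/server.crt" -noout -subject -dates
if cert_has_san "$demo_dir" localhost.ssl; then echo "SAN present: ok"; fi
if cert_self_verifies "$demo_dir"; then echo "self-verify: ok"; fi
if key_is_unencrypted "$demo_dir"; then echo "key has no passphrase: ok"; fi
# Equivalent of gist step 6 with the generated files:
echo "puma -b 'ssl://127.0.0.1:3000?key=$demo_dir/server.key&cert=$demo_dir/server.crt'"
```

Step 7 of the gist (trusting the certificate system-wide on macOS) can be scripted rather than done in Keychain Access: `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain server.crt`. The hosts-file entry from step 5 is still required, since the SAN only covers `localhost.ssl` and `127.0.0.1`.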
@etozzato I might be wrong, but your gist looks over-engineered.
yes, it's plausible! 👍
You can generate a trusted localhost cert by using letsencrypt and creating a certificate like localhost.domain.com (or *.localhost.domain.com for wildcards), verify that with a dns challenge, which usually involves creating an _acme_challenge TXT record. Then, once you have passed the challenges and have the cert, point localhost.domain.com to 127.0.0.1.
If you have a multi-tenant app, you can create a wildcard cert also, but you'll have to go through the extra step of manually adding subdomains to localhost.domain.com to /etc/hosts and your config/environments/development.rb (assuming this is a rails app).
In order to run with Rails (version 7):

```sh
bin/rails s -u puma -b 'ssl://127.0.0.1:3000?key=server.key&cert=server.crt&verify_mode=peer&ca=server.crt'
```
There is a fantastic tool called mkcert which eliminates most of the pain of generating self-signed certs and installing them as trusted certs on your machine - https://github.com/FiloSottile/mkcert. Way easier than trying to wrangle OpenSSL commands and APIs.
I would like to recommend this approach as well.
I am no SSL guru, so I had a long battle trying to get local SSL to work on my new computer (it works fine on my older one). At some point I even had subjectively non-deterministic results where my SSL would work for a minute or two and then stop working with no apparent change in anything.
Using the mkcert on my macOS computer via homebrew solved the problem very quickly and easily.
@TheNotary thanks for getting back to me. You'd probably have to spawn a new server using OpenBSD, check out:
https://github.com/basicfeatures/openbsd-rails
Do SSL/TLS termination before Puma, as Puma isn't really suited for this. Check out https://github.com/ErwinM/acts_as_tenant for multiple domains/subdomains, or message me.