Rails 3.2.7 SSL Localhost (no red warnings, no apache config)
# SSL self signed localhost for rails start to finish, no red warnings.
# 1) Create your private key (any password will do, we remove it below)
$ openssl genrsa -des3 -out server.orig.key 2048
# 2) Remove the password
$ openssl rsa -in server.orig.key -out server.key
# 3) Generate the csr (Certificate signing request) (Details are important!)
$ openssl req -new -key server.key -out server.csr
# IMPORTANT
# MUST have localhost.ssl as the common name to keep browsers happy
# (has to do with non internal domain names ... which sadly can be
# avoided with a domain name with a "." in the middle of it somewhere)
Country Name (2 letter code) [AU]:
...
Common Name: localhost.ssl
...
# 4) Generate self signed ssl certificate
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# 5) Finally Add localhost.ssl to your hosts file
$ echo "127.0.0.1 localhost.ssl" | sudo tee -a /private/etc/hosts
# 6) Boot thin
$ thin start --ssl --ssl-verify --ssl-key-file server.key --ssl-cert-file server.crt
# 7) Add server.crt as trusted !!SYSTEM!! (not login) cert in the mac osx keychain
# Open keychain tool, drag .crt file to system, and trust everything.
# Notes:
# 1) HTTPS and HTTP traffic can't be served from the same thin process. If you want
# both, you need to start two instances on different ports.

igalic commented Feb 13, 2013

Step one, create a DES3 encrypted key with a password.
Step two, remove the DES3 encryption from the key
Step three, create a Signing request to no one.
Step four, sign that thing!

All of that can be summarized into one step:
Create a self-signed certificate:

  openssl req -new -newkey rsa:2048 -sha1 -days 365 -nodes -x509 -keyout server.key -out server.crt

req(1ssl) answers what the line does, but I'll put it here for completeness:

req Create a new Request.
-x509 The result of this will be an X.509 certificate, not a Certificate Signing request.
-sha1 Make sure to use SHA1 as this certificate's hashing algorithm. (newer versions of OpenSSL should default to this)
-newkey create a new key.
rsa:2048 the key will be of type RSA, and will be 2048 bits long
-nodes Don't encrypt the key

igalic commented Feb 13, 2013

The other problem with this is that it will not teach you how TLS works, or rather, how it should work, and what you as application programmer need to do in order to get it right:

Client applications should generally reject self signed certificates, and instead validate a chain up to a CA that they trust. This CA can still be created by you, but you'll need to walk the extra kilometer.

Really, it's just a couple of meters:

https://gist.github.com/igalic/4943106 -- The explanation and comments in this Makefile should help with that, or so I like to think.
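As an added example (not the gist's script and not igalic's Makefile), the CA-chain approach igalic describes, written with Ruby's OpenSSL stdlib since the gist targets a Rails app: a constructed local root CA signs a certificate for localhost.ssl, and a client-side check verifies both the chain and the hostname. The CA name and hostname are constructed values.

```ruby
require 'openssl'

# Common X.509 fields; a nil issuer_cert means self-signed. Names are constructed values.
def base_cert(subject, issuer_cert, pubkey, serial, days)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = pubkey
  cert.not_before = Time.now
  cert.not_after = cert.not_before + days * 86_400
  cert
end

def ext_factory(cert, issuer)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer
  ef
end

# Local root CA plus a server certificate it signs; returns [ca_cert, server_cert, server_key].
def build_local_chain(hostname = 'localhost.ssl', days = 365)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = base_cert('/CN=Local Dev CA (constructed)', nil, ca_key.public_key, 1, days)
  ef = ext_factory(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  ca.sign(ca_key, OpenSSL::Digest.new('SHA256'))   # SHA-256, not the one-liner's SHA-1

  key = OpenSSL::PKey::RSA.new(2048)
  cert = base_cert("/CN=#{hostname}", ca, key.public_key, 2, days)
  ef = ext_factory(cert, ca)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth'))
  # Browsers match the hostname against subjectAltName, not the CN, so set both.
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [ca, cert, key]
end

# What a correctly configured client checks: a chain to a trusted CA and a matching hostname.
def trusted_for?(server_cert, ca_cert, hostname)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(server_cert) && OpenSSL::SSL.verify_certificate_identity(server_cert, hostname)
end
```

For thin, `cert.to_pem` and `key.to_pem` are what go into server.crt and server.key, and it is the CA certificate, not the server certificate, that gets trusted in the keychain. Signatures use SHA-256 because browsers no longer accept SHA-1 certificate signatures.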

Thanks for this gist!

I'm interested in doing this all programmatically. I found that I can pass in info for the prompts with the -subj flag. Reference from http://www.codenes.com/blog/?p=300#comment-2068

Here's the command I ended up using:

openssl req -new -newkey rsa:2048 -sha1 -days 365 -nodes -x509 -subj "/C=US/ST=Colorado/L=Colorado Springs/O=SW/CN=localhost.ssl" -keyout server.key -out server.crt

Tons of thanks for this gist. It made my testing easier :)

thanks man a lot!!

rceee commented Jan 20, 2014

I did all the steps in the first outline, but failed at step 6. I got

Listening on 0.0.0.0:3000, CTRL+C to stop /Users/myname/.rvm/gems/ruby-2.0.0-p353/gems/eventmachine-1.0.3/lib/em/connection.rb:411:in `block in start_tls': Could not find server.key for start_tls (EventMachine::FileNotFoundException), etc, etc

rceee, I got the same issue. I suspect it has to do with permissions, but I was not able to fix it with chown unfortunately (could just be my incompetence).

Cool, it was finally the only detailed solution on the web that worked for me.

Ain't there a way to add the thin start --ssl --ssl-verify --ssl-key-file server.key --ssl-cert-file server.crt somewhere in the development.rb file to be able to keep using rails server as a start command?

Thanks

It appears the --ssl-verify option can be removed (it is the default) in later versions of thin (~ 1.6).

rin commented Mar 8, 2015

If you have problems directly importing the certificate into your system keychain, you might have to add it to the login keychain and trust it first, then unlock your system keychain and paste it there.

@trcarden and @igalic, thanks!

msroot commented Mar 19, 2015

thin start --ssl -p 3001 worked for me!

Can you explain more about "echo "127.0.0.1 localhost.ssl" | sudo tee -a /private/etc/hosts" ?

PhilT commented Jun 11, 2015

Hi @wangbourne, it's a way to pipe output into a file that requires sudo privileges. You can't pipe output of a sudo'd command with >. It's basically appending the echo command to the end of the file /private/etc/hosts.

This worked for me (Rails 4.2)

$ thin start --ssl
>> Using rack adapter
>> Thin web server (v1.5.1 codename Straight Razor)
>> Maximum connections set to 1024
>> Listening on 0.0.0.0:3000, CTRL+C to stop