-
-
Save tadast/9932075 to your computer and use it in GitHub Desktop.
| # 1) Create your private key (any password will do, we remove it below) | |
| $ cd ~/.ssh | |
| $ openssl genrsa -des3 -out server.orig.key 2048 | |
| # 2) Remove the password | |
| $ openssl rsa -in server.orig.key -out server.key | |
| # 3) Generate the csr (Certificate signing request) (Details are important!) | |
| $ openssl req -new -key server.key -out server.csr | |
| # IMPORTANT | |
| # MUST have localhost.ssl as the common name to keep browsers happy | |
| # (has to do with non internal domain names ... which sadly can be | |
| # avoided with a domain name with a "." in the middle of it somewhere) | |
| Country Name (2 letter code) [AU]: | |
| ... | |
| Common Name: localhost.ssl | |
| ... | |
| # 4) Generate self signed ssl certificate | |
| $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt | |
| # 5) Finally Add localhost.ssl to your hosts file | |
| $ echo "127.0.0.1 localhost.ssl" | sudo tee -a /private/etc/hosts | |
| # 6) Boot puma | |
| $ puma -b 'ssl://127.0.0.1:3000?key=/Users/tadas/.ssh/server.key&cert=/Users/tadas/.ssh/server.crt' | |
| # 7) Add server.crt as trusted !!SYSTEM!! (not login) cert in the mac osx keychain | |
| # Open keychain tool, drag .crt file to system, and trust everything. | |
| # Notes: | |
| # 1) Https traffic and http traffic can't be served from the same process. If you want | |
| # both you need to start two instances on different ports. | |
| # | |
| # |
@etozzato I might be wrong, but your gist looks over-engineered.
yes, it's plausible! 👍
You can generate a trusted localhost cert by using letsencrypt and creating a certificate like localhost.domain.com (or *.localhost.domain.com for wildcards), verify that with a dns challenge, which usually involves creating an _acme_challenge TXT record. Then, once you have passed the challenges and have the cert, point localhost.domain.com to 127.0.0.1
If you have a multi-tenant app, you can create a wildcard cert also, but you'll have to go through the extra step of manually adding subdomains to localhost.domain.com to/etc/hosts and your config/enviroments/development.rb (assuming this is a rails app)
In order to run with Rails (version 7),
bin/rails s -u puma -b 'ssl://127.0.0.1:3000?key=server.key&cert=server.crt&verify_mode=peer&ca=server.crt'
There is a fantastic tool called mkcert which eliminates most of the pain of generating self signed certs and installing them as trusted certs on your machine - https://github.com/FiloSottile/mkcert. Way easier than trying wrangle OpenSSL commands and APIs.
I would like to recommend this approach as well.
I am no SSL guru, so I had a long battle trying to get local SSL to work a my new computer (it works fine on my older one). At some point I even had subjectively non-deterministic results where my SSL would work for a minute or two and then stop working with no apparent change in anything.
Using the mkcert on my macOS computer via homebrew solved the problem very quickly and easily.
@TheNotary thanks for getting back at me. You'd probably have to spawn a new server using OpenBSD, check out:
https://github.com/basicfeatures/openbsd-rails
Does SSL/TLS termination before Puma as Puma isn't really suited for this. Check out https://github.com/ErwinM/acts_as_tenant for multiple domains/subdomains, or message me.
@etozzato I might be wrong, but your gist looks over-engineered.