Self-signed SSL cert for localhost, how to make trusted - javascript

I have an Owin self-host C# app that provides Web API services over 127.0.0.1:5555 (it only listens on localhost, no external connections).
These Web API services are called using Ajax from an AngularJS app. As an aside: the reason for the Owin app is that certain interaction with the hardware is needed, which is not possible from within a browser. Also, the AngularJS app is for internal use, so I have control over the browsers used.
The above works very well over HTTP, but the Angular JS app needs to use SSL, which does not work unless the Owin app also uses SSL (otherwise you get "Mixed content" errors).
I have bought an official cert for the AngularJS app, and I am using self-signed certs for the Owin localhost stuff.
The problem is that I get "NET::ERR_CERT_AUTHORITY_INVALID" (when testin from Chrome) and "net::ERR_INSECURE_RESPONSE" from the AngularJS app when talking to the Owin Web API.
Here is what I have done, in broad strokes:
I used a CentOS box to generate the cert for localhost and exported it to pkcs12 / pfx format. I also generated a CA cert and exported it the same way.
Using MMC I imported the localhost cert on the Windows 7 machine running the Angular & Owin app into Certificates (Local Computer) > Personal > Certificates.
I also imported the CA cert on the Windows 7 machine into Certificates (Local Computer) > Trusted Root Certification Auhorities > Certificates
Looking at the localhost cert, it says "Issued to: localhost", Issued by: "ca.acme.com", "You have a private key that correpsonds to this certificate", (under Certification Path) "This certificate is Ok"
The CA cert says "Issued to: ca.acme.com", Issued by: "ca.acme.com", "You have a private key that correpsonds to this certificate", (under Certification Path) "This certificate is Ok"
netsh http show sslcert
IP:port : 127.0.0.1:5555
Certificate Hash : 1234555555555555555555511155555555555555
Application ID : {1234a123-1234-1234-1234-123412341234}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
What am I missing? How can I make Chrome, etc. trust the SSL cert for localhost?

I got this working (sufficiently for my current needs, at least).
I copied the localhost cert from "Certificates (Local Computer) > Personal > Certificates" to "Certificates (Current User) > Personal > Certificates". This got rid of the red cross-out of https in Chrome (and the "NET::ERR_CERT_AUTHORITY_INVALID" message) as well as the "net::ERR_INSECURE_RESPONSE" error in AngularJS.
Note that in my case, the localhost cert had to be in both the Local Computer store and in the Current User Store, otherwise the netsh command for binding it to port 5555 (for the Owin app) would fail:
netsh http add sslcert ipport=127.0.0.1:5555 certhash=1234555555555555555555511155555555555555 appid={1234a123-1234-1234-1234-123412341234}
SSL Certificate add failed, Error: 1312, A specified logon session does not exist. It may already have been terminated.
There is still no nice green padlock in Chrome (it now has a yellow little triangle on the pad lock, "The identity of this website has been verified by ca.acme.com but does not have public audit records"), but this does not seem to interfere with the Web API communication, so it should be fine.
If anybody knows of an easy way to make it all green and nice with no warnings, I am still interested, but it is not critical.

On Linux I had to apt-gt install libnss3-tools
With libnss3-tools you get certutil
Now the key-command:
certutil -d sql:$HOME/.pki/nssdb -A -t "CP,CP," -n <your alias> -i <your crt-file to import>
This solve all my problems with Chrome on Raspberry / Linux

Related

Graphql server - Can't access via IP address url (localhost works fine)

I would like to link my Expo(React Native) app to local GraphQL backend,
http://localhost:4000/ <- Works fine
http://192.168.X.X:4000/ <- This doesn't work
I do see the Apollo Studio page, but it comes up with the below message:
Unable to reach server
Network requests from Studio on HTTPS to your HTTP endpoint are not secure,
so we cannot introspect your endpoint.
https://studio.apollographql.com/sandbox/explorer
Apollo Studio has a special exception that allows it to communicate with "localhost" over http, but all other endpoints must be over https.
If you (like me) are running virtual machines on your local machine and need to use Apollo Studio, the only solutions are to make the connection https somehow, or forward a port in your host OS so that you can access it via localhost. How to do THAT depends on your OS.

How to get SSL certificate for homemade webserver

I've created my own webserver using Node.js ans is using it with my DNS from webhost routed to my raspberry pi at home.
How do I prepare the webserver and all the files for getting an SSL certificate using Let'sencrypt?
I've not made any work prior to getting the SSL other than creating the server to run on localhost. Now it's running on a public ip while using my purchased DNS.
I haven't been able to find any litterature other than the off the shelf webservers like apache and such and I really want to run with my own.

JavaScript GetUserMedia using Chrome with localhost without HTTPS

I didn't know how to express it in the title, but I'm having an issue with Chrome.
I'm trying to use GetUserMedia() and GetPosition() in Chrome. I know that it requires SSL certification first, unless you're on localhost. The thing is, I can't try my project on my computer, so I must use my smart phone, and in order to access localhost through my smartphone, I must use the machine's IP address (192.168.1.4). The problem is that Chrome doesn't consider this IP address as localhost, so it requires an SSL certificate.
Is there any way I can test my project on my smartphone without having to install an SSL certififcate?
Add your IP address to Chrome's Insecure origins treated as secure setting.
Go to chrome://flags/#unsafely-treat-insecure-origin-as-secure in Chrome.
Find the Insecure origins treated as secure setting.
Enable it.
Enter in http://cntral.me:3000.
Relaunch Chrome.
Voila!
See https://medium.com/#Carmichaelize/enabling-the-microphone-camera-in-chrome-for-local-unsecure-origins-9c90c3149339 for a good walkthrough as well.
You can use a service like https://ngrok.com/ to map a public DNS address with SSL certificate to a port on your local machine.
I assume you're trying to host a Web service on a computer and access it from a smart phone using the hostname localhost.
Two options come to mind:
First, if your smart phone is rooted, you can change /etc/hosts so that the name localhost resolves to 192.168.1.4 instead of to 127.0.0.1.
Second, if you can run an SSH server on your computer, you can set up an SSH client on your phone to forward traffic on some port to another port on a different machine.
For example, in ConnectBot for Android, you can
create a profile for your computer running an SSH server on 192.168.1.4
long-press the profile, and select "Edit port forwards" and then "Add port forward" from the port forwarding menu
configure it to "Local" and then choose a local source port that can be claimed by a non-root user on your phone (say, 8080) and on the bottom line, use localhost:80 (or whatever port the computer is running the service on) to make the SSH server have the forwarding tunnel direct to itself on port 80
This will cause all traffic directed at localhost:8080 on your phone to go to 192.168.1.4:80 on your computer. The browser has no idea that the localhsot:8080 service is actually just an SSH tunnel to 192.168.1.4:80, so it will treat it like any other localhost address.
You can do this without an SSL certificate at all by tunneling the webserver to your phone's localhost.
I use termux to run this command (on the phone itself):
ssh -L 8080:localhost:8080 192.168.0.172
(Leave the ssh session open)
Then go to http://localhost:8080/ on your phone.
If you don't want the session to time out, you can use autossh:
autossh -M 0 -L 8080:localhost:8080 192.168.0.172
Important note: Your development machine (or dev server) needs to be accessible through ssh. For Linux, this can be done by installing open-ssh and enabling/starting the sshd service. You can look up guides for this online.

How can I establish a secure connection to a websocket on localhost?

We have an application which we run on a POS terminal, that should receive data from an application running on the same machine, while displaying content from a remote site which is loaded over HTTPS.
To receive the data from the local application, we want to use websockets, which is working fine so far. However, when the site we're displaying is loaded over HTTPS, the websocket connection is required to be encrypted as well.
Because we can't really get a proper certificate for localhost, we're just using a self-signed one. But Chrome won't connect to a websocket that uses a self-signed certificate.
How can we resolve this problem? We can't use an unencrypted websocket, we can't use a self-signed certificate for the encrypted one and we can't get a signed certificate for localhost. What option am I missing?
If you have admin privileges on the POS terminals, how about adding a line to the HOSTS file like:
127.0.0.1 localhost.mycompany.com
Now you can use a real certificate for localhost.mycompany.com in the server application.

Node.js on Azure Worker Role w/ SSL results in ERR_SSL_PROTOCOL_ERROR

I have a WorkerRole configured to start node.exe via the Runtime/EntryPoint/ProgramEntryPoint element in the csdef and have a HttpsIn EndPoint configured for https on port 443 w/ a valid certificate. I'm also setting the PORT environment variable in Runtime/Environment which is used by node to listen on for incoming requests.
When I start the service (either in local dev fabric or in Azure) and try to hit the service I get the following error:
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
I have verified that node.exe is indeed started when the service starts, and if I look up the local port in the Compute Emulator, usually something like:
http://localhost:444
I am able to successfully hit node directly with that using my browser. I am also able to hit node through Azure when SSL is not configured.
What am I missing? Thanks!
The issue was that I was using the http module instead of the https module when starting the web server in Node. Works once I started the https server using the ssl certificate.
I was following a guide for SSL w/ Node in a WebRole, which requires a different set up than SSL w/ Node in WorkerRole.

Categories