OS: Lubuntu 20.04 desktop (inside Virtualbox)
What happened
I've been using php -S 0.0.0.0:8080 -t /path/to/app/ to provide a simple web server.
But now I need to test my web app over https, and was hoping to use another simple one-liner.
I came across this article, Create a simple HTTPS server with OPENSSL S_SERVER, and followed the instructions:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
which generated key.pem and cert.pem
openssl s_server -key key.pem -cert cert.pem -accept 4433 -www
which started up with
Using default temp DH parameters
ACCEPT
Pointing the browsers (Chromium 123 and Firefox 125) at https://192.168.2.122:4433/
(and having answered 'take me to the page' in response to the self-signed certificate warning) they show the status page as per -www.
Notable lines:
Secure Renegotiation IS NOT supported
no client certificate available
Added (four times) to the terminal output is:
139808479769920:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46
Replacing -www with -WWW, and regardless of whether I give a file path, I get the same error on the terminal when a browser tries to connect. And on the browser I get:
Error opening ''
140068799104320:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('','r')
140068799104320:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
Web searches for answers
SSL alert number 46. Alert certificate unknown. How to ignore this exceptions?
...this alert is generated by the browser during the TLS handshake: the browser tells the server this way that it will not accept the certificate sent by the server. After this alert is sent the browser will close the connection.
The only way to fix this problem is to use a certificate trusted by the browser. In case of a self-signed certificate this means that you either have to import the certificate into the browser as trusted (in which case Subject Alternative Names in certificate must match the URL) or you add an explicit exception at the warning dialog you get when visiting the site.
There's no warning dialogue that takes care of this, so I can't take that option.
Ramifications of including "localhost" in the subject alternative field of an x509 certificate?
...you cannot know if this is your certificate for localhost or certificate of some other party. Thus, despite valid certificate, you would not know who you are talking to. A consequence is a possibility of man in the middle attack...
So I should not use localhost as a Subject Alternative Name.
These values are called Subject Alternative Names (SANs). Names include: Email addresses, IP addresses, ...
But I can (maybe) use my local ip address.
Which would/might be great if the questions asked at the terminal after issuing the openssl command to create a certificate and key included Subject Alternative Names.
In Let's Encrypt's Certificates for localhost under 'Making and trusting your own certificates', there's a slightly different openssl command (which does contain Subject Alternative Names) to create the certificate. (I still get the same result.) But then it says,
You can then configure your local web server with localhost.crt and localhost.key, and install localhost.crt in your list of locally trusted roots.
Aha, that last part might be the key, so to speak.
A very comprehensive answer to How to make browser trust localhost SSL certificate? shows the use of the command trust anchor path/to/cert.crt.
So, I tried that...
After a restart of Chromium...
With s_server -key localhost.key -cert localhost.crt -www the output still says, "no client certificate available".
And with -WWW, I still get "Error opening '' etc" on the browser. [edited for clarity]
Under the heading 'Trusting certificates in a browser':
"In Chromium, and Firefox you can add (import) certificates to Authorities tab."
I tried importing the certificate in Chromium: "Certificate import error: The Private Key for this Client Certificate is missing or invalid"
The private key is in the same directory as the certificate.
But, in Chromium under 'Other', it's already been imported :) and marked as 'UNTRUSTED' :(
Help!
[Edit] Update:
I managed to get the errors reported by Chromium's Inspect > Security tab down from two (Certificate - Subject Alternative name missing and Certificate - missing) to one by adding -addext "subjectAltName = DNS:localhost" to the openssl req -x509 ... command. The detail of Certificate - missing is net::ERR_CERT_AUTHORITY_INVALID.
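An added example (mine, not from the question or any of the linked answers) of the certificate step the update describes, as a POSIX shell script: it builds the key and certificate non-interactively with SAN entries for both localhost and the question's LAN address 192.168.2.122, reads the SAN back out of the certificate, and checks that the certificate validates against itself as trust anchor, which is what the browser needs once the .crt is imported under Authorities. It assumes openssl 1.1.1 or later (for -addext); the output directory and helper names are my own.

```shell
#!/bin/sh
# Added example: self-signed certificate with the SAN entries a browser checks.
# Assumes openssl >= 1.1.1. The 192.168.2.122 address is the one from the question.
set -e

# make_cert DIR HOSTNAME IPADDR: writes DIR/localhost.key and DIR/localhost.crt.
# -subj answers the terminal questions up front; -addext adds the SAN that the
# interactive prompts never ask for. Both DNS and IP forms go in, so the cert
# matches https://localhost:4433/ and https://192.168.2.122:4433/.
make_cert() {
  dir=$1; host=$2; ip=$3
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$dir/localhost.key" -out "$dir/localhost.crt" \
    -subj "/CN=$host" \
    -addext "subjectAltName = DNS:$host, IP:$ip" \
    -addext "extendedKeyUsage = serverAuth" 2>/dev/null
}

# san_of CERT: prints the SAN line as openssl renders it,
# e.g. "DNS:localhost, IP Address:192.168.2.122".
san_of() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# verify_self CERT: succeeds only when CERT chains to itself as a trusted root,
# i.e. the state a browser is in after the .crt is imported as an authority.
verify_self() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: sh mkcert.sh ./certs
# then:  cd certs && openssl s_server -key localhost.key -cert localhost.crt -accept 4433 -WWW
# Note: with -WWW the URL path is resolved relative to the current directory, so
# request a file such as https://192.168.2.122:4433/index.html; requesting "/"
# makes s_server open the empty filename, which is the fopen('') error seen above.
if [ -n "${1:-}" ]; then
  mkdir -p "$1"
  make_cert "$1" localhost 192.168.2.122
  san_of "$1/localhost.crt"
  verify_self "$1/localhost.crt" && echo "self-verify: OK"
fi
```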