I want to test building Progressive Web Apps and know this requires SSL. I am able to test onlocalhost (using npm http_server) but would like to test from other machines on the same local network and some mobile devices, so I need https and an SSL certificate.
I have tried using XAMPP on a windows machine, and made a certificate using makecert, but even though I installed it on Chrome on another machine, it didn't work.
Any ideas how I can achieve this ie run web server of some kind on one Windows 10 machine, host the pages using SSL and browse from another and mobile devices?
Do I have to use 3rd party certs, and would these work on a local machine (eg by local IP) rather than a domain name?
Bit confused!
Related
I'm trying to communicate a web application with a desktop application and I'm trying websockets.
The desktop application will be the websocket server, and the web application is the client.
Customers will have to download the desktop app (available for Mac, Windows and Linux) and install in their own computer. The desktop application is just a 'print server' to print POS tickets directly, without browser's confirmation, open cash drawer, etc.
So, the websocket client will connect to wss://127.0.0.1 (own user desktop).
Ok, the application is working perfectly with a self signed SSL certificate, but... Is it enough for production?
I mean... What type of certificate do I need for this? Can I buy a SSL certificate for the 127.0.0.1 address?
Can I use a free self-signed certificate? Do browsers accept it?
I have developed the server desktop application for Mac, Windows and Linux (and the web app for the client side) and just need a proper certificate to release the service!
My software is intended to run on a Raspberry Pi.
After installing my software, a user can navigate to the webpage hosted by my software running on their Raspberry Pi from any device on their LAN.
I want my users to not have to worry about generating SSL certificates and such. Just install my software on their Raspberry Pi and navigate to the dashboard.
I can make my software automatically generate a self signed SSL certificate on the first run, but the users get warnings about self signed certificates in their browser and the site shows as insecure.
If I make my software use http instead, then chrome won't store cookies from the site so the users login doesn't last longer than one refresh.
I obviously can't distribute a CA signed certificate with my application since:
Anyone can get hold of this, so it won't be secure
It wouldn't work anyway since different users will have their Raspberry Pi on different IPs and hostnames
Is there any solution to be able to use secure HTTPS in this situation without getting warnings from browsers?
It's debatable whether this is a development question or not (it clearly isn't programming); personally I would say yes. However, it is certainly more topical in other Stacks where it has been discussed extensively e.g.:
https://serverfault.com/questions/1060268/ssl-for-devices-in-local-network
https://serverfault.com/questions/906015/how-to-setup-ssl-certs-for-a-lan-web-app-server
https://serverfault.com/questions/964119/enable-https-on-a-private-network
https://serverfault.com/questions/573528/ssl-tls-cert-get-alternative-name-to-work-with-lan-ip
https://serverfault.com/questions/447753/ssl-certificate-for-local-web-server
https://serverfault.com/questions/833178/ssl-with-no-warning-for-local-ips
https://serverfault.com/questions/1018020/distributing-ssl-certificates-to-all-browsers-in-an-active-directory-environment
(some focussed on Windows and especially AD though)
and:
https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network
https://security.stackexchange.com/questions/227020/is-https-required-for-local-network-server-to-server-communication
https://security.stackexchange.com/questions/251308/do-i-need-to-create-ssl-for-https-over-a-local-network
https://security.stackexchange.com/questions/103524/lets-encrypt-for-intranet-websites
https://security.stackexchange.com/questions/124235/deploy-intranet-application-with-ssl-certificate
I did find a few here, though, from years ago when topicality was wider:
HTTPS over intranet, what is the correct way of doing it
Are certificates useful for intranet SSL?
Do I need a SSL Certificate for an Intranet application
I'm trying to develop a A-frame-based VR experience.
I can test it on my mac via http://localhost but can't do the same using mobile phone or VR headset via http://192.168.1.123.
The problem is that those browsers demand that the page is served over HTTPS rather than HTTP, otherwise it denies access to the device motion sensor, making testing impossible.
Using the following instructions, I managed to successfully have my VR web page served over with a valid certificate.
https://www.freecodecamp.org/news/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec/
https://github.com/mattdesl/budo/blob/master/docs/command-line-usage.md#ssl-and-https
But, that is not enough, mobile device and headset access the page over a local-wifi IP like 192.168.1.123 rather than localhost and the ssl certificate doesn't seem to work for those, even if i replace localhost by the correct IP when generating the domain key & certificates.
i guess each device browser would need to have its trusted store updated or something...
Would be curious to know how people solved their problem in their a-frame local development and testing flow.
Partial answer -- for Oculus Quest or Go browser development at least.
You can use the Chrome remote device debugging tools:
https://developer.oculus.com/documentation/oculus-browser/browser-remote-debugging/
Then setup port forwarding for the remote device:
https://developers.google.com/web/tools/chrome-devtools/remote-debugging/local-server
This method allows you to sidestep the whole certificate thing since you can still use localhost:port to which the browser grants appropriate device permissions.
Since you can't use IP numbers, you want to include your local domain name into the certificate, like this:
https://stackoverflow.com/a/10176685/573216
Worked for me in a similar context.
Having an issue with my SSL certificate. Often it seems to work fine, but sometimes the user's browser throws up a warning that it is not trusted.
I know very little about SSL certificates, but here is some information that may or may not be relevant:
URL: demo.EnterpriseJazz.com
It is a wild card certificate because
the application uses subdomains (one subdomain per registered organization Example: BobsLawnCare.EnterpriseJazz.com)
The certificate was cheap for a wild card certificate, I paid around $50 for it if I remember correctly. I believe I got it from a cheap re-seller.
The server is located in my house on a Verizon FIOS business internet connection. It is not in a data center.
Seems to work fine with:
Safari on my new Macbook Pro
Chrome on my new Macbook Pro
Firefox on my windows machine
Microsoft Edge on my windows machine
Internet Explorer on my windows machine
Opera on my windows machine
Firefox on my Linux machine (CentOS)
Not trusted with:
Chrome on my iPhone 6s
Safari on my iPhone 6s (screen shots below)
Have a look at the SSLLabs report for this site. Apart from a shockingly insecure setup you will notice:
This server's certificate chain is incomplete.
This means that the client has not enough information to build the trust path to the root certificate and thus can not accept the certificate as trusted.
However a desktop browser will attempt to work around such setup problems by trying to fill in the missing chain certificates, i.e. downloading these from the web or using cached certificates from earlier connections to other clients. But apart from the desktop browsers most other clients will not do it and thus fail.
I had the exact same issue.
After futzing with every nook and cranny of my SSL and http setups, I finally realized "How silly I was to not check the URL first!"
My browser had been connecting to the regular non-trusted site (http://example.com) and I had blindly assumed that the broken lock icon meant something was wrong with my cert installation. Duh!
Modern browsers hiding the actual protocol letters behind a pretty icon or user-friendly message that conflates two issues into one - that didn't help.
My suggestion would be to first make sure you're hitting the https version of your site. If not, your first step to the solution is to create an automatic redirect of all http to https.
I hope getting to this post first helps at least 1% of those who had this problem. I'm in that 1%
I am currently on a mac using the pre-installed Apache server.
Now I need to cross-browser test some websites, and therefore I need to access my pages on some other computers. How can I make my localhost-sites accessible for other computers on my WiFi (without uploading to another server)?
Thanks in advance.
Apache server's default configuration should allow other computers (even ones not on your local network) to access whatever it's serving up.
You can access your server from another machine by using the IP address of your server. You can find the IP address of your server by finding a console (this works in Windows and Mac machines) and typing in "ipconfig". (For linux machines, it's "ifconfig".)