Chromecast self-signed SSL certificate - ssl

I have some problems with Chromecast and a self-signed SSL certificate. I tried to implement my own receiver and registered my URL on the Google Cast Developer Console.
The Chromecast sender application tries to start and then I get some errors.
Does anyone know if Chromecast works with self-signed certificates?

It won't work with self-signed certs. For development, you can consider using App Engine or Google Drive since both have valid certs.
Update: Google Drive is no longer an option.

You only need to worry about certs if your app is ready to publish. During development you can work over HTTP. From https://developers.google.com/cast/docs/registration
"Enter a URL that the Google Cast device should request when loading your receiver app. During development the URL can use HTTP but when the app is published it has to use HTTPS. The URL may be for an HTML page or other file type accessible from a web browser. It's okay for your receiver to be on an internal (NAT-registered) IP address, but not on localhost, as it is rarely a top level domain. Although the receiver app must be served over SSL (HTTPS) when published, the content loaded on the receiver app may be served over HTTP."

Related

How to use firebase messaging without valid SSL certificate

I'm using Google Firebase Messaging for push notifications on my website.
My website doesn't have a domain. It's using HTTPS with a self-signed certificate.
As I realized, a service worker needs HTTPS with a valid SSL certificate, which isn't available for sites without a domain.
In some other push notification services there is an option for HTTP websites: it opens a new window on a subdomain and notifications are received from there.
Is there any free option on any site that provides such a feature?
or
Is there another option for me to get past the invalid SSL error when enabling the service worker?
BTW: I'm aware of the browser flags for allowing self-signed certificates. I'm not going to use that because I have some users now.
My frontend is an Angular CLI app running with nginx on an Ubuntu server.

Separate SSL Certificates for Web Application and API

I have a data collection / reporting web application hosted on an AWS Lightsail instance with Ubuntu 18.04 OS and Apache2. I use a Let's Encrypt SSL certificate on the site. This all works fine.
I also have an embedded device which uploads data to the website via an API. The embedded device is currently not operating on SSL, but I need to change this. The embedded device can communicate on SSL but it's not easily updatable in the field. My concern is that the CA certificate that is embedded into the device cannot be updated, and so using the same Let's Encrypt certificate means that a change in the Let's Encrypt certificate will render the remote embedded device unable to connect to the server.
The common solution to this problem is a self-signed certificate over which I have total control, and yes this would fix the problem, but it would create another problem. If I use a self-signed certificate, then any user connecting to the site to view data from their PC would get an Untrusted Certificate warning in their browser, which is not acceptable.
So, to fix this, ideally I would have my web app protected by Let's Encrypt, but the API protected by a separate self-signed certificate. However, both web app and API need to be on the same domain. Also they should ideally both be on the same standard 443 HTTPS port.
Is there a way to setup the web app and API to serve different SSL certificates?

Where would be the best place to host my simple Flask API?

I have a Flask API which has no database but just a JSON file that stores the data. At the moment I have put it on an EC2 instance and opened a port so someone can put in the IP address and port and have access to the API that way. The problem with this is that I get a mixed content error since the site that uses it is HTTPS and the API is HTTP. I want to put the API behind HTTPS on a proper platform but I'm not sure where to start.
Is there a platform where I can host the API Python file and the JSON file behind HTTPS?
All of them? EC2 allows HTTPS (per #tawfikboujeh's comment). I don't actually know a hosting platform that would allow HTTP but not HTTPS.
There are some options in how you accomplish this:
1. Use a self-signed certificate. This will give you HTTPS, but all the modern browsers will give a nasty warning to all your visitors.
2. Purchase a signed certificate for your IP address from a CA. Just hope you don't have to change your IP address.
3. Purchase a domain and use Let's Encrypt to generate a signed certificate for you.
Option 3 would be the most robust solution, but it does carry the cost of a domain (maybe $10/year).
Google App Engine is perfect for this. SSL cert is free, and you would be in their free tier.
https://cloud.google.com/free

Need free ssl certificate because google chrome doesn't support webcam without https

The new version of Google Chrome doesn't allow using the webcam without HTTPS:
"getUserMedia() no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."
So I need a free SSL certificate (or a cheap SSL certificate) for my web application. OpenSSL doesn't suit me because browsers display a warning message when the SSL certificate is self-signed.
An idea ?
Thank you in advance.
Use https://letsencrypt.org/ to get a free, valid SSL certificate recognized by your mobile phone and by your web browser.
I use cloudflare.com Origin Certificate. It is pretty good.

Does Chromecast come with a certificate bundle allowing simple webserver authentication/verification?

As I need to restrict webserver content to Chromecast devices, I was hoping that Chromecast devices have a certificate bundle which can be used for authentication. The Chromecast documentation does not really state anything with regard to certificates.
So, my question is: does Chromecast come with a certificate bundle allowing the webserver to verify the client? iOS devices have such a private/public certificate bundle, allowing client verification/authentication using the public iOS certificate (.pem file).
The following snippet is part of an Apache server configuration; I was hoping to extend this with Chromecast.
<Location /ios-hls-key>
HLSEncryptHostCipherKey true
HLSFmsDirPath ".."
HLSEncryptKeyRepository "../media"
SSLVerifyClient require
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "iPhoneOS Device Certificate"
</Location>
Does anybody know, or have any other ideas on, how to limit webserver content to only Chromecast devices?
The answer to the first part of the question is yes. Chromecast uses a PKI to secure communication.
When a Chromecast receiver app makes a secure HTTP request (HTTPS/TLS), it is encrypted with a Chromecast-specific private key certificate (which leads to Google). A server can use Google's public key to decrypt the message and also extract information from the certificate if needed. This also means that you may not want to terminate the TLS on a load balancer and instead need the app server to do that. The app server can store Google's public key and use it to decrypt it. There is a document which gives the details on how to decrypt and parse the certificate and what it has. I think if you have a developer account, you can get it.
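Two of the threads above turn on the same trust decision seen from opposite ends. The Lightsail question needs a client (the embedded device) that trusts one issuing CA so that renewing the server's leaf certificate does not break it, while a self-signed server certificate is exactly what that client, and every browser, rejects. The Chromecast thread wants a server that accepts only a client holding a certificate from a particular issuer with a particular subject CN, which is what the SSLVerifyClient require and SSLRequire lines in the Apache snippet configure. The Go program below is an added example written for this page; it is not code from either thread, from Google, or from Apache, and it makes no claim about what certificates a real Chromecast presents. It builds a private CA and leaf certificates in memory and runs a mutual-TLS handshake over loopback; the names (Device CA, Cast Device, api, localhost) are invented for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn. parent == nil means self-signed: a private root when
// isCA, otherwise the bare self-signed leaf browsers warn about. Demo only: panics on failure.
func issue(cn string, isCA bool, parent *tls.Certificate) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail on supported platforms
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; use a random serial in production
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"localhost"}, // SAN checked by the loopback client below
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: der was produced just above
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// mtlsHandshake runs one TLS connection over loopback. The client pins ca as its
// only root (like a device with a baked-in CA). The server demands a client cert
// issued by ca and, like the Apache SSLRequire line, accepts only subject CN wantCN;
// client == nil sends none. A nil result means both sides accepted each other.
func mtlsHandshake(ca, server, client *tls.Certificate, wantCN string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{*server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, // no cert, or one not chaining to ClientCAs: handshake fails
		// Runs after the chain verified against ClientCAs: pin the identity as well.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if len(chains) == 0 || chains[0][0].Subject.CommonName != wantCN {
				return errors.New("client certificate CN not allowed")
			}
			return nil
		}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			_, err = conn.Write([]byte("ok")) // Write runs the handshake first; "ok" goes out only if it passed
			conn.Close()
		}
		srvErr <- err
	}()
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if client != nil {
		cliCfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err // e.g. a self-signed server cert: "certificate signed by unknown authority"
	}
	defer conn.Close()
	_, err = conn.Read(make([]byte, 2)) // "ok" arrives only if the server accepted us
	// TLS 1.3 sends the client cert last, so Dial can succeed before the server rejects it; its verdict is authoritative.
	if serr := <-srvErr; serr != nil {
		return serr
	}
	return err
}

func main() {
	ca := issue("Device CA", true, nil)
	device := issue("Cast Device", false, ca)
	fmt.Println("CA-issued server cert, device cert:", mtlsHandshake(ca, issue("api", false, ca), device, "Cast Device"))
	fmt.Println("self-signed server cert:           ", mtlsHandshake(ca, issue("api", false, nil), device, "Cast Device"))
	fmt.Println("no client cert at all:             ", mtlsHandshake(ca, issue("api", false, ca), nil, "Cast Device"))
}
```

Running it prints <nil> for the first line, an x509 unknown-authority error for the self-signed server certificate (the client pins the CA, so only certificates chaining to it are accepted; a freshly issued replacement leaf from the same CA passes without any change on the client, which is the property the Lightsail question is after), and a server-side "didn't provide a certificate" error for the third. The server check has two layers, mirroring the Apache snippet: RequireAndVerifyClientCert rejects any client whose certificate does not chain to ClientCAs, and VerifyPeerCertificate then pins the subject CN. Note the TLS 1.3 detail handled in the code: because the client's certificate is the last thing sent, the client's Dial can succeed before the server has rejected it, so the server's result, not the client's, decides.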