I had this working some many months ago, but now I can't get it to work.
Really annoying. The entire process is so arcane...

My HTTP server starts like this:

    Teapot stopAll.
    Teapot on
        Get: blah blah blah

Then I visit http://localhost:1701/.

I created a self-signed cert called newcert.pem. My HTTPS server starts like this:

    Teapot stopAll.
    secureServer := (ZnSecureServer on: 1443)
        certificate: '/home/richard/newcert.pem';
        logToTranscript;
        start;
        yourself.
    teapot := Teapot configure: { #znServer -> secureServer }.
    teapot
        Get: blah blah blah

When I visit https://localhost/, I get "Unable to connect". I tried localhost:1701, localhost:1443, just about every damn port number I can think of. No joy.

So what the devil am I doing wrong???

-- Sent from: http://forum.world.st/Pharo-Smalltalk-Users-f1310670.html
> On 20 Dec 2018, at 22:09, horrido <[hidden email]> wrote:
>
> I had this working some many months ago, but now I can't get it to work.
> Really annoying. The entire process is so arcane...
>
> My HTTP server starts like this:
>
> Teapot stopAll.
> Teapot on
>     Get: blah blah blah
>
> Then I visit http://localhost:1701/.
>
> I created a self-signed cert called newcert.pem. My HTTPS server starts like
> this:
>
> Teapot stopAll.
> secureServer := (ZnSecureServer on: 1443)
>     certificate: '/home/richard/newcert.pem';
>     logToTranscript;
>     start;
>     yourself.
> teapot := Teapot configure: { #znServer -> secureServer }.
> teapot
>     Get: blah blah blah
>
> When I visit https://localhost/, I get "Unable to connect". I tried
> localhost:1701, localhost:1443, just about every damn port number I can
> think of. No joy.
>
> So what the devil am I doing wrong???

First, this only works for Linux (as far as I know, have experienced, others have reported differently).

Second, a self-signed certificate is considered insecure (more so nowadays), so you will have to force your browser to continue through lots of scary warnings.

I just tried in Ubuntu 18.04.O1 LTS 64-bit, using Pharo 7 and FireFox, and it worked.

As an aside, I would not do stuff like this, SSL is no joke, it is serious business: a certificate means something for real. This is not something you slam on for fun in a demo. In production systems, it is much better to put nginx or something like that in front of your app to add high quality ssl (with infinitely more documentation, options, users, experience, etc ...), but even there a quick and dirty self signed certificate won't get you very far.

Sven
> On 21 Dec 2018, at 12:00, Sven Van Caekenberghe <[hidden email]> wrote:
>
> I just tried in Ubuntu 18.04.O1 LTS 64-bit, using Pharo 7 and FireFox, and it worked.

BTW, I made my certificate like this (on macOS):

    prometheus:tmp sven$ mkdir ssl
    prometheus:tmp sven$ cd ssl
    prometheus:ssl sven$ openssl genrsa -out privkey.pem 1024
    Generating RSA private key, 1024 bit long modulus
    ......................................++++++
    ......++++++
    e is 65537 (0x10001)
    prometheus:ssl sven$ openssl req -new -key privkey.pem -out certreq.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:BE
    State or Province Name (full name) []:
    Locality Name (eg, city) []:Hasselt
    Organization Name (eg, company) []:Beta Nine
    Organizational Unit Name (eg, section) []:
    Common Name (eg, fully qualified host name) []:Sven Van Caekenberghe
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    prometheus:ssl sven$ openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.pem -out newcert.pem
    Signature ok
    subject=/C=BE/L=Hasselt/O=Beta Nine/CN=Sven Van Caekenberghe
    Getting Private key
    prometheus:ssl sven$ ( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem
    prometheus:ssl sven$ ls
    certreq.csr  newcert.pem  privkey.pem  server.pem
    prometheus:ssl sven$ ls -la server.pem
    -rw-r--r--  1 sven  staff  1681 Dec 21 11:28 server.pem
    prometheus:ssl sven$ pwd
    /Users/sven/tmp/ssl
    prometheus:ssl sven$
    Display all 2771 possibilities? (y or n)
    prometheus:ssl sven$ ls
    certreq.csr  newcert.pem  privkey.pem  server.pem
In reply to this post by Sven Van Caekenberghe-2
Okay, I will dispense with the self-signed certificate and purchase a commercial one, say, from Comodo (PositiveSSL).

I presume once I get it, the code below will work correctly (?). If not, I'll be back.

Sven Van Caekenberghe-2 wrote
>> On 20 Dec 2018, at 22:09, horrido <horrido.hobbies@> wrote:
>>
>> I had this working some many months ago, but now I can't get it to work.
>> Really annoying. The entire process is so arcane...
>>
>> My HTTP server starts like this:
>>
>> Teapot stopAll.
>> Teapot on
>>     Get: blah blah blah
>>
>> Then I visit http://localhost:1701/.
>>
>> I created a self-signed cert called newcert.pem. My HTTPS server starts
>> like this:
>>
>> Teapot stopAll.
>> secureServer := (ZnSecureServer on: 1443)
>>     certificate: '/home/richard/newcert.pem';
>>     logToTranscript;
>>     start;
>>     yourself.
>> teapot := Teapot configure: { #znServer -> secureServer }.
>> teapot
>>     Get: blah blah blah
>>
>> When I visit https://localhost/, I get "Unable to connect". I tried
>> localhost:1701, localhost:1443, just about every damn port number I can
>> think of. No joy.
>>
>> So what the devil am I doing wrong???
>
> First, this only works for Linux (as far as I know, have experienced,
> others have reported differently).
>
> Second, a self-signed certificate is considered insecure (more so
> nowadays), so you will have to force your browser to continue through lots
> of scary warnings.
>
> I just tried in Ubuntu 18.04.O1 LTS 64-bit, using Pharo 7 and FireFox, and
> it worked.
>
> As an aside, I would not do stuff like this, SSL is no joke, it is serious
> business: a certificate means something for real. This is not something
> you slam on for fun in a demo. In production systems, it is much better to
> put nginx or something like that in front of your app to add high quality
> ssl (with infinitely more documentation, options, users, experience, etc
> ...), but even there a quick and dirty self signed certificate won't get
> you very far.
>
> Sven
> On 21 Dec 2018, at 21:42, horrido <[hidden email]> wrote:
>
> Okay, I will dispense with the self-signed certificate and purchase a
> commercial one, say, from Comodo (PositiveSSL).

But you cannot buy a certificate for localhost, only for a real domain name (that you host for real).

> I presume once I get it, the code below will work correctly (?). If not,
> I'll be back.

Linux only, I would say.

If you want to deploy for real, in some form of production, put nginx in front of pharo (as a proxy). That will work infinitely better and easier.
In reply to this post by horrido
On Sat, 22 Dec 2018 at 04:42, horrido <[hidden email]> wrote:
> Okay, I will dispense with the self-signed certificate and purchase a
> commercial one, say, from Comodo (PositiveSSL).

My web host uses "Lets Encrypt"
https://www.dreamhost.com/hosting/ssl-tls-certificates/

I haven't looked into it deeply, but I've had no trouble with it.

cheers -ben
In reply to this post by horrido
On Fri, Dec 21, 2018 at 02:42:04PM -0600, horrido wrote:
> Okay, I will dispense with the self-signed certificate and purchase a
> commercial one, say, from Comodo (PositiveSSL).

Use Let's Encrypt-issued certificates, available without charge. Let's Encrypt's CA certificate is built-in trusted by all the major web browsers, meaning no action is required on the part of the web browser user when visiting a site over HTTPS with certificate issued by Let's Encrypt.

Use Caddy as reverse proxy for your webapp. Caddy has transparent integration with Let's Encrypt: it generates/saves crypto keys, performs the Let's Encrypt protocol dances to request for and renew Let's Encrypt certificates, meaning no action is required on the part of the web site/app administrator after setting it up.

Use Docker, which makes it easy to set up Caddy and your Pharo webapp.

See my recent blog post:

https://www.samadhiweb.com/blog/2018.12.09.https.html

Pierce
> On 22 Dec 2018, at 03:59, Pierce Ng <[hidden email]> wrote:
>
> See my recent blog post:
>
> https://www.samadhiweb.com/blog/2018.12.09.https.html

Wow, very well done, very well written, thank you.
In reply to this post by Ben Coman
I've had tons of trouble trying to get Letsencrypt working. It was so frustrating that I decided to go with PositiveSSL from Comodo. It only cost me US$15.76 for two years, so I don't care about price.

Letsencrypt's setup procedure is extremely arcane. For a noob like myself, this is not good.

Moreover, it's a PITA to have to manually renew every three months. PositiveSSL removes all obstacles in one fell swoop.

I'm using nginx as a reverse proxy. Again, as a total noob, I used the minimum, simplest configuration.

I need help with one issue, though. Do I need to enable SSL in Pharo? After proxy pass, I only get HTTP.

Here's my reverse-proxy.conf:

    server {
        listen 80;
        location / {
            proxy_pass http://192.99.58.29:1701;
        }
    }

    server {
        listen 443;

        ssl_certificate /etc/nginx/cert_chain.crt;
        ssl_certificate_key /etc/nginx/cert.key;
        ssl on;

        location / {
            proxy_pass http://192.99.58.29:1701;
        }
    }

BTW, if you're curious about how my website looks, visit https://teams.jrmpc.ca

It's still a work in progress. Things will undoubtedly change.
Why does the forum editor add those stupid anchor tags without permission???
In reply to this post by horrido
> On 22 Dec 2018, at 16:52, horrido <[hidden email]> wrote:
>
> I need help with one issue, though. Do I need to enable SSL in Pharo?

No

> After proxy pass, I only get HTTP.

That is the idea: the browser talks HTTPS to nginx which proxies to pharo in HTTP.
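Added example (not part of any post in this thread): the arrangement described in the reply above, browser to nginx over HTTPS and nginx to Pharo over HTTP, written as an nginx configuration in which port 80 redirects to HTTPS instead of proxying, so a sign-in form is never submitted in clear text. The certificate paths, host name and port 1701 are taken from the posts above; the 127.0.0.1 upstream (Pharo running on the same machine as nginx), the protocol list and the forwarded headers are assumptions.

```nginx
# Added example, not the poster's configuration.
# Assumption: nginx and the Pharo image run on the same machine and the
# Teapot/Zinc server listens on 127.0.0.1:1701.

# Port 80: do not proxy to the application here. Redirect every request to
# HTTPS so credentials are only ever sent over the encrypted listener.
server {
    listen 80;
    server_name teams.jrmpc.ca;
    return 301 https://$host$request_uri;
}

# Port 443: nginx terminates TLS and speaks plain HTTP to Pharo.
server {
    listen 443 ssl;                # current form of the older "ssl on;"
    server_name teams.jrmpc.ca;

    ssl_certificate     /etc/nginx/cert_chain.crt;  # server cert, then CA chain
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_protocols       TLSv1.2 TLSv1.3;            # TLSv1.3 needs nginx >= 1.13.0

    # Ask browsers to use HTTPS for this host on later visits.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Loopback upstream (assumption): the unencrypted hop between nginx
        # and Pharo never leaves this host.
        proxy_pass http://127.0.0.1:1701;

        # Pass the original request details on to the application.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Running `nginx -t` checks the file before a reload. The TLS protection ends at nginx, so port 1701 should be bound to loopback or firewalled so that the application is reachable only through the proxy.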
In reply to this post by horrido
On Sat, 22 Dec 2018 at 23:57, horrido <[hidden email]> wrote:
> Why does the forum editor add those stupid anchor tags without permission???

I'm not clear what you are referring to. Which anchor tags?

cheers -ben
In reply to this post by Sven Van Caekenberghe-2
So you're saying that when users sign in with their passwords or otherwise enter sensitive data, they're protected by SSL, even though the web application is still operating through HTTP?
In reply to this post by Ben Coman
I noticed this in my post...

    *server {
        listen 80;
        location / {
            proxy_pass <a href="http://192.99.58.29:1701;">http://192.99.58.29:1701;
        }
    }

    server {
        listen 443;

        ssl_certificate /etc/nginx/cert_chain.crt;
        ssl_certificate_key /etc/nginx/cert.key;
        ssl on;

        location / {
            proxy_pass <<a href="http://192.99.58.29:1701;">http://192.99.58.29:1701;> <a href="http://192.99.58.29:1701;">http://192.99.58.29:1701;
        }
    }*

    <<a href="http://192.99.58.29:1701;">http://192.99.58.29:1701;>
In reply to this post by horrido
Ignore this message. I got confused by my web browser. Everything is A-okay.
In reply to this post by Pierce Ng-3
Hi,

On 21/12/18 21:59, Pierce Ng wrote:
> See my recent blog post:
>
> https://www.samadhiweb.com/blog/2018.12.09.https.html

In your setup, you talk about SmallCMS1 as a blog engine that runs on Pharo 6 and seems kind of integrated with Fossil. Brea [1] (in early stages now), pursues similar goals. Do you have any link to SmallCMS1?

[1] https://mutabit.com/repos.fossil/brea/

Thanks,

Offray
On Sat, Dec 22, 2018 at 02:07:06PM -0500, Offray Vladimir Luna Cárdenas wrote:
> In your setup, you talk about SmallCMS1 as a blog engine that runs on
> Pharo 6 and seems kind of integrated with Fossil. Brea [1] (in early
> stages now), pursuits similar goals. Do you have any link to SmallCMS1?

Hi Offray,

I wrote SmallCMS1 as a programming exercise. Its code is like a ball of wax and I have no plan to release it.

It's not particularly integrated to Fossil per se. SmallCMS1 serves content from an open Fossil repo. The repo has a push-hook defined and there is a Fossil server running for that repo. When I 'fossil push' from my laptop to the server, the push-hook is triggered to update the repo, and the new content is transparently served by SmallCMS1. The mechanism is conceptually similar to Git push hooks on which much has been written.

I blogged about the pre-Docker setup.

https://www.samadhiweb.com/blog/2016.08.12.fossil.html

I'm not satisfied with the way the Fossil thing is done for several reasons, but hey it works for me on my computers. :-)

> [1] https://mutabit.com/repos.fossil/brea/

Good stuff!

Pierce