Teapot and SSL


Teapot and SSL

horrido
I had this working some many months ago, but now I can't get it to work.
Really annoying. The entire process is so arcane...

My HTTP server starts like this:

Teapot stopAll.
Teapot on
   Get: blah blah blah

Then I visit http://localhost:1701/.

I created a self-signed cert called newcert.pem. My HTTPS server starts like
this:

Teapot stopAll.
secureServer := (ZnSecureServer on: 1443)
   certificate: '/home/richard/newcert.pem';
   logToTranscript;
   start;
   yourself.
teapot := Teapot configure: { #znServer -> secureServer }.
teapot
   Get: blah blah blah

When I visit https://localhost/, I get "Unable to connect". I tried
localhost:1701, localhost:1443, just about every damn port number I can
think of. No joy.

So what the devil am I doing wrong???



--
Sent from: http://forum.world.st/Pharo-Smalltalk-Users-f1310670.html


Re: Teapot and SSL

Sven Van Caekenberghe-2


> On 20 Dec 2018, at 22:09, horrido <[hidden email]> wrote:
>
> I had this working some many months ago, but now I can't get it to work.
> Really annoying. The entire process is so arcane...
>
> My HTTP server starts like this:
>
> Teapot stopAll.
> Teapot on
>   Get: blah blah blah
>
> Then I visit http://localhost:1701/.
>
> I created a self-signed cert called newcert.pem. My HTTPS server starts like
> this:
>
> Teapot stopAll.
> secureServer := (ZnSecureServer on: 1443)
>   certificate: '/home/richard/newcert.pem';
>   logToTranscript;
>   start;
>   yourself.
> teapot := Teapot configure: { #znServer -> secureServer }.
> teapot
>   Get: blah blah blah
>
> When I visit https://localhost/, I get "Unable to connect". I tried
> localhost:1701, localhost:1443, just about every damn port number I can
> think of. No joy.
>
> So what the devil am I doing wrong???

First, this only works for Linux (as far as I know, have experienced, others have reported differently).

Second, a self-signed certificate is considered insecure (more so nowadays), so you will have to force your browser to continue through lots of scary warnings.

I just tried in Ubuntu 18.04.O1 LTS 64-bit, using Pharo 7 and Firefox, and it worked.

As an aside, I would not do stuff like this, SSL is no joke, it is serious business: a certificate means something for real. This is not something you slam on for fun in a demo. In production systems, it is much better to put nginx or something like that in front of your app to add high quality ssl (with infinitely more documentation, options, users, experience, etc ...), but even there a quick and dirty self signed certificate won't get you very far.

Sven






Re: Teapot and SSL

Sven Van Caekenberghe-2


> On 21 Dec 2018, at 12:00, Sven Van Caekenberghe <[hidden email]> wrote:
>
> I just tried in Ubuntu 18.04.O1 LTS 64-bit, using Pharo 7 and FireFox, and it worked.

BTW, I made my certificate like this (on macOS):

prometheus:tmp sven$ mkdir ssl
prometheus:tmp sven$ cd ssl
prometheus:ssl sven$ openssl genrsa -out privkey.pem 1024
Generating RSA private key, 1024 bit long modulus
......................................++++++
......++++++
e is 65537 (0x10001)
prometheus:ssl sven$ openssl req -new -key privkey.pem -out certreq.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:BE
State or Province Name (full name) []:
Locality Name (eg, city) []:Hasselt
Organization Name (eg, company) []:Beta Nine
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:Sven Van Caekenberghe
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
prometheus:ssl sven$ openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.pem -out newcert.pem
Signature ok
subject=/C=BE/L=Hasselt/O=Beta Nine/CN=Sven Van Caekenberghe
Getting Private key
prometheus:ssl sven$ ( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem
prometheus:ssl sven$ ls
certreq.csr newcert.pem privkey.pem server.pem
prometheus:ssl sven$ ls -la server.pem
-rw-r--r--  1 sven  staff  1681 Dec 21 11:28 server.pem
prometheus:ssl sven$ pwd
/Users/sven/tmp/ssl
prometheus:ssl sven$
Display all 2771 possibilities? (y or n)
prometheus:ssl sven$ ls
certreq.csr newcert.pem privkey.pem server.pem
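An added example, not Sven's own session: a POSIX shell script that performs the same steps for a localhost test certificate and then checks the result. It differs from the transcript in two ways worth knowing: it uses a 2048-bit key (the transcript's 1024 bits is below the minimum current TLS guidance allows) and adds a subjectAltName, because Firefox and Chrome match the hostname against the SAN and ignore the Common Name. Assumes openssl 1.1.1 or later on the PATH; the directory and subject values are constructed.

```shell
#!/bin/sh
# Added example, not Sven's session: self-signed localhost cert with a SAN,
# bundled with its key into server.pem, plus checks on the result.
set -eu

# make_localhost_cert DIR -> writes privkey.pem, newcert.pem, server.pem in DIR
make_localhost_cert() {
    dir="$1"
    mkdir -p "$dir"
    # 2048-bit key: the transcript's 1024 bits is below today's minimum
    openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null
    # Self-signed for one year. CN is set for display only; browsers match
    # the hostname against subjectAltName, so that is what matters.
    openssl req -x509 -new -key "$dir/privkey.pem" -days 365 \
        -subj "/C=BE/O=Example/CN=localhost" \
        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
        -out "$dir/newcert.pem"
    # Combined file as in the transcript: certificate first, then the key
    cat "$dir/newcert.pem" "$dir/privkey.pem" > "$dir/server.pem"
    # Files holding the private key are owner-readable only
    chmod 600 "$dir/privkey.pem" "$dir/server.pem"
}

# check_cert CERT HOST -> 0 if CERT verifies against itself and names HOST
check_cert() {
    file="$1"; host="$2"
    # Subject and validity window, as a browser would report them
    openssl x509 -in "$file" -noout -subject -dates
    # A self-signed cert must verify with itself as the only trust anchor
    openssl verify -CAfile "$file" "$file" >/dev/null
    # The SAN must list the host that will be typed into the browser
    openssl x509 -in "$file" -noout -text | grep -q "DNS:$host"
}

# key_matches_cert CERT KEY -> 0 if the key's public half is the one in CERT
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}
```

The browser will still warn, as Sven says, because nothing it trusts has signed the certificate; the checks only confirm the file is internally consistent and names the right host.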



Re: Teapot and SSL

horrido
In reply to this post by Sven Van Caekenberghe-2
Okay, I will dispense with the self-signed certificate and purchase a
commercial one, say, from Comodo (PositiveSSL).

I presume once I get it, the code below will work correctly (?). If not,
I'll be back.




Re: Teapot and SSL

Sven Van Caekenberghe-2


> On 21 Dec 2018, at 21:42, horrido <[hidden email]> wrote:
>
> Okay, I will dispense with the self-signed certificate and purchase a
> commercial one, say, from Comodo (PositiveSSL).

But you cannot buy a certificate for localhost, only for a real domain name (that you host for real).

> I presume once I get it, the code below will work correctly (?). If not,
> I'll be back.

Linux only, I would say.

If you want to deploy for real, in some form of production, put nginx in front of pharo (as a proxy). That will work infinitely better and easier.


Re: Teapot and SSL

Ben Coman
In reply to this post by horrido
On Sat, 22 Dec 2018 at 04:42, horrido <[hidden email]> wrote:
>
> Okay, I will dispense with the self-signed certificate and purchase a
> commercial one, say, from Comodo (PositiveSSL).

My web host uses "Lets Encrypt"
https://www.dreamhost.com/hosting/ssl-tls-certificates/

I haven't looked into it deeply, but I've had no trouble with it.

cheers -ben


Re: Teapot and SSL

Pierce Ng-3
In reply to this post by horrido
On Fri, Dec 21, 2018 at 02:42:04PM -0600, horrido wrote:
> Okay, I will dispense with the self-signed certificate and purchase a
> commercial one, say, from Comodo (PositiveSSL).

Use Let's Encrypt-issued certificates, available without charge. Let's
Encrypt's CA certificate is built-in trusted by all the major web
browsers, meaning no action is required on the part of the web browser
user when visiting a site over HTTPS with certificate issued by Let's
Encrypt.

Use Caddy as reverse proxy for your webapp. Caddy has transparent
integration with Let's Encrypt: it generates/saves crypto keys, performs
the Let's Encrypt protocol dances to request and renew Let's Encrypt
certificates, meaning no action is required on the part of the web
site/app administrator after setting it up.

Use Docker, which makes it easy to set up Caddy and your Pharo webapp.

See my recent blog post:

  https://www.samadhiweb.com/blog/2018.12.09.https.html

Pierce


Re: Teapot and SSL

Sven Van Caekenberghe-2


> On 22 Dec 2018, at 03:59, Pierce Ng <[hidden email]> wrote:
>
> See my recent blog post:
>
>  https://www.samadhiweb.com/blog/2018.12.09.https.html

Wow, very well done, very well written, thank you.


Re: Teapot and SSL

horrido
In reply to this post by Ben Coman
I've had tons of trouble trying to get Letsencrypt working. It was so
frustrating that I decided to go with PositiveSSL from Comodo. It only cost
me US$15.76 for two years, so I don't care about price.

Letsencrypt's setup procedure is extremely arcane. For a noob like myself,
this is not good.

Moreover, it's a PITA to have to manually renew every three months.
PositiveSSL removes all obstacles in one fell swoop.

I'm using nginx as a reverse proxy. Again, as a total noob, I used the
minimum, simplest configuration.

I need help with one issue, though. Do I need to enable SSL in Pharo? After
proxy pass, I only get HTTP.

Here's my reverse-proxy.conf:

server {
    listen 80;
    location / {
        proxy_pass http://192.99.58.29:1701;
    }
}

server {
    listen 443;

    ssl_certificate /etc/nginx/cert_chain.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl on;

    location / {
        proxy_pass http://192.99.58.29:1701;
    }
}

BTW, if you're curious about how my website looks, visit
https://teams.jrmpc.ca

It's still a work in progress. Things will undoubtedly change.



--
Sent from: http://forum.world.st/Pharo-Smalltalk-Users-f1310670.html
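An added example, not horrido's file and not run through nginx here: the posted server blocks beside a corrected version, with a small grep-based check that names the differences that matter for security. The corrected version assumes Pharo runs on the same host and listens only on loopback, so port 1701 is no longer reachable from outside and cannot bypass TLS, and it passes X-Forwarded-Proto so the application can tell that the original request was HTTPS. The host name is the one from the thread; `nginx -t` would validate the nginx text, the shell only inspects it.

```shell
#!/bin/sh
# Added example, not horrido's reverse-proxy.conf: the posted config
# (anchor tags stripped) beside a corrected one, and a textual check.
set -eu

# The config as posted in the thread, held here as a constructed string
WEAK_CONF='
server {
    listen 80;
    location / { proxy_pass http://192.99.58.29:1701; }
}
server {
    listen 443;
    ssl_certificate /etc/nginx/cert_chain.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl on;
    location / { proxy_pass http://192.99.58.29:1701; }
}'

# Corrected: port 80 only redirects; 443 terminates TLS; Pharo is reached on
# loopback (assumed) and told the client used HTTPS via X-Forwarded-Proto.
FIXED_CONF='
server {
    listen 80;
    server_name teams.jrmpc.ca;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name teams.jrmpc.ca;
    ssl_certificate /etc/nginx/cert_chain.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://127.0.0.1:1701;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}'

# has CONF PATTERN -> true when some line of CONF matches PATTERN (basic regex)
has() { printf '%s\n' "$1" | grep -q -- "$2"; }

# lint_conf CONF -> prints one finding per line, nothing when clean
lint_conf() {
    c="$1"
    has "$c" 'listen 80;' && ! has "$c" 'return 301 https' &&
        echo "port 80 proxies the app over plain HTTP; redirect to HTTPS instead"
    has "$c" '^ *ssl on;' && echo "ssl on is deprecated; use 'listen 443 ssl'"
    has "$c" 'X-Forwarded-Proto' ||
        echo "no X-Forwarded-Proto: the app cannot tell the client used HTTPS"
    has "$c" 'proxy_pass http://127.0.0.1' ||
        echo "backend reached by public IP: bind Pharo to loopback so 1701 cannot bypass TLS"
    has "$c" 'ssl_protocols' || echo "no ssl_protocols: nginx defaults may allow TLS 1.0/1.1"
    return 0
}
```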


Re: Teapot and SSL

horrido
Why does the forum editor add those stupid anchor tags without permission???




Re: Teapot and SSL

Sven Van Caekenberghe-2
In reply to this post by horrido


> On 22 Dec 2018, at 16:52, horrido <[hidden email]> wrote:
>
> I need help with one issue, though. Do I need to enable SSL in Pharo?

No

> After proxy pass, I only get HTTP.

That is the idea: the browser talks HTTPS to nginx which proxies to pharo in HTTP.



Re: Teapot and SSL

Ben Coman
In reply to this post by horrido
On Sat, 22 Dec 2018 at 23:57, horrido <[hidden email]> wrote:
>
> Why does the forum editor add those stupid anchor tags without permission???

I'm not clear what you are referring to. Which anchor tags?

cheers -ben


Re: Teapot and SSL

horrido
In reply to this post by Sven Van Caekenberghe-2
So you're saying that when users sign in with their passwords or otherwise
enter sensitive data, they're protected by SSL, even though the web
application is still operating through HTTP?




Re: Teapot and SSL

horrido
In reply to this post by Ben Coman
I noticed this in my post...

*server {
    listen 80;
    location / {
    proxy_pass  <a href="http://192.99.58.29:1701;">http://192.99.58.29:1701;
    }
}

server {
    listen 443;

    ssl_certificate /etc/nginx/cert_chain.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl on;

    location / {
    proxy_pass <<a href="http://192.99.58.29:1701;">http://192.99.58.29:1701;>  <a href="http://192.99.58.29:1701;">http://192.99.58.29:1701;
    }
}* <<a href="http://192.99.58.29:1701;">http://192.99.58.29:1701;>

Re: Teapot and SSL

horrido
In reply to this post by horrido
Ignore this message. I got confused by my web browser. Everything is A-okay.




Re: Teapot and SSL

Offray Vladimir Luna Cárdenas-2
In reply to this post by Pierce Ng-3
Hi,

On 21/12/18 21:59, Pierce Ng wrote:
> See my recent blog post:
>
>   https://www.samadhiweb.com/blog/2018.12.09.https.html


In your setup, you talk about SmallCMS1 as a blog engine that runs on
Pharo 6 and seems kind of integrated with Fossil. Brea [1] (in early
stages now) pursues similar goals. Do you have any link to SmallCMS1?

[1] https://mutabit.com/repos.fossil/brea/

Thanks,

Offray



Re: Teapot and SSL

Pierce Ng-3
On Sat, Dec 22, 2018 at 02:07:06PM -0500, Offray Vladimir Luna Cárdenas wrote:
> In your setup, you talk about SmallCMS1 as a blog engine that runs on
> Pharo 6 and seems kind of integrated with Fossil. Brea [1] (in early
> stages now), pursuits similar goals. Do you have any link to SmallCMS1?

Hi Offray,

I wrote SmallCMS1 as a programming exercise. Its code is like a ball of
wax and I have no plan to release it.

It's not particularly integrated with Fossil per se. SmallCMS1 serves
content from an open Fossil repo. The repo has a push-hook defined and
there is a Fossil server running for that repo. When I 'fossil push'
from my laptop to the server, the push-hook is triggered to update the
repo, and the new content is transparently served by SmallCMS1. The
mechanism is conceptually similar to Git push hooks on which much has
been written.

I blogged about the pre-Docker setup.

  https://www.samadhiweb.com/blog/2016.08.12.fossil.html

I'm not satisfied with the way the Fossil thing is done for several
reasons, but hey it works for me on my computers. :-)

> [1] https://mutabit.com/repos.fossil/brea/

Good stuff!

Pierce