1.4.0.rc1 SSL issue related to loading / using certs

I followed the directions from Phoenix 1.4.0 released!

my env:

Erlang/OTP 20 [erts-9.3] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:10] [hipe] [kernel-poll:false]
Elixir 1.7.3 (compiled with Erlang/OTP 19)

I’ve done the following:

  • Updated cowboy to 2.5
  • Generated the certs via phx.gen.cert
  • Updated config to resolve the certs
https: [
    port: 4001,
    certfile: "priv/cert/selfsigned.pem",
    keyfile: "priv/cert/selfsigned_key.pem"
  ]

When trying to navigate to https://localhost:4001 I get

Console:
This site does not have a valid SSL certificate! Without SSL, your site's and visitors' data is vulnerable to theft and tampering. Get a valid SSL certificate before releasing your website to the public.

Request:

Request URL: https://localhost:4001/
Referrer Policy: no-referrer-when-downgrade

Provisional headers are shown
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Response:

This site can’t be reached
The webpage at https://localhost:4001/ might be temporarily down or it may have moved permanently to a new web address.
ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

I don’t see any logs coming out of STDOUT. So I Think this is all within the context of the browser.
As far as I can tell the certs are valid, are in the correct path and that the config is set to the correct path.

The app compiles correct. I’m wondering if the app could compile if it failed to load the certs?
Does anyone know if cowboy would throw any kind of error if that was an issue loading/resolving the certs?

EDIT: it looks as if the certs have loaded into the browser but chrome does not like them.
Chrome: Version 69.0.3497.100 (Official Build) (64-bit)

The certificate is “self signed” meaning that a known (to the browser) certificate authority hasn’t signed it so the browser cannot verify trust. You’ll need to import the self signed cert into your browser so that the browser knows that you trust the certificate.

In Google Chrome go to chrome://settings/certificates and under “Your certificates” click on IMPORT

In Firefox go to about:preferences#privacy and under “Certificates” click “View Certificates” then under “Your Certificates” click on Import

1 Like

Awesome, thank you.

laravel valet (mac os only) can automatically make it’s generated certs be accepted by importing them into the keychain. Would be nice if phoenix could do that as well.

1 Like

Still running into an issue.

I’ve used the link in chrome to open OSx’s keychain.

I’ve made sure to trust the cert.

I’ve reloaded my system and yet I get.

Looks like its possibly related to
https://github.com/webpack/webpack-dev-server/issues/854#issuecomment-292445914

NOTE: when using Google Chrome, open chrome://flags/#allow-insecure-localhost
to enable the use of self-signed certificates on localhost.

That’s part of the mix task generating the ssl certificate. Did you do that as well?

1 Like

My bad, missed that part. Thanks

Hmm, looks like I already had it enabled.

You need to add cipher_suite: :strong in dev.exs:

https: [
    port: 4001,
+   cipher_suite: :strong,
    certfile: "priv/cert/selfsigned.pem",
    keyfile: "priv/cert/selfsigned_key.pem"
  ]
5 Likes

Thank you so much for helping me, that was it. :tada:

2 Likes

You should mark his post as the solution then so it appears better in searches. :slight_smile:

2 Likes