1.4.0.rc1 SSL issue related to loading / using certs

I followed the directions from Phoenix 1.4.0 released!

My env:

Erlang/OTP 20 [erts-9.3] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:10] [hipe] [kernel-poll:false]
Elixir 1.7.3 (compiled with Erlang/OTP 19)

I’ve done the following:

  • Updated cowboy to 2.5
  • Generated the certs via phx.gen.cert
  • Updated config to resolve the certs:

https: [
    port: 4001,
    certfile: "priv/cert/selfsigned.pem",
    keyfile: "priv/cert/selfsigned_key.pem"
  ]

When trying to navigate to https://localhost:4001 I get

Console:
This site does not have a valid SSL certificate! Without SSL, your site's and visitors' data is vulnerable to theft and tampering. Get a valid SSL certificate before releasing your website to the public.

Request:

Request URL: https://localhost:4001/
Referrer Policy: no-referrer-when-downgrade

Provisional headers are shown
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Response:

This site can’t be reached
The webpage at https://localhost:4001/ might be temporarily down or it may have moved permanently to a new web address.
ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

I don’t see any logs coming out of STDOUT, so I think this is all within the context of the browser.
As far as I can tell the certs are valid and in the correct path, and the config is set to the correct path.

The app compiles correctly. I’m wondering if the app could compile if it failed to load the certs?
Does anyone know if cowboy would throw any kind of error if that was an issue loading/resolving the certs?

EDIT: It looks as if the certs have loaded into the browser, but Chrome does not like them.
Chrome: Version 69.0.3497.100 (Official Build) (64-bit)

The certificate is “self signed” meaning that a known (to the browser) certificate authority hasn’t signed it so the browser cannot verify trust. You’ll need to import the self signed cert into your browser so that the browser knows that you trust the certificate.

In Google Chrome go to chrome://settings/certificates and under “Your certificates” click on IMPORT

In Firefox go to about:preferences#privacy and under “Certificates” click “View Certificates” then under “Your Certificates” click on Import

1 Like

Awesome, thank you.

Laravel Valet (macOS only) can automatically make its generated certs be accepted by importing them into the keychain. Would be nice if Phoenix could do that as well.

1 Like

Still running into an issue.

I’ve used the link in Chrome to open OS X’s keychain.

I’ve made sure to trust the cert.

I’ve reloaded my system and yet I get.

Looks like it’s possibly related to

NOTE: when using Google Chrome, open chrome://flags/#allow-insecure-localhost
to enable the use of self-signed certificates on localhost.

That’s part of the mix task generating the ssl certificate. Did you do that as well?

1 Like

My bad, missed that part. Thanks

Hmm, looks like I already had it enabled.

You need to add cipher_suite: :strong in dev.exs:

https: [
    port: 4001,
+   cipher_suite: :strong,
    certfile: "priv/cert/selfsigned.pem",
    keyfile: "priv/cert/selfsigned_key.pem"
  ]
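
Review bot: the added `cipher_suite: :strong` line sits in the https list with no comment saying why it is there, so a later cleanup of dev.exs could drop it and bring back the ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY failure reported at the top of this thread. A one-line comment above it naming that Chrome error would do; it is also worth stating whether the same option belongs in the https config of the other environments, since only dev.exs is mentioned here.
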
5 Likes

Thank you so much for helping me, that was it. 🎉

2 Likes

You should mark his post as the solution then so it appears better in searches. 🙂

2 Likes