bitpay / bitcore-wallet-service

A multisig, HD Bitcoin and Bitcoin Cash wallet service. Used by Copay.
https://copay.io/
MIT License

Allow (and test for) self-signed SSL certificates #215

Open dabura667 opened 9 years ago

dabura667 commented 9 years ago

I am having trouble connecting to my instance of BWS through HTTPS.

I verified that locker, message relay service, and bws are all running, and I was able to access with Copay via http.

Then I generated self-signed keys (PEM format cert and privkey), wrote those into config.js, and uncommented the https:true.

Then I changed http to https on my bws setting in Copay and my logs show rejected CORS error on Copay.

BWS shows 0 logs of the incident. Not even the logs that normally are very chatty when receiving requests.

I will use http in the meanwhile, but does Copay <> BWS support self-signed BWS ssl cert?

matiu commented 9 years ago

AFAIK it has never been tested with self-signed certs. Also, IIRC the "cors" error is kind of a "catch-all" error, so you may want to look at that in the code (at angular-bitcore-wallet-client) and add a log of the actual error.

If you are using it from a Chrome app, also check that Chrome allows self-signed SSL in AJAX.

Sorry, that's all I can think of to help.


dabura667 commented 9 years ago

I have tested with iPhone, Android, Chrome, and all give the same CORS error. (I even disabled all cert verification on Chrome to see if it would allow the connection but no dice.)

Low priority, as I am just messing around with it at this point. But in the future, once this [Insight - BWS - Copay] combination stabilizes, I would imagine corporations will want to use https and self-signed might be a valid demand.

Either way, I have given up and will just use it with http. If you could test self-signed and figure out a step-by-step on how to get it working / fix whatever is preventing it in the code, that would be nice. However, definitely low priority, as it seems https works fine for you guys right now.

matiu commented 9 years ago

Can you try the following?

Using your server with http, check the request on the console log (accessing copay with google chrome) and grab the auth headers (x-identity and x-signature) for a /bws/api/wallets request.

Then set the server to use SSL and make the same request using curl like this:

curl -v 'https://localhost:433/bws/api/v1/wallets' --header "x-identity:xxxxxxxxxxxxxxxxxxxxxxxxxx" --header 'x-signature:30xxxxxxxxxxxxxxxxxxxxxxxxx'

Please let us know how it goes. Thanks!

dabura667 commented 9 years ago

I can't seem to get my Chrome to show me the requests...

I have dev mode on and I am watching Network traffic from the app (I think) but I don't see any headers like the one you mentioned when connected via http.

dabura667 commented 9 years ago

ok nvm, I got it... testing my https on my server now

dabura667 commented 9 years ago

hmm... 443 not 433 btw.

curl is giving me an untrusted certificate error.

ignoring it with -vk instead of -v gets me a 404...

Then trying with https://localhost:3232/... (which is the port bws is listening for) with -vk I get an "invalid signature" response. "Unauthorized"

I think the signature is signing a unique challenge and this is why the sig is invalid?

matiu commented 9 years ago

Signatures for GET requests cover the HTTP method and URL, so it should work. Be sure to include the ?r=xxx parameter.


Matías Alejo Garcia @ematiu Roads? Where we're going, we don't need roads!

dabura667 commented 9 years ago

I need to get to bed. I will try more tomorrow if I have time.

dabura667 commented 9 years ago

@matiu Ok, I tried with curl -vk on "https://localhost:3232/bws/api... using the headers from my chrome wallet and the ?r value. I got my wallets info!

BUT if I use curl -v instead of -vk I get an "untrusted certificate" error. + no wallet info.

dabura667 commented 9 years ago

I just purchased a trusted cert via positivessl with a money-back guarantee.

Even using this trusted ssl cert in config.js is not working.

I found online that curl doesn't trust any CA by default, so as always, -v doesn't work, and -vk does work... but all Copay clients are not connecting when I point them to https://{ipaddress}:3232/bws/api

Let me double check the process of switching from http to https.

  1. http server is running, I can see it is working with Copay.
  2. I perform "kill pid" to kill "node bws.js" process.
  3. I check that the process is done.
  4. I edit config.js Lines 10, 11, and 12 to remove comment and enter the values https: true, privatekey: '/full/path/to/pem/privatekey.pem', certificate: '/full/path/to/pem/cert.pem'
  5. save config.js
  6. run "nohup node bws.js &"
  7. attempt to connect through Copay app.

Are my steps wrong? Am I missing something?

matiu commented 9 years ago

Thanks for the update!

I think the 'untrusted certificate' error at curl is OK, that is what you get when you use self-signed certs (there is no way for the client to verify that cert with the root CAs).

dabura667 commented 9 years ago

@matiu If you have time to check my method of switching to https... I think maybe I am missing something.

matiu commented 9 years ago

I am reviewing the code at bitcore-wallet-client, and I think I found an error regarding the port parameter. Could you try running the https server at the standard port and see if that works?

dabura667 commented 9 years ago

I have an apache server running and it starts to redirect 443 to other places and serves me a webpage of mine.

I need to set up apache to redirect my bws subdomain to 3232... but I keep breaking it.

dabura667 commented 9 years ago

Copay is using bitcore-wallet-client in the background? TIL

matiu commented 9 years ago

as a library, to access BWS.

in bower.json, it depends on angular-bitcore-wallet-client, which depends on bitcore-wallet-client.
