Lemp Inc.

[nuoxoxo]

• tree
  • docker + some pre-req.
  • nginx
  • wordpress
  • mariadb

    docker & misc.

• Launch image
• Show an html page on localhost:8080
  • node
  • http-server -c 1
  • http-server -p 8080
  • python
  • python3 -m http.server -> 8000 by default
  • python3 -m http.server 8080
• Show an html page w/ SSL on localhost:443
  • see below

    why use HTTPS

    If your production website uses HTTPS, you want your local development site to behave like an HTTPS site. (if your production website doesn't use HTTPS, make it a priority to switch).

• SSL
  • definition. - Secure Sockets Layer
  • SSL is server side
  • SSL has to be installed on the server where website is hosted

[nuoxoxo]

Get HTTPS working on local environment

Solution

• OpenSSL
• Use OpenSSL to generate all of our certificates.

  Step 1: Root SSL certificate

• The first step is to create a Root SSL certificate. This root certificate can then be used to sign any number of certificates you might generate for individual domains.

  
  # generate a RSA-2048 key and save it in rootCA.key

$ openssl genrsa -des3 -out rootCA.key 2048

- This file will be used as the key to generate the Root SSL certificate. 
- You will be prompted for a pass phrase each time you use this key to generate a certificate.
```sh
# create a Root SSL certificate in _.pem, valid for 1024 days

openssl req   \
-x509 -new -nodes -key rootCA.key   \
-sha256 -days 1024 -out rootCA.pem

Step 2: Trust the root SSL certificate

Before you can use the newly created Root SSL certificate to start issuing domain certificates, there’s one more step. You need to to tell your Mac to trust your root certificate so all individual certificates issued by it are also trusted.

• (On Mac) Keychain Access
• Keychains > System
• Category > Certificates
• File > Import > import rootCA.pem
• Edit When using this certificate dropdown to Always Trust

Step 3: Domain SSL certificate

• The root SSL certificate can now be used to issue a certificate to the local dev env located at localhost.
• Use a script instead of typing everything on command line
• Create a OpenSSL configuration file server.csr.cnf and in it write

  
  [req]
  default_bits = 2048
  prompt = no
  default_md = sha256
  distinguished_name = dn

[dn] C=US ST=RandomState L=RandomCity O=RandomOrganization OU=RandomOrganizationUnit emailAddress=hello@example.com CN = localhost

- Create <kbd> v3.ext </kbd> file in order to create a <kbd> X509 v3 certificate </kbd>
```sh
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost

• Create a certificate key for localhost using the configuration settings stored in server.csr.cnf. This key is stored in server.key.

  openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server.csr.cnf )

• A certificate signing request is issued via the root SSL certificate we created earlier to create a domain certificate for localhost. The output is a certificate file called server.crt.

  openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext

  Step 4: Use your new SSL certificate

• Move the server.key and server.crt files to an accessible location on your server and include them when starting your server.