Crypt Server?

John Lockwood

Jun 4, 2014, 8:24:49 AM
to munki-w...@googlegroups.com
Apologies for the fact this is somewhat off-topic. However the code is apparently based on munkiwebadmin code so it is slightly relevant.

In case anyone is unaware, Crypt Server provides a means of enforcing FileVault2 encryption and storing centrally the recovery keys without having to use iCloud to do so. The project is at https://github.com/grahamgilbert/Crypt-Server

I have successfully installed this and have it running in Apache as a WSGI site. I have also previously successfully got MunkiWebAdmin working, also in Apache, and I have managed to convert MunkiWebAdmin to run as a https SSL protected site. I therefore tried the same very simple steps to try and get Crypt Server running as an SSL site. Unfortunately, while I am able to access Crypt Server via a https URL, it does not show the expected padlock symbol, and this suggests it is not being encrypted. I have tried a test version of the same virtualhost file for Apache using instead a simple 'hello world' html file, and this works fine with the padlock using the same hostname and certificates, but just adding the WSGIScriptAlias to run the WSGI instead of the html file and the padlock disappears. My MunkiWebAdmin virtualhost works fine and has the expected padlock.

Both Crypt Server and MunkiWebAdmin are using Apache, both are using valid SSL certificates, both are written using Python, both use mod_wsgi, and according to the Crypt Server documentation it is even based on some of the code from MunkiWebAdmin, except it is apparently not being encrypted although it is definitely using https.

I am using VirtualEnv for both MunkiWebAdmin and Crypt Server.

Any suggestions from anyone?

Allister Banks

Jun 5, 2014, 4:56:27 PM
to munki-w...@googlegroups.com
Hey Mr. Lockwood,
No recommendations off the bat besides verifying that the site is really not presenting a cert in any browser (Firefox can respond differently), but I'd just go ahead and file an issue on the Crypt github repo, as that's the most appropriate place I can think of to have this concern addressed.
Allister

John Lockwood

Jun 6, 2014, 9:32:53 AM
to munki-w...@googlegroups.com
Ok Allister, good suggestion to try with Firefox. It turns out I had made a silly error when I created the SSL certificate. I have created a replacement certificate and tested it again.

Now Firefox is happy, as is apparently Google Chrome; however, I am still getting a partial problem with Safari.

When I go to the initial login page, e.g. https://crypt.domain.com, Safari is still not showing a padlock; both Firefox and Chrome do. After I log in using Safari and go to a sub-page of the site, Safari does show the padlock, but if I go back up to the main menu of the site in Safari then the padlock disappears again.

Any more suggestions?

John Lockwood

Jun 9, 2014, 7:28:52 AM
to munki-w...@googlegroups.com
Ok, the problem is now fully resolved.

Firstly, I had originally made a silly mistake when creating the SSL certificate used for this site. However, even after I replaced that, Safari was not happy; it turns out that while Safari was more obviously complaining, the same second problem affected all browsers. It turns out the web-app code for Crypt Server includes a hard-coded URL to load an external file via a http link. This resulted in the page containing a mixture of https and http URLs, and this is 'a bad thing'. I found the http URL in the code, and fortunately the same resource is available via a https URL, so it was a simple matter to edit that line to make it a https URL.

For anyone interested the URL is in the file

/usr/local/crypt_env/crypt/templates/base.html


Now Safari shows the padlock icon :)

If you install the Crypt Server software in the default manner of not using https then you don't hit this problem.