Running Sandstorm using a self-signed SSL certificate


Arjan

Mar 24, 2015, 5:17:31 PM
to sandst...@googlegroups.com
Continuing from https://groups.google.com/forum/#!topic/sandstorm-dev/-CvczbyYgmo so as not to hijack that thread.

I'm running Sandstorm for personal use/testing so I thought I'd set it up with a self-signed certificate. Unfortunately this too isn't really workable, because when you visit a grain you're at https://sandstorm.example.com/grain/grainID, while it's trying to load the app from https://randomstring.sandstorm.example.com.
At least in Firefox it won't let you accept the self-signed certificate, presumably because it's for a different subdomain?
I tried accepting the certificate by opening https://randomstring.sandstorm.example.com in a separate tab, but that gives "Error: Unauthorized [403]".
Arjan


You'll need to regenerate your self-signed certificate as a wildcard cert, e.g. with common name set to `*.sandstorm.example.com`. You should be able to do that. You'll also either need to set `sandstorm.example.com` as an alternative name on the certificate or change your BASE_URL to be in the wildcard, e.g. `www.sandstorm.example.com`.
We're working on making this easier.
-Kenton

I was using a self-signed certificate for *.example.com, so it should work for both sandstorm.example.com and randomstring.sandstorm.example.com (I also tried your suggestion to be sure). I believe the problem has to do with browser security precautions, where you can accept a self-signed certificate on a regular page, but it does not give you the option to accept it when it's loading the subdomain in an iframe. I.e. where Firefox usually gives you a screen with "Technical details" and "I understand the risks - Add Exception", for a grain it loads the outer page OK, but the iframe presents only the message "Technical details" and not the "Add Exception" option.

David Renshaw

Mar 24, 2015, 5:26:37 PM
to Arjan, Sandstorm-dev
I also found it challenging to convince Firefox to accept a self-signed certificate, when I needed to do it last year. I did eventually get it working. I don't remember all the details, but I did write down that I needed to add my CA certificate to: Firefox -> Preferences -> Advanced -> Certificates -> View Certificates -> Authorities

Also, it might be easier to set up if you set
`WILDCARD_HOST=sandstorm-*.example.com`.

- David

Kenton Varda

Mar 24, 2015, 5:27:26 PM
to Arjan, Sandstorm-dev
Hi Arjan,

On Tue, Mar 24, 2015 at 2:17 PM, Arjan <arjan...@gmail.com> wrote:
I was using a self-signed certificate for *.example.com, so it should work for both sandstorm.example.com and randomstring.sandstorm.example.com

Unfortunately, wildcard certs only apply to one level of hostnames. `*.example.com` matches `foo.example.com` but does *not* match `bar.foo.example.com`.
 
(I also tried your suggestion to be sure). I believe the problem has to do with browser security precautions, where you can accept a self-signed certificate on a regular page, but it does not give you the option to accept it when it's loading the subdomain in an iframe. I.e. where Firefox usually gives you a screen with "Technical details" and "I understand the risks - Add Exception", for a grain it loads the outer page OK, but the iframe presents only the message "Technical details" and not the "Add Exception" option.

Indeed, it could be that Firefox is adding an exception limited to one hostname rather than fully trusting the certificate. I think you should be able to accomplish the latter by going into the firefox settings, finding the trusted certificate list, and importing your certificate there (which is different from adding a per-site exception).

-Kenton

Arjan Mossel

Mar 24, 2015, 6:26:05 PM
to Kenton Varda, Sandstorm-dev
Unfortunately, wildcard certs only apply to one level of hostnames. `*.example.com` matches `foo.example.com` but does *not* match `bar.foo.example.com`.

That's good to know.

I haven't yet managed to convince Firefox to actually accept my self-signed cert as an Authority; I'll get back to that later.

- Arjan

Arjan

May 6, 2015, 11:07:10 AM
to sandst...@googlegroups.com, ken...@sandstorm.io
I had previously just created a self-signed certificate, but apparently it is not possible to accept wildcards under Firefox's SSL "servers" tab, and although you can add a self-signed cert under Authorities, it does not allow you to use it for accessing websites, only for signing other certificates. Error code: mozilla_pkix_error_ca_cert_used_as_end_entity. (Chromium does allow the latter).
I've now used a self-signed Root CA to sign my wildcard certificate instead, which does work.
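The recurring point in this thread is the one-level wildcard rule Kenton states above (`*.example.com` matches `foo.example.com` but not `bar.foo.example.com`), which decides whether a single certificate can cover both the BASE_URL host and the per-grain hosts. The script below is an added example, not code from Sandstorm or from anyone in the thread: it implements the browser-side matching rule from RFC 6125 / RFC 2818 and evaluates the three setups discussed (Arjan's original `*.example.com`, Kenton's `*.sandstorm.example.com` with and without the extra SAN, and David's `WILDCARD_HOST=sandstorm-*.example.com`). The hostnames are constructed; the assumption that a grain host is WILDCARD_HOST with its `*` replaced by a random string follows the thread's own description and is labelled as such in the code.

```python
"""Hostname matching a browser applies to a TLS certificate's DNS names.

Added example, not code from the Sandstorm project or from anyone in the
thread. It implements the one-level wildcard rule (RFC 6125 section 6.4.3 /
RFC 2818): a '*' matches exactly one DNS label, so '*.example.com' covers
'foo.example.com' but not 'bar.foo.example.com'. The hostnames and name
lists below are constructed to mirror the thread's setups.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate DNS name (possibly wildcarded) covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans labels, so the label counts must be equal.
    if len(p) != len(h):
        return False
    # Only a whole leftmost label may be '*'; partial wildcards such as
    # 'sandstorm-*' are refused (the conservative behaviour of current browsers).
    if any("*" in label for label in p[1:]) or (p[0] != "*" and "*" in p[0]):
        return False
    # Refuse wildcards that would cover a whole public suffix, e.g. '*.com'.
    if p[0] == "*" and len(p) < 3:
        return False
    return all(a == "*" or a == b for a, b in zip(p, h))


def cert_covers(san_names, hostname: str) -> bool:
    """True if any name in the certificate's SAN list covers hostname."""
    return any(name_matches(name, hostname) for name in san_names)


def check_setup(san_names, base_host: str, grain_host: str) -> dict:
    """Report whether a cert covers the BASE_URL host and one grain host."""
    return {
        "base": cert_covers(san_names, base_host),
        "grain": cert_covers(san_names, grain_host),
    }


# Constructed hostnames mirroring the thread. Assumption: a grain hostname is
# WILDCARD_HOST with its '*' replaced by a random string.
BASE_HOST = "sandstorm.example.com"
GRAIN_HOST_SUBDOMAIN = "randomstring.sandstorm.example.com"  # WILDCARD_HOST=*.sandstorm.example.com
GRAIN_HOST_HYPHEN = "sandstorm-randomstring.example.com"     # WILDCARD_HOST=sandstorm-*.example.com

SETUPS = {
    # Arjan's original cert: one wildcard at the example.com level.
    "original *.example.com, grains as sub-subdomains":
        (["*.example.com"], GRAIN_HOST_SUBDOMAIN),
    # Kenton's suggestion: wildcard one level down plus the base host as a SAN.
    "*.sandstorm.example.com + SAN sandstorm.example.com":
        (["*.sandstorm.example.com", "sandstorm.example.com"], GRAIN_HOST_SUBDOMAIN),
    # The same wildcard without the extra SAN: grains work, BASE_URL does not.
    "*.sandstorm.example.com alone":
        (["*.sandstorm.example.com"], GRAIN_HOST_SUBDOMAIN),
    # David's suggestion: keep *.example.com, move grains to sandstorm-*.example.com.
    "*.example.com with WILDCARD_HOST=sandstorm-*.example.com":
        (["*.example.com"], GRAIN_HOST_HYPHEN),
}


def report() -> dict:
    """Evaluate every setup; keys are setup names, values are check_setup dicts."""
    return {name: check_setup(sans, BASE_HOST, grain)
            for name, (sans, grain) in SETUPS.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name}: base={result['base']} grain={result['grain']}")
```

Running it shows why the original setup failed only for the iframe: `*.example.com` covers `sandstorm.example.com` but not the sub-subdomain grain host, whereas both Kenton's wildcard-plus-SAN and David's hyphenated WILDCARD_HOST cover both names with one certificate. The SAN list is what a CA-signed leaf certificate would carry, which is the setup the last post reports as working.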