Https example setup

runejuhl edited this page Oct 26, 2012 · 3 revisions

Make sure you are using an OTP release >= R14B04, since the SSL application in older OTP versions has a memory leak (see http://erlang.2086793.n4.nabble.com/SSL-cache-delete-bug-td3614886.html).

Generating certificates

Make directory to hold the certificates

In some Linux distributions, Debian/Ubuntu included, SSL certificates are usually kept in /etc/ssl/, but you can also keep them in your project folder:

mkdir ssl
cd ssl

Generating private key suitable for https serving...

Some CAs require 2048 bit keys, but you may of course select whatever length suits you.

openssl genrsa -out privkey.pem -des3 2048

Generating a Certificate Signing Request (certreq.csr)

openssl req -new -key privkey.pem -out certreq.csr

Getting your certificate signed

Here, you have the option of finding a provider to sign your certificate, or acting as your own Certificate Authority and signing your certificate yourself.

Using a CA

Have a look at Wikipedia's Comparison of SSL certificates for web servers for a quick overview. Free options include CACert.org or StartSSL.

Signing it yourself

  • Generating a CA certificate:

    openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

  • Generating a self-signed certificate:

    openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.pem -out newcert.pem
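The steps above, run end to end as a script, followed by the checks worth doing before pointing boss.config at the files: that the certificate's public key really belongs to privkey.pem, that the certificate is not expired, and that the key is 2048 bits. This is an added example, not code from the wiki page or the ChicagoBoss project; it assumes the openssl CLI is installed, and the subject names and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example: the page's openssl commands made non-interactive (-subj,
# -passout/-passin), plus sanity checks on the output. File names follow the
# page: privkey.pem, certreq.csr, cacert.pem, newcert.pem. Requires openssl.
set -eu

# gen_certs DIR PASSPHRASE COMMON_NAME
# Same commands as on the page. The key stays DES3-encrypted as on the page;
# an encrypted key also needs {password, "..."} in the boss.config ssl_options
# (constructed passphrase, not a project default).
gen_certs() {
    dir=$1; pass=$2; cn=$3
    mkdir -p "$dir"
    openssl genrsa -out "$dir/privkey.pem" -des3 -passout "pass:$pass" 2048 2>/dev/null
    openssl req -new -key "$dir/privkey.pem" -passin "pass:$pass" \
        -subj "/CN=$cn" -out "$dir/certreq.csr"
    # "Generating a CA certificate" step (self-signed, same key as on the page)
    openssl req -new -x509 -key "$dir/privkey.pem" -passin "pass:$pass" \
        -subj "/CN=$cn CA" -out "$dir/cacert.pem" -days 1095
    # "Generating a self-signed certificate" step
    openssl x509 -req -days 3650 -in "$dir/certreq.csr" \
        -signkey "$dir/privkey.pem" -passin "pass:$pass" \
        -out "$dir/newcert.pem" 2>/dev/null
}

# check_certs DIR PASSPHRASE
# Returns 0 only if newcert.pem's modulus equals privkey.pem's modulus (the
# classic key/cert match check), the certificate is currently valid, and the
# public key is 2048 bits; returns 1 otherwise.
check_certs() {
    dir=$1; pass=$2
    key_mod=$(openssl rsa -in "$dir/privkey.pem" -passin "pass:$pass" -noout -modulus)
    cert_mod=$(openssl x509 -in "$dir/newcert.pem" -noout -modulus)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ] || return 1
    openssl x509 -in "$dir/newcert.pem" -noout -checkend 0 >/dev/null || return 1
    openssl x509 -in "$dir/newcert.pem" -noout -text | grep -q '2048 bit' || return 1
}

# Demo run: output directory from $1 (default ./ssl), passphrase from
# $SSL_KEY_PASS (default "changeme", constructed for the demo only).
out=${1:-./ssl}
gen_certs "$out" "${SSL_KEY_PASS:-changeme}" localhost
check_certs "$out" "${SSL_KEY_PASS:-changeme}" && echo "key and certificate in $out match"
```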

Edit boss.config

Add this to the boss section of your boss.config:

{ssl_enable, true},
{ssl_options, [
               %% CA certificate(s) used to validate any client certificate
               {cacertfile, "ssl/cacert.pem"},
               %% server certificate and its private key
               {certfile, "ssl/newcert.pem"},
               {keyfile, "ssl/privkey.pem"},
               %% if privkey.pem was encrypted (e.g. with -des3 above), the
               %% ssl application also needs {password, "<your passphrase>"}
               %% verify_peer asks clients for a certificate; with
               %% fail_if_no_peer_cert set to false, clients that present
               %% none are still accepted
               {verify, verify_peer},
               {fail_if_no_peer_cert, false}
              ]
},

Edit your startup script

Edit boss_rebar.erl and change

-boot start_sasl -config boss -s reloader -s boss

to

-boot start_sasl -config boss -s reloader -s inets -s ssl -s boss

on line 136 for the regular (production) start and/or line 160 for the development start.