
How to actually use the certs? #60

Closed
j1elo opened this issue Aug 15, 2018 · 9 comments
Labels: question (This is a user question)

Comments

@j1elo

j1elo commented Aug 15, 2018

Hi, totally newbie question here. I'm not a web developer and this is the first time I configure self-signed certificates, so bear with me. Also I'd like to propose adding a section in the documentation for people in my situation.

This is what I'm currently doing, step by step command-line style. Server is an Amazon AWS machine with Ubuntu 16.04, in which I'm doing some WebRTC tests; Chrome and Firefox will refuse to allow webcam and microphone access to insecure sites (except for localhost), so I need to serve an HTTPS page from my test server:

```shell
# [On DEV] Set up 'mkcert'
curl -o mkcert -L 'https://github.com/FiloSottile/mkcert/releases/download/v1.1.0/mkcert-v1.1.0-linux-amd64'
chmod +x mkcert

# [On DEV] Create a CA used for signing certificates, copy it to CLIENTs
sudo apt-get install -y libnss3-tools
./mkcert -install
scp "$(./mkcert -CAROOT)/rootCA.pem" user@${LINUX_CLIENT}:
scp "$(./mkcert -CAROOT)/rootCA.pem" user@${MAC_CLIENT}:

# [On DEV] Create certificate for needed domains, copy it to SERVER
./mkcert '*.compute.amazonaws.com' localhost 127.0.0.1
scp ./_wildcard.compute.amazonaws.com+2.pem     user@${SERVER}:cert.pem
scp ./_wildcard.compute.amazonaws.com+2-key.pem user@${SERVER}:key.pem

# [On SERVER] Start HTTPS server using Node.js
curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
sudo apt-get install -y nodejs
sudo npm install -g http-server
http-server -p 8080 --ssl --cert ~/cert.pem --key ~/key.pem ~/web

# [On LINUX_CLIENT] Set up 'mkcert', install CA
curl -o mkcert -L 'https://github.com/FiloSottile/mkcert/releases/download/v1.1.0/mkcert-v1.1.0-linux-amd64'
chmod +x mkcert
sudo apt-get install -y libnss3-tools
CAROOT="$PWD" ./mkcert -install

# [On MAC_CLIENT] Set up 'mkcert', install CA
curl -o mkcert -L 'https://github.com/FiloSottile/mkcert/releases/download/v1.1.0/mkcert-v1.1.0-darwin-amd64'
chmod +x mkcert
brew install nss
CAROOT="$PWD" ./mkcert -install
```

At this point, I open this URL in Chrome:
https://ec2-11-22-33-44.region.compute.amazonaws.com:8080/

But it still shows a warning page right before loading, and after dismissing the warning, a RED warning with "Not secure" text is shown in the address bar.

What I expected is that Chrome loads the page without any security warnings and with a GREEN lock in the address bar.

What steps am I missing to make this work as intended?

I wanted to do this because the name that AWS gives your machine depends on the region of that particular machine, and it also changes every time the machine starts up, so the best would be to have a certificate that doesn't care what the actual name of the subdomain is, and to be able to use the generated cert on several machines.

---- UPDATE ----

The reason for this problem is that a restriction exists in how wildcard certificates work by spec, not anything to do specifically with mkcert. It turns out that a wildcard such as *.example.com won't match sub-subdomains such as a.b.example.com.

Solution is to use wildcards for only one subdomain level:

```shell
# [On DEV] Create certificate for needed domains, copy it to SERVER
./mkcert '*.region.compute.amazonaws.com' localhost 127.0.0.1
scp ./_wildcard.region.compute.amazonaws.com+2.pem     user@${SERVER}:cert.pem
scp ./_wildcard.region.compute.amazonaws.com+2-key.pem user@${SERVER}:key.pem
```
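The wildcard rule behind the update above, as an added example that is not part of the original post and not mkcert's code: a small Python matcher that applies the check browsers make (RFC 6125: `*` may only be the entire left-most label and it matches exactly one label; an IP address in the certificate only ever matches the same IP). The host name `ec2-11-22-33-44.region.compute.amazonaws.com` and the two SAN lists are the placeholder values from this thread.

```python
"""Browser-style matching of a TLS certificate name against a requested host.

Added illustration (not mkcert's code): the RFC 6125 wildcard rule is what makes
'*.compute.amazonaws.com' fail for 'ec2-11-22-33-44.region.compute.amazonaws.com'
while '*.region.compute.amazonaws.com' succeeds.
"""
import ipaddress
from typing import List, Optional


def match_hostname(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    # IP address SANs (e.g. 127.0.0.1) match only the identical address, and a
    # requested IP literal is never covered by a DNS wildcard.
    try:
        pat_ip = ipaddress.ip_address(pattern)
    except ValueError:
        pat_ip = None
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None
    if pat_ip is not None or host_ip is not None:
        return pat_ip is not None and pat_ip == host_ip

    if "*" not in pattern:
        return pattern == hostname          # plain DNS name: exact match

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' must be the whole left-most label, must not appear elsewhere, and
    # needs at least two labels after it ('*.com' is not an acceptable name).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # The wildcard consumes exactly one label, so 'a.b.example.com' has one
    # label too many for '*.example.com'.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(san_names: List[str], hostname: str) -> Optional[str]:
    """Return the SAN entry that covers `hostname`, or None (what the browser decides)."""
    for name in san_names:
        if match_hostname(name, hostname):
            return name
    return None


if __name__ == "__main__":
    host = "ec2-11-22-33-44.region.compute.amazonaws.com"   # placeholder host from the thread
    first_try = ["*.compute.amazonaws.com", "localhost", "127.0.0.1"]
    fixed = ["*.region.compute.amazonaws.com", "localhost", "127.0.0.1"]
    print(host, "covered by", first_try, "->", cert_covers(first_try, host))
    print(host, "covered by", fixed, "->", cert_covers(fixed, host))
```

Running it prints `None` for the first SAN list (the `NET::ERR_CERT_COMMON_NAME_INVALID` case) and `*.region.compute.amazonaws.com` for the second. Since the wildcard only stands in for one label, a cert that must cover hosts in several regions needs one `*.<region>.compute.amazonaws.com` entry per region.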
@j1elo
Author

j1elo commented Aug 15, 2018

More info:

Chrome says this in its warning screen:

```text
NET::ERR_CERT_COMMON_NAME_INVALID
This server could not prove that it is ec2-11-22-33-44.region.compute.amazonaws.com; its security certificate is from *.compute.amazonaws.com.
```

And Firefox says something similar:

```text
ec2-11-22-33-44.region.compute.amazonaws.com uses an invalid security certificate.
The certificate is only valid for the following names: *.compute.amazonaws.com, localhost, 127.0.0.1
Error code: SSL_ERROR_BAD_CERT_DOMAIN
```

Does this mean that it's not possible to create certificates for AnySubdomain.example.com?

@nickkaczmarek

I may be misunderstanding this, but since you're hitting your site from the amazonaws.com TLD, mkcert won't work for this. You'll probably need to use Let's Encrypt or something and put that certificate on your AWS server. Someone who knows more may have more insight, but that's how I understand this. This might be helpful: https://docs.aws.amazon.com/acm/latest/userguide/setup-website.html

@neoKushan

I don't believe you're using the tool as it was intended, as it's very much aimed at generating certs for local development. For deploying to AWS (or any server, really) you are best looking into something like Let's Encrypt for genuine SSL (or using the SSL cert that the cloud provider usually gives you). I don't know enough about aws to help with this, but there's plenty of documentation out there.

@j1elo
Author

j1elo commented Aug 17, 2018

I see no reason why these certs wouldn't work for external machines; even the README of this project starts by showing how to generate a cert for such one! (example.com)
```shell
$ mkcert example.com '*.example.org' myapp.dev localhost 127.0.0.1 ::1
```

I'm not a web dev and had zero idea of how to configure a certificate, so I just wanted to have a pair of files that can be copied to whatever machine, regardless of it being local or remote, and instantly have a valid HTTPS connection to them... well, that was the objective. Maybe I should have looked into Let's Encrypt for the AWS machine.

In any case, I actually made it work without any further problem whatsoever. The reason for my problem is that a restriction exists in how wildcard certificates work by spec, not anything to do specifically with mkcert. It turns out that a wildcard such as *.example.com won't match sub-subdomains such as a.b.example.com. As simple as that.

So I used mkcert to generate a certificate for *.region.compute.amazonaws.com. Problem solved.

I won't close this issue yet to allow the author see it and consider my proposal of adding a section in the documentation that talks about this use case. @FiloSottile thank you for this tool!

@Suleman-Elahi

Same question here.... how to use this.... every time it says "ERROR: xyz is not a valid hostname or IP"

[screenshot attached]

FiloSottile added the label `question` (This is a user question) on Aug 19, 2018
@nickkaczmarek

@Suleman-Elahi Did you try it with an administrator command prompt?

@Suleman-Elahi

Doesn't help

[screenshot attached]

@j1elo
Author

j1elo commented Aug 23, 2018

That error doesn't depend on running with or without Administrator CMD. It happens because a regular expression fails to match.

Note how the error says: ERROR: "'*.example.org'"; it is including the single quotes inside the double quotes. Of course, '*.example.org' is an invalid hostname. Try *.example.org without quotes, or with double quotes. It all depends on how the CMD interpreter treats single (and double) quotes in call arguments.

That's probably a documentation bug in mkcert. Please handle it in a new issue, and don't derail already existing ones such as this one.
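To make the quoting point concrete, here is an added illustration that is my own code and not mkcert's actual validation (I am approximating its rule): a name argument is accepted if it is an IP address or a DNS name whose only wildcard is the whole left-most label, and rejected names are reported in the style of the screenshots. The two argument lists are constructed to mirror what the program receives when Windows CMD passes the single quotes through verbatim versus when the name is typed unquoted.

```python
"""Checking mkcert-style name arguments, as an added illustration.

This approximates the rule (it is not mkcert's own code): each argument must be
an IP address, or a DNS name of dot-separated labels where '*' appears only as
the whole left-most label. Anything else, including a name that still carries
shell quote characters, is rejected.
"""
import ipaddress
import re
from typing import List

# One DNS label: 1-63 characters, letters/digits/underscore, hyphens only inside.
_LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
# Optional '*.' prefix, then one or more labels separated by dots.
_NAME_RE = re.compile(rf"^(?:\*\.)?{_LABEL}(?:\.{_LABEL})*$", re.IGNORECASE)


def is_valid_name(arg: str) -> bool:
    """True for an IP literal or a well-formed (optionally wildcarded) DNS name."""
    try:
        ipaddress.ip_address(arg)
        return True
    except ValueError:
        pass
    return _NAME_RE.match(arg) is not None


def check_args(args: List[str]) -> List[str]:
    """Return one error line per rejected argument, in the style of the screenshots."""
    return [f'ERROR: "{a}" is not a valid hostname or IP' for a in args if not is_valid_name(a)]


if __name__ == "__main__":
    # Constructed argv as Windows CMD passes it: the single quotes survive verbatim,
    # so the program sees the seven-character string '*.example.org' quotes included.
    cmd_style = ["example.com", "'*.example.org'", "myapp.dev", "localhost", "127.0.0.1", "::1"]
    # The same command typed without quotes (or with double quotes, which are
    # removed before the program sees its arguments).
    fixed = ["example.com", "*.example.org", "myapp.dev", "localhost", "127.0.0.1", "::1"]
    for line in check_args(cmd_style) or ["all names accepted"]:
        print(line)
    for line in check_args(fixed) or ["all names accepted"]:
        print(line)
```

The first list produces exactly one error, for the quoted wildcard, and the second passes cleanly; the quote characters, not the `*`, are what trips the check.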

@Suleman-Elahi

Suleman-Elahi commented Aug 23, 2018

Thank you very much !!!! @j1elo

[screenshot attached]
