How to provide separate SSL certificate for specified path - ruby-on-rails

I have Rails app running behind Nginx using Passenger. SSL is configured at Nginx side in server block and works fine. Now I need specify separate certificate on certain path, say for https://example.com/blablabla.
I need this because of constrains of some system I working with.

A certificate identifies a server and not a path inside the server. The path is only known after the SSL handshake is done, that is after the certificate was already provided. Thus it is not possible to have one certificate for a specific path and another certificate for another path and the same hostname.

Related

Need Help setting up Certificate Chain for a LAMP stack with nginx proxy docker

I have a LAMP Stack docker set up with:
Nginx proxy Docker https://hub.docker.com/r/jwilder/nginx-proxy
Apache Stack
Everything is working fine except that when we check our SSL on ssllabs.com, we are getting report of: certificate chain missing.
If you are familiar working with this nginx proxy docker and LAMP stack, i need your advise to get this chain certficate up.
Just wonder if you can help me with this.
when you get a certificate from a certificate authority(for example let's encrypt), they will give you some files. between those files you have a key and a cert and a bundle file. all you need to do is just to append your bundle file contents to your cert file and then you will end up with a file known as fullchain file. then replace the address of this file with the address of your cert file in your configuration and do a restart. (browsers will automatically complete the chain even if your not provided it, but tools like curl want your server to explicitly mention the chain of your cert.)

How to handle https for a containerized OIDC server in local development?

I have an OpenID Connect server (OpenIDdict) and an asp.net core webapp in containers behind a TLS termination proxy. In production, all communication between the webapp and the OIDC server can go through the 'outside', based on their public names. However, in development, I'm using self signed certificates that aren't trusted by the containers running the apps, only by my host pc. Because of that, in development, the webapp can redirect the browser to the OIDC server just fine, but when it, for instance, needs to call the token endpoint, it will fail, because the certificate isn't trusted.
A possible solution would be to have the server to server communication go through the internal container network, but I haven't been able to get that to work. Is there a way to make the asp.net core OpenID Connect middleware use a different url (and protocol) for server to server communication?
Another solution would be to install the self signed certificates in the containers, but because that's only needed in development, it seems bad practice to burden the images with that. Is that assessment correct?
I'm hoping I'm missing the most obvious solution. Any ideas?
This is what I ended up doing:
I added a custom domain to the hosts file of my pc, pointing to itself.
Using openssl, I created a rootDevCA.crt and added it to the trusted root on my pc and in all the container images.
With that root certificate, I signed a new certificate for the custom domain and supplied that (including its key) to the proxy.
As long as I keep the key file for the root certificate far away from my source code, there should be no security issues.

How to properly set up HTTPS for OnlyOffice

Following OnlyOffice's help center's instructions leads to the creation of security certificate declared as invalid by browsers, as it is self-signed.
The intention is to use OnlyOffice's server on Docker for NextCloud, which runs properly already on another server.
Currently, the certificates have been created in the directory suggested by the instructions:
/app/onlyoffice/DocumentServer/data/certs# ls
dhparam.pem onlyoffice.crt onlyoffice.csr onlyoffice.key
I have followed all the given steps, and it does not work.
Is there a way to use LetsEncrypt instead of self-signed certificates?
I am not an IT management person, I am a simple developer trying to use OSS to not use Google Docs etc. Take this into consideration when providing guidance, as what you may take for granted, I may not.
The problem that you are having is that a self-signed certificate is not trusted by anyone (anything).
You can create your own certificate using Let's Encrypt. You will either need to create a special file on your server or create a TXT record on your domain's DNS server.
Certbot Download
The following is for Linux. If you are running on Windows, try using ManuaLE (more info below)
Go to let's encrypt and download certbot. Then from the command line:
certbot certonly --manual --preferred-challenges dns -d mydomain.com
This command will prompt you to create a TXT record on your DNS server. After creating the record wait a few minutes before pressing ENTER to continue.
After your SSL certificate is created, copy and rename them to your desired location listed in your question.
Instructions for ManuaLE for Windows.
ManuaLE Download
manuale authorize mydomain.com
manuale issue mydomain.com
After your SSL certificate is created, copy and rename them to your desired location listed in your question.
Please restart the container, the DocumentServer will switch to https config.
Open the address of the DocumentServer in your browser. If that is available, it can be connected to your NextCloud instance.

Docker compose: nginx with self SSL cert not working

I'm trying to create a development enviroment using nginx, mysql and php. I want to have a self signed SSL certificate configured because in productions I'll use ssl connections as well.
For php and mysql I had no problems, but for nginx and struggling to make it work. I'm using MarvAmBass/docker-nginx-ssl-secure image (https://github.com/MarvAmBass/docker-nginx-ssl-secure) but when accessing the site I get the SEC_ERROR_UNKNOWN_ISSUER error in Firefox (invalid ssl certificate).
I've replaced the CN var in the command to create the self certificate but doesn't seem to affect.
I don't know if maybe there's another image I can use (I'm pretty new to the docker world).
Thanks in advance
If the certificate is not authorized by the valid CA(Certificate Authority), then you will notice SEC_ERROR_UNKNOWN_ISSUER on Mozilla. It is recommended to use the certificates provided by your CA(Certificate Authority).

Use a trusted CA signed certifiicate on a local rails server

This might sound a little stupid, but I am trying to test out IOS device enrollment and I want to use a trusted CA(eg Verisign,Comodo) signed certificate to add to my localhost rails webrick server. I do not want to add a self signed certificate because I need to test a very particular scenario. Is there a way to do this? I know domain controller validation will fail if I try to create the CA signed certificate on a website like Comodo and I cant use a certificate I already have for my production server since its bound to that domain. Is there a way to workaround this and create a production level SSL certificate and use it for development server?
You can use your existing production certificates for your local setup, and use a local DNS server (such as BIND) to resolve the domain name to your local ip address instead of your production servers ip address.
Update:
Install BIND (or whatever DNS server software you like) on some computer on your network, let us say 192.168.100.10.
Add www.myprodserver.com to resolve to 192.168.100.100.
Now on your local machine (assume its a MacBook), go to your network settings and add 192.168.100.10 as the only DNS server.
Now run ping www.myprodserver.com and make sure it is resolving to 192.168.100.100.
This is almost equivalent (but not exactly) to using /etc/hosts file to resolve domain names to ip addresses .
(all ip addresses and domain names used above are just for example)
Also, I think you will need something better than WEBRick to handle SSL certificates. You can use nginx to offload SSL and proxy to WEBRick

Resources