
SSL for your local development server

So, some of you may have gotten MAMP to work happily with self-generated SSL certificates. It’s a bit tricky and I’ll assume you’ve got that working.

… a quick tip on getting OS X to shut down the default installed Apache so MAMP can run on ports 80 and 443:
(found here: https://gist.github.com/jfloff/5138826 )

First of all you need to be able to run MAMP on port 80. This is a “heat check” to see whether you have any process jamming the HTTP ports. You can check it like this:

sudo lsof | grep LISTEN

If you do happen to have any process with something like *:http (LISTEN), you are in trouble. Before going on with the adventure, check whether it is MAMP itself (yeah, you should close that beforehand).

PS: If you don't see MAMP, you are in good hands; I have just the thing for you:
# I've forced the removal of the job
$ launchctl remove org.apache.httpd

# and load it again
$ launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist

# and unload it again
$ launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist

Now you should be able to use port 80 (and almost any other) in MAMP. Just go to MAMP > Preferences > Ports Tab and click the Set to default Apache and MySQL ports.
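A narrower version of the “heat check” above, as an added example (not from this post or the gist it quotes): instead of `sudo lsof | grep LISTEN`, which lists every listening socket on the machine, it reads lsof's listing of listening TCP sockets (`sudo lsof -nP -iTCP -sTCP:LISTEN`, with -n/-P keeping addresses and ports numeric so port 80 shows as `:80` rather than `:http`) and reports exactly what holds the two ports MAMP needs. The `SAMPLE_LSOF` text is constructed so the script runs offline; on your Mac, pipe the real command into `port_is_free` instead.

```shell
#!/bin/sh
# Added example, not part of the original post. SAMPLE_LSOF below is a
# constructed stand-in for:  sudo lsof -nP -iTCP -sTCP:LISTEN

# Print "COMMAND PID" for each LISTEN socket on TCP port $1 (lsof output on stdin).
listeners_on_port() {
    awk -v port="$1" '
        NR > 1 && $NF == "(LISTEN)" {
            # NAME column looks like *:80, 127.0.0.1:8889 or [::1]:443;
            # the port is whatever follows the last colon
            n = split($(NF - 1), part, ":")
            if (part[n] == port) print $1, $2
        }' | sort -u
}

# Exit 0 if nothing listens on port $1, otherwise 1 and name the holders on stderr.
port_is_free() {
    holders=$(listeners_on_port "$1")
    if [ -n "$holders" ]; then
        printf 'port %s is held by:\n%s\n' "$1" "$holders" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the stock OS X httpd already holds 80 and 443 (root parent
# plus a _www worker), while MAMP's own services sit on 8888/8889.
SAMPLE_LSOF='COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd      73  root    4u  IPv6    0x1      0t0  TCP *:80 (LISTEN)
httpd      73  root    5u  IPv6    0x2      0t0  TCP *:443 (LISTEN)
httpd      88  _www    4u  IPv6    0x1      0t0  TCP *:80 (LISTEN)
httpd      88  _www    5u  IPv6    0x2      0t0  TCP *:443 (LISTEN)
mysqld    120  user   10u  IPv4    0x3      0t0  TCP 127.0.0.1:8889 (LISTEN)
httpd     121  user    4u  IPv6    0x4      0t0  TCP *:8888 (LISTEN)'

# Check the two ports MAMP needs. On a real machine replace the printf with:
#   sudo lsof -nP -iTCP -sTCP:LISTEN | port_is_free 80
for p in 80 443; do
    if printf '%s\n' "$SAMPLE_LSOF" | port_is_free "$p"; then
        echo "port $p: free"
    else
        echo "port $p: busy, unload org.apache.httpd first"
    fi
done
```

With the sample input both ports report as busy and the holders are the two httpd processes, which is the case the launchctl commands above fix; if the holder turns out to be MAMP's own httpd (port 8888 in the sample), quit MAMP instead.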

….now back to SSL certs

However, there’s a new wrinkle. Chrome and FF both have decided that self-signed certificates need to be of the Version 3 variety, rather than the plain old ones generated by MAMP. I ran into an issue where Chrome was complaining about a missing subjectAltName in the certificate that I had set up.

So, here’s the article I used to get my stuff sort of working:

https://alexanderzeitler.com/articles/Fixing-Chrome-missing_subjectAltName-selfsigned-cert-openssl/

Here’s another version of that:

Create Your Own SSL Certificate Authority for Local HTTPS Development

OMG, you say, that’s like waaaaaaa? No worries, I’ll help break it down here and do it a little differently.

They have you create all sorts of scripts. I’m not sure why, probably because it’s the right way to do it, but here’s the straightforward way to set it up.

What you are doing is creating your own CA certificate (a certificate authority), then using that to issue a certificate for the site that needs SSL.

In the following directions, you need to replace YOURLOCALSITEDOMAIN with the domain you are setting up on your MAMP server. You know, like mysite.dev, or sams-site.dev, etc…

Go to the directory where you store your SSL certificates for MAMP and do the following:

STEP 1
On the command line type out the following:

openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

– this creates your CA key (rootCA.key) and self-signed root certificate (rootCA.pem), which you’ll use to issue your site certificates
– it’s going to ask you a bunch of questions about the country, state, city, and other things. Just answer them with your own info 🙂 The questions will be similar to the parameters you see in the [dn] section in the code below.

STEP 2
Create a file called YOURLOCALSITEDOMAIN.csr.cnf with the following:

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=your-administrative-address@your-awesome-existing-domain.com
CN = YOURLOCALSITEDOMAIN

– This is the configuration file used when generating your specific site certificates. Change the ST, L and emailAddress parameters to whatever you want. I’d go ahead and use your own email.

STEP 3
Then, create a file called v3.ext with the following:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = YOURLOCALSITEDOMAIN

– This is the extensions file the CA uses when signing; it makes your cert an X.509 version 3 certificate and lists the named domain (DNS.2) in the subjectAltName that Chrome was looking for.

STEP 4
Then generate the certificates with this!!! On the command line type out the following (don’t forget to replace YOURLOCALSITEDOMAIN with whatever development domain you are using):

openssl req -new -sha256 -nodes -out YOURLOCALSITEDOMAIN.csr -newkey rsa:2048 -keyout YOURLOCALSITEDOMAIN.key -config YOURLOCALSITEDOMAIN.csr.cnf

openssl x509 -req -in YOURLOCALSITEDOMAIN.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out YOURLOCALSITEDOMAIN.crt -days 5000 -sha256 -extfile v3.ext

Now, when you need to get a second site working, you'll repeat steps 2 through 4. HOWEVER, you won't recreate the v3.ext file. You'll just add a new DNS parameter with your new domain. So, in the above example, I'd be adding DNS.3 = NEWSITEDOMAIN. You'd add a new DNS parameter for each new secure site you do.
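Here is the whole procedure (steps 1 through 4, plus the “second site” repeat) as an added example script; it is not from this post or the articles it links. It runs the same openssl commands non-interactively in a scratch directory and then checks the result the way a browser does, with `openssl verify -verify_hostname`, which fails on exactly the missing-subjectAltName condition Chrome complained about. Assumptions, all constructed and easy to change: the root key passphrase comes from `-passout`/`-passin` instead of the prompt, the root’s subject is given with `-subj` instead of answering the questions, and the site domains are mysite.test and second.test (the .test TLD is reserved for local use by RFC 2606, so it can never collide with a real site).

```shell
#!/bin/sh
# Added example, not the post's own code. Constructed assumptions: passphrase via
# -passout/-passin, root subject via -subj, domains mysite.test / second.test.
set -e
ROOT_PASS="${ROOT_PASS:-change-me-local-ca}"   # constructed passphrase

# STEP 1: private CA key + self-signed root certificate ($1 = dir).
make_root_ca() {
    openssl genrsa -des3 -passout "pass:$ROOT_PASS" -out "$1/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/rootCA.key" -passin "pass:$ROOT_PASS" -sha256 \
        -days 1024 -subj "/C=US/O=Local Dev/CN=Local Dev Root CA" -out "$1/rootCA.pem"
}

# STEP 2: per-site request config ($1 = dir, $2 = domain), the [req]/[dn] file above.
write_csr_cnf() {
    cat > "$1/$2.csr.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=admin@example.com
CN=$2
EOF
}

# STEP 3: the shared v3.ext ($1 = dir). Every further argument becomes the next
# DNS.n entry, which is how the post adds a second site (DNS.3 = NEWSITEDOMAIN).
write_v3_ext() {
    out=$1; shift
    {
        echo 'authorityKeyIdentifier=keyid,issuer'
        echo 'basicConstraints=CA:FALSE'
        echo 'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment'
        echo 'subjectAltName = @alt_names'
        echo '[alt_names]'
        echo 'DNS.1 = localhost'
        i=2
        for d in "$@"; do echo "DNS.$i = $d"; i=$((i + 1)); done
    } > "$out/v3.ext"
}

# STEP 4: key + CSR from the cnf, then sign with the root using v3.ext.
issue_site_cert() {
    openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$1/$2.key" \
        -out "$1/$2.csr" -config "$1/$2.csr.cnf" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
        -passin "pass:$ROOT_PASS" -CAcreateserial -out "$1/$2.crt" -days 5000 \
        -sha256 -extfile "$1/v3.ext" 2>/dev/null
}

# The browser's view: does $2.crt chain to rootCA.pem AND name host $3 in its SAN?
cert_valid_for_host() {
    openssl verify -CAfile "$1/rootCA.pem" -verify_hostname "$3" "$1/$2.crt" 2>/dev/null \
        | grep -q ': OK$'
}

# Did v3.ext take effect: X.509 v3, not a CA, domain present as a DNS SAN?
cert_is_v3_leaf() {
    text=$(openssl x509 -in "$1/$2.crt" -noout -text)
    echo "$text" | grep -q 'Version: 3' && echo "$text" | grep -q 'CA:FALSE' \
        && echo "$text" | grep -q "DNS:$2"
}

# Worked run: first site, then a second site added as the post describes
# (re-run steps 2 to 4, keep rootCA.*, extend v3.ext with DNS.3).
demo() {
    dir=$(mktemp -d)
    make_root_ca "$dir"
    write_v3_ext "$dir" mysite.test;             write_csr_cnf "$dir" mysite.test
    issue_site_cert "$dir" mysite.test
    write_v3_ext "$dir" mysite.test second.test; write_csr_cnf "$dir" second.test
    issue_site_cert "$dir" second.test
    for pair in mysite.test:mysite.test mysite.test:localhost mysite.test:second.test \
                second.test:second.test second.test:mysite.test; do
        crt=${pair%%:*}; host=${pair##*:}
        if cert_valid_for_host "$dir" "$crt" "$host"; then r=valid; else r=REJECTED; fi
        echo "$crt.crt for https://$host/ -> $r"
    done
    echo "files left in $dir"
}
demo
```

Run it with `sh`; the only rejection in the worked run is mysite.test.crt presented for https://second.test/, because that cert was issued while v3.ext listed only DNS.1 and DNS.2. Note the flip side of sharing one v3.ext: second.test.crt also validates for mysite.test, since every domain currently in alt_names goes into each newly issued cert. One caveat on the numbers the post uses: the root is good for 1024 days while the leaves get 5000, and `openssl verify` (like a browser) checks each certificate’s own dates, so once the root expires every site cert fails until you regenerate the root and trust it again in Keychain Access.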

STEP 5
Now, open the Keychain Access app in OS X and add your new certs, then set them to always be trusted. That way your Mac will stop throwing warnings. Also, if you are looking at your site via the CodeKit Bonjour URL, then you'll need to add the temporary SSL certificate CodeKit creates. You'll find that in the My Certificates section of the Keychain Access app.

I also ran into a thing with iThemes Security. Its .htaccess rules were causing redirect loops for the SSL: you could get to the home page, but no secondary pages; secondary pages resulted in a 500 error. Replacing the iThemes Security SSL feature with the ‘Really Simple SSL’ plugin, then clearing out the config that iThemes put in the .htaccess file, cleared that right up.

OMG, that made your brain hurt, right? It made mine hurt for a bit too, but hopefully all is working for you now.