How to generate a certificate for a websocket server running on a linode instance

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: I have an angular app (domain = scoutgames.online) which uses websockets to contact a backend server which is running on a different server (linode instance 109.74.193.127 on port 3000).

I ran this command: N/A

It produced this output: N/A

My web server is (include version): it’s a python3 script running on a linode instance:
start_server = websockets.serve(server.ws_handler, "109.74.193.127", 3000, ssl=ssl_context)

The operating system my web server runs on is (include version): Ubuntu 20

My hosting provider, if applicable, is: Godaddy for the angular app and a linode instance for the websocket server.

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel on the GoDaddy server. Direct root access on the linode server.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.40.0

I’m out of my depth at the moment and would appreciate some help. I had this working fine on HTTP but when I changed to HTTPS, I ran into problems.

I was able to create an SSL certificate for the GoDaddy server using ZeroSSL and change the websocket to use wss: instead of ws:. So far so good. I also changed the python server script on the linode to include ssl_context.

The response I got on the browser is “Can’t connect to server” and the console shows SSL_ERROR_BAD_CERT_DOMAIN so I can see there is a problem at the server end. As an experiment I created a self-signed certificate and then the browser message changed to be MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT which is sensible.

The python websocket server on linode therefore seems to be working but the certificate is incorrect. I am stuck trying to work out how to generate a suitable certificate for the python websocket server since it’s not on a specific domain, it’s just an IP address which the angular app can connect to.

If anyone can tell me where I’m going wrong that would be great.

1 Like

Hi @Eskibrew

do you use the ip address or the domain name to connect?

If you change the certificate and if the error message changes, you have found the correct place.

But that's only a part of the problem. The client must use the domain name, not the ip address to connect.

1 Like

Ah thank you :sunglasses:

Currently in the angular app, I am specifying the IP address of the websocket server.

Ok, that sounds promising then.

I'm confused here... The client is a web app (Angular single page application) hosted on a GoDaddy webserver. The DNS settings for the scoutgames.online domain point to this webserver and therefore pages are served. This client contacts a backend websocket server (written in python) which is running on a Linode instance. I have the IP address for the Linode instance but there is no domain associated with it.

Before switching to HTTPS, everything was working as I expected with the angular app specifying the IP address of the backend websocket server in the connection:
this.wsocket = new WebSocket('wss://109.74.193.127:3000');

I've never before tried something like this so I freely admit I might be going about it the wrong way - any advice is very welcome, thanks :+1:

Are you saying that I need to have a second domain configured which points to the linode instance? :thinking:

1 Like

That requires a certificate with an ip address.

But currently, you can't create Letsencrypt certificates with ip addresses, so the result is expected.

You must use a domain name to connect so you can use a certificate with a domain name.

1 Like
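Added example, not part of the original thread: a minimal Python sketch of the name check a TLS client applies, showing why connecting by IP address to a server whose certificate only lists DNS names ends in a domain-mismatch error. The certificate contents are constructed sample data, and `ws.scoutgames.online` and `www.scoutgames.online` are hypothetical names used for illustration.

```python
import ipaddress

def _dns_matches(pattern: str, host: str) -> bool:
    """Compare one DNS entry from the certificate with the requested host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands in for exactly one left-most label.
        first_label, _, parent = host.partition(".")
        return bool(first_label) and parent == pattern[2:]
    return pattern == host

def check_endpoint(target: str, subject_alt_names) -> tuple:
    """Return (ok, reason) for connecting to `target` with this certificate.

    `subject_alt_names` uses the shape of getpeercert()["subjectAltName"]:
    a sequence of (type, value) pairs such as ("DNS", "example.com").
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL is only compared with IP Address entries.
        listed = [v for kind, v in subject_alt_names if kind == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in listed):
            return True, "IP address is listed in the certificate"
        return False, "connecting by IP, but no matching IP address in the certificate"
    names = [v for kind, v in subject_alt_names if kind == "DNS"]
    if any(_dns_matches(n, target) for n in names):
        return True, "host name is listed in the certificate"
    return False, "host name is not among the certificate's DNS names"

# Constructed sample data; ws.scoutgames.online is a hypothetical subdomain.
SITE_CERT = [("DNS", "scoutgames.online"), ("DNS", "www.scoutgames.online")]
WS_CERT = [("DNS", "ws.scoutgames.online")]

if __name__ == "__main__":
    for target, sans in [
        ("109.74.193.127", SITE_CERT),
        ("109.74.193.127", WS_CERT),
        ("ws.scoutgames.online", WS_CERT),
    ]:
        print(target, check_endpoint(target, sans))
```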

Ok, thank you - you’ve clarified my problem :sunglasses:
I’ll see about adding another domain and try again.

You don’t need a new domain. Add a subdomain of an existing domain name, that’s enough.

2 Likes

Oh ok, brilliant - thank you.

1 Like

JuergenAuer, I now have it working! - thanks so much for your help, it is much appreciated.

2 Likes
