SSL certs for a HTTP server running on EC2 instance

Hey everyone,

TLDR: The writer has created a web extension that injects a piece of code into a web page. The extension works fine on locally hosted HTTP pages but throws an error on globally hosted HTTPS pages due to content security policies that block requests made to the local host by HTTP. To fix this, the writer hosted the code on AWS and wrapped the Python socket server and HTTP server into the SSL context. However, requests made by the browser are restricted due to SSL cert issues. The writer tried to create certs for the IP address, but couldn't find a solution. The writer needs help in resolving this issue since they don't want to spend on a domain for this private project.


First of all, I'd like to start with some description of what I am doing. I've created a web extension whose main responsibility is to inject a piece of code into the currently loaded web page (not a big task tho). This piece of code is actually a <script src=""></script> tag, which gets added to the web page's source code. The "src" contains the path of a JavaScript file which is basically an event listener that listens to a few events on the web page and performs operations accordingly. Operations include making a request to a proxy server written in Python, which further sends the request to an HTTPS website.

All the development of this project was done locally, so locally there were no such issues in making connections to different running socket servers, injecting a piece of code, or even, you know, CSP policy or something, etc. At this point in time, I was injecting the <script src="XYZ"></script> into the web pages hosted locally on the HTTP server. However, when I tried to do the same on pages hosted globally (like GitHub's user profile page or any HTTPS page), my web extension was able to inject the script tag successfully, but when it tried to make a request to a file (XYZ) present on my local host, I got issues such as Content Security Policy, which says "due to the Content Security Policy, requests made to the local host by HTTP are often blocked". Then I decided to host my code on a cloud, checked some cloud hosting providers, and finally ended up with AWS.

If you want to check out how it injects the file, go here

On AWS, I wrapped the Python socket server and HTTP server into the SSL context. The basic requirements to do this are having a private key file, a CSR, and a cert file, which I successfully generated using OpenSSL.

When I run either the Python "SSL" socket server or the HTTP server on an AWS EC2 instance and try to make a connection from my machine, it generally results in an error, specifically an "SSL certs" error. To fix this issue, I downloaded the server cert file from the EC2 instance using the "scp" command, copied it to /etc/ssl/certs, and then updated the ca-authorities. Then I tried making a request using curl with the flags --insecure and --cacert <server_cert_file>; it was successful, the request was made, and I got the response back from the server as well. However, these two flags are necessary, because without them this leads to an SSL error.

Now obviously, I won't have only curl and a Python script making connections to the HTTP/Python socket server running on the EC2 instance; there will be some requests from the browser as well, and here I can't think of any solution to make it possible. I checked the documentation of Let's Encrypt, followed the steps, and got stuck at creating certs for an IP address instead of a domain name. Now I don't think we can create such certificates; however, self-signed ones are possible for testing with an IP address.

Can somebody please help me here? Most of the requests will be coming from the browser, and the browser is definitely going to restrict the connection if there are cert issues, so there'll not be any insecure communication. I am not yet financially strong and really don't want a domain registered, because this project will have little to no users communicating with it; it's kind of private tho.
Also, I've tried to add a server.crt in my Brave browser, but it says the cert already exists :laughing: and still this issue comes up.
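As an added example (not code from the original post), here is the setup the post describes, carried through end to end in Python: a self-signed certificate generated with the openssl CLI that names the server's IP in a subjectAltName, a Python HTTP server wrapped in a server-side TLS context, and a client that trusts that certificate explicitly (the equivalent of curl --cacert) while keeping verification switched on. It assumes the loopback address 127.0.0.1 in place of the EC2 instance's IP and that openssl is on PATH; both are assumptions, not details from the post.

```python
"""Added example (not the poster's code): a TLS-wrapped Python HTTP server whose
self-signed certificate carries an IP subjectAltName, plus a client that verifies it
by trusting that certificate explicitly instead of disabling verification.

Assumptions (constructed for the example): 127.0.0.1 stands in for the EC2 instance's
public IP, and the `openssl` command-line tool is available on PATH."""
import http.client
import http.server
import os
import ssl
import subprocess
import tempfile
import threading
from typing import Optional, Tuple

HOST = "127.0.0.1"  # stand-in for the instance IP the server cert must name


def make_self_signed_cert(directory: str, ip: str = HOST) -> Tuple[str, str]:
    """Create a throwaway RSA key and a one-day self-signed cert whose SAN is the bare IP.

    The IP has to appear as an iPAddress SAN: clients do not match IP literals against the CN.
    """
    key = os.path.join(directory, "server.key")
    crt = os.path.join(directory, "server.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", f"/CN={ip}", "-addext", f"subjectAltName=IP:{ip}"],
        check=True, capture_output=True,
    )
    return key, crt


class _Handler(http.server.BaseHTTPRequestHandler):
    """Tiny GET handler standing in for the poster's proxy endpoint."""

    def do_GET(self) -> None:
        body = b"hello over TLS\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the example output quiet
        pass


def start_tls_server(key: str, crt: str) -> Tuple[http.server.HTTPServer, int]:
    """Bind an HTTPServer on an ephemeral port and wrap its listening socket in TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # server-side context, modern defaults
    ctx.load_cert_chain(certfile=crt, keyfile=key)
    httpd = http.server.HTTPServer((HOST, 0), _Handler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


def fetch(port: int, cafile: Optional[str]) -> int:
    """GET / over TLS and return the HTTP status.

    cafile=None uses the system trust store (what a browser or plain curl does), so a
    self-signed cert fails with ssl.SSLCertVerificationError. Passing the cert path is
    the equivalent of curl --cacert and keeps hostname/IP checking enabled.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(HOST, port, context=ctx, timeout=5)
    try:
        conn.request("GET", "/")
        return conn.getresponse().status
    finally:
        conn.close()


def demo() -> dict:
    """Run both client paths against a fresh server and report what each one saw."""
    with tempfile.TemporaryDirectory() as workdir:
        key, crt = make_self_signed_cert(workdir)
        httpd, port = start_tls_server(key, crt)
        try:
            result = {"trusted_cafile_status": fetch(port, crt)}
            try:
                fetch(port, None)
                result["system_trust_rejected"] = False
            except ssl.SSLCertVerificationError:
                result["system_trust_rejected"] = True
        finally:
            httpd.shutdown()
            httpd.server_close()
    return result


if __name__ == "__main__":
    print(demo())
```

The request that trusts the server's own certificate as its CA file returns 200 with verification still on, while the same request through the system trust store is rejected with SSLCertVerificationError. That second path is what a browser does with a self-signed certificate, and there is no request flag that changes it; only a certificate chaining to a trust store the browser already holds clears it.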

Hi @Himan10, and welcome to the LE community forum :slight_smile:

Sorry, in advance, if this will sound a bit negative.

I doubt it.
If I understand the problem correctly, you are asking for coding advice.
Like: Content Security Policy
OR
You simply don't understand TLS enough to see where the coding has gone wrong.

Either case, this is not the ideal forum.

You can afford an EC2 instance, but can't afford an FQDN?
FQDNs can be FREE - if you know where to get them [search FREE DDNS NAMES].

IMHO, I think you don't even need the EC2 instance.
You've taken a flawed design and moved it to the cloud - but it is still flawed and will continue to fail.
So, I would recommend revisiting the design process [perhaps reviewing it with someone else - who better understands TLS].

3 Likes

Let's Encrypt does not offer certificates for IP addresses.

Other free SSL certificate CAs do, but they may not allow ACME automation.

Using a free domain name is honestly your best option.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.