SSL for local applications


#1

Hi,

We are a very, very small company and we create free applications (mediacenter audio & video - Homecast).

The application create a local http server, work great but we soon will have problem to use for exemple ChromeCast as version 68 of Chrome will not allow us to send Chromecast session from http.

Android App are also available to connect to this media center (HomeCast)

We also have web application in developpement that use the local application ( a live TV transcoding for french subcribers of Free) and more projet (like a raspeberry pi chromecast like client and a smarttv player). All work good with HTTP but not with https ( mixed content problem of course)

I search the best way to enable https with local application (HomeCast), this will really essential, allowing the application to communicate with https websites and services.
Applications are already register at startup with our server and our discovery service work good on HTTP.

HomeCast is fully able to handle HTTPS, our web site is powered with it in HTTPS.

I’m not really an expert with ssl certifications and here is my first thought :

We already own a domain name *.ververt-studio.com

Each application register as ip.xxxxx.ververt-studio.com (subdomain xxxxx = unique hash key), will it be possible? is there is limits ? do i need to have an another domain name only for the application like *.homecast-ververtstudio.com.

I really thanks you to give me advises on how to do it, and if it’s possible with Let’s Encrypt.

John


#2

@jsha, do you have some up-to-date advice for this situation? I know we’ve had several other discussions related to this kind of thing.


#3

Hi friends,

I saw that my problem do not interest lot of people … but i continue to work hard and here where i am :slight_smile:

Our media center is called HomeCast, so i bought a domaine homecast.app
First challenge was to deal with DNS and DDNS, so i become my own DDNS provider. I dedicaced a subset of the domaine to do the job dyn.homecast.app cos i want to be able to create a my.homecast.app to deal with dns names of the software.

Now when application is running, it’s self register with us and we create the DDNS. The software
is then accessible with this dns address like this:

local.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app for local ip
ext.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app from ext ip

c1ce1bedffa54206bb2ffe44442d72d3 is and hash uuid

All is work great … but now i need to set security to with. What i would like to do is have a generic ssl
for *.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app.

Is it possible to do this ? is with a *.homecast.app i will be able to generate a sub certificate *.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app for each app ? do i need to become my own CA ?

Thanks a lot


#4

A wildcard certificate from Let’s Encrypt does not allow you to create new certificates. If you control the DNS for homecast.app, you could get a cert for *.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app, but you’d quickly run into rate limits (at least if you have very many customers) unless homecast.app is on the public suffix list. If you control whatever system will be validating the cert for *.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app, the easiest answer is almost certainly to act as your own CA for these certs, which is what Plex does for theirs.


#5

Yes … i google a bit to see my options … look sad for me.
I think i will never be allowed to be in public suffix list so other options is :slight_smile:

  • Become my own CA but the problem will be to install my root certificat in user webbrowser manually what will not be possible for Chromecast or Smart tv.
  • Be in business with a DDNS provider that is part of the public list to allow me to register my software clients by script and than register to Let Encript but i will loose the homecast.app
  • Be in business with Let’s encrypt … don’t now if it’s possible
  • Use DigiCert multi domain ssl with wildcart option … about 500$/year.

It’s really a shame that i need third part provider to achieve this, i spend so many nights on this projet …

I will aware you of how i handle this issue.


#6

An option you haven’t mentioned is seeking a rate limit exemption from LE. I’m not sure what that process looks like, though.


#7

Hi @John_at_ververt,

For more info about this process read this post (it includes the link to the form to apply for the exemption), read it carefully.

If your only purpose is to avoid LE rate limits, yes, you will never be included but you should consider the super cookies privacy problem that would be solved being included in that list, for more info https://publicsuffix.org/learn/

Just in case you didn’t know it, Top Level Domain app is preloaded in modern browsers to use HSTS (HTTP Strict Transport Security) so they will never try to connect to your site using http, they will use https always.

Good luck,
sahsanu


#8

yes i know that .app are https only and i only want to connect with https , if the user need to connect without it’s possible to use local ip to do this.

Https for my softwares are only need to use thrid part devices like chromecast or smarttv from within my app.


#9

@jsha, would you be willing to opine on this situation?


#10

Hello friends,

I work hard and here are news from me.
I create an Acme Client for protocol V2 in Lua. Our media embed Lua for pages generation. Lua is a great embedded language (homecast server is in C++)

SSL generation steps are the following :
1 - HomeCast register at start up with us
2 - HomeCast open Upnp port
3 - HomeCast create a LE user priv key
5 - HomeCast ask a new order for *.xxxxxxxxxxxxxxxx.dyn.homecast.app
6 - HomeCast get the dns token
7 - HomeCast update the *.xxxxxxxxxxxxxxxx.dyn.homecast.app DNS TXT with _acme-challenge token
8 - HomeCast validate the challenge & finalize
9 - HomeCast start the Secure server

It’s work great ! but of course i will reach the limit of 20/w for my dyn.homecast.app domaine witch it’s not usable for “production”.

I link the script. It’s not usable in default Lua cos i add a lot of objects to lua, but this class is 95% compatible with default lua. I struggle a bit/lot to do this (1 week of work & test) and i think it’s could be usefull for others who like to get cert from lua or get clues on how i handle openssl, x509, jwt, … in lua. There is no really working acme client v2 in lua (i don’t find some …). It’s only for the DNS challenge as i only need this.
Acme.lua.txt (19.3 KB)

Main functions

pAcmeClient = Acme:new();
– Stage or not
pAcmeClient:setDebug(true);
– Create an account key
pAcmeClient:createAccountKey();
– Load an account,key in PEM format
pAcmeClient:setAccountKey(szData);
– Initialize Acme
bRet, szError = pAcmeClient:init()
– register account or check it
bRet, szErr = pAcmeClient:newAccount("mailto:contact@ververt-studio.com");
– Create an order
bRet, szErr = pAcmeClient:newOrder(".xxxxxxxxxxx.dyn.homecast.app");
– Get Token in TXT
szTxtToken = pAcmeClient:getChallengeToken2TXT();
– Query certificate (60 is timeout)
bRet, szErr = pAcmeClient:requestCertificate(60, "
.xxxxxxxxxxx.dyn.homecast.app");
– Domaine certificate private key in PEM
pAcmeClient.mszCertificatPrivate
– Domaine certificate in PEM
pAcmeClient.mszCertificatPublic
– Get certificate dates (in unix time)
local bRet, iStart, iEnd = pAcmeClient:getCertificateTime(pAcmeClient.mszCertificatPublic);

I’m also in contact with DigiCert for a commercial solution but i really like to do it with free community as i make free softwares and i’m ready to sponsor LE.

I’m closed to succeed … or not … “avisons sur place” = wait and see in french
++


#11

Here is a modified version of my lua ACME client with a better handling of a pending order that encounter a dns challenge problem

acme.lua.txt (19.5 KB)

This script can create/renew certificate really easily .! and it’s working good !


#12

Hi @John_at_ververt,

Thanks for doing this! If you can host this somewhere other than the forum, perhaps it could be added to the list of ACME client implementations. (That is, if you think that it’s ready for other users and you don’t mind the chance that they’ll try to contact you with support requests. If you don’t want that, maybe just posting it here as an example is the best choice. :slight_smile:)


#13

[quote=“John_at_ververt, post:10, topic:60055”]
It’s work great ! but of course i will reach the limit of 20/w for my dyn.homecast.app domaine witch it’s not usable for “production”.[/quote]

Isn’t it possible that you use subdomains like

local-c1ce1bedffa54206bb2ffe44442d72d3-dyn.homecast.app
ext-c1ce1bedffa54206bb2ffe44442d72d3-dyn.homecast.app

A single *.homecast.app - Certificate would do the job.


#14

Unfortunately that violates the LetsEncrypt TOS because the private key would distributed to all downloaders, so it would be revoked.


#15

I think about it … but i would need to distribute the private key of the certificate that will be a drama for every ssl authority.

Unfortunately, there is no easy way to solve my problem, i need to be thrust by a certificate authority and i think with web security enforcement other than me will have this kind of trouble.


#16

Yes … i could do this, i can even do better, convert this class to a pure lua compatible script and host it online. I will do this next week and aware you when done.


#17

You could share it with the OpenResty community; someone could turn it into something like the go autocert module.


#18

That’s very kind of you. Thanks! I’m sure it will be of use to other people.


#19

Yes. But is it possible to change the application? So that a webservice (with this certificate and without distribution) can do the (modified) job?


#20

All the traffic would then have to go through that service, which seems like it would be a significant bandwidth burden considering it does video streaming. Also users would have to trust that webservice with their data, as it would have access to the unencrypted streams.