We are a very, very small company and we create free applications (media center audio & video - Homecast).
The application creates a local HTTP server; it works great, but we will soon have a problem using, for example, Chromecast, as version 68 of Chrome will not allow us to send a Chromecast session from HTTP.
Android apps are also available to connect to this media center (HomeCast).
We also have a web application in development that uses the local application (live TV transcoding for French subscribers of Free) and more projects (like a Raspberry Pi Chromecast-like client and a smart TV player). All work well with HTTP but not with HTTPS (mixed content problem, of course).
I am searching for the best way to enable HTTPS with the local application (HomeCast); this will be really essential, allowing the application to communicate with HTTPS websites and services.
Applications already register at startup with our server, and our discovery service works well on HTTP.
HomeCast is fully able to handle HTTPS; our website is powered by it in HTTPS.
I'm not really an expert with SSL certificates, and here is my first thought:
We already own a domain name, *.ververt-studio.com.
Each application registers as ip.xxxxx.ververt-studio.com (subdomain xxxxx = unique hash key). Will it be possible? Are there limits? Do I need to have another domain name only for the application, like *.homecast-ververtstudio.com?
I really thank you for giving me advice on how to do it, and whether it's possible with Let's Encrypt.
I saw that my problem does not interest a lot of people... but I continue to work hard, and here is where I am.
Our media center is called HomeCast, so I bought the domain homecast.app.
The first challenge was to deal with DNS and DDNS, so I became my own DDNS provider. I dedicated a subset of the domain to do the job, dyn.homecast.app, because I want to be able to create a my.homecast.app to deal with the DNS names of the software.
Now when the application is running, it self-registers with us and we create the DDNS entry. The software is then accessible with a DNS address like this:
local.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app for the local IP
ext.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app for the external IP
c1ce1bedffa54206bb2ffe44442d72d3 is a hash UUID.
All works great... but now I need to set up security with it. What I would like to do is have a generic SSL certificate.
Is it possible to do this? With a *.homecast.app certificate, will I be able to generate a sub-certificate *.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app for each app? Do I need to become my own CA?
A wildcard certificate from Let's Encrypt does not allow you to create new certificates. If you control the DNS for homecast.app, you could get a cert for *.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app, but you'd quickly run into rate limits (at least if you have very many customers) unless homecast.app is on the public suffix list. If you control whatever system will be validating the cert for *.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app, the easiest answer is almost certainly to act as your own CA for these certs, which is what Plex does for theirs.
For more info about this process, read this post (it includes the link to the form to apply for the exemption); read it carefully.
If your only purpose is to avoid LE rate limits, yes, you will never be included, but you should consider the supercookies privacy problem that would be solved by being included in that list. For more info, see Learn more about the Public Suffix List.
Just in case you didn't know it, the top-level domain .app is preloaded in modern browsers to use HSTS (HTTP Strict Transport Security), so they will never try to connect to your site using HTTP; they will always use HTTPS.
I worked hard, and here is news from me.
I created an ACME client for protocol v2 in Lua. Our media center embeds Lua for page generation. Lua is a great embedded language (the HomeCast server is in C++).
SSL generation steps are the following:
1 - HomeCast registers at startup with us
2 - HomeCast opens a UPnP port
3 - HomeCast creates an LE user private key
5 - HomeCast asks for a new order for *.xxxxxxxxxxxxxxxx.dyn.homecast.app
6 - HomeCast gets the DNS token
7 - HomeCast updates the *.xxxxxxxxxxxxxxxx.dyn.homecast.app DNS TXT record with the _acme-challenge token
8 - HomeCast validates the challenge & finalizes
9 - HomeCast starts the secure server
It works great! But of course I will reach the limit of 20/week for my dyn.homecast.app domain, which is not usable for "production".
I link the script. It's not usable in default Lua because I added a lot of objects to Lua, but this class is 95% compatible with default Lua. I struggled a bit/a lot to do this (1 week of work & testing), and I think it could be useful for others who would like to get a cert from Lua or get clues on how I handle OpenSSL, X.509, JWT, ... in Lua. There is no really working ACME v2 client in Lua (I didn't find one...). It's only for the DNS challenge, as I only need this. Acme.lua.txt (19.3 KB)
```lua
pAcmeClient = Acme:new();
-- Stage or not
-- Create an account key
-- Load an account key in PEM format
-- Initialize Acme
bRet, szError = pAcmeClient:init()
-- Register account or check it
bRet, szErr = pAcmeClient:newAccount("mailto:email@example.com");
-- Create an order (wildcard identifier)
bRet, szErr = pAcmeClient:newOrder("*.xxxxxxxxxxx.dyn.homecast.app");
-- Get token in TXT
szTxtToken = pAcmeClient:getChallengeToken2TXT();
-- Query certificate (60 is timeout)
bRet, szErr = pAcmeClient:requestCertificate(60, "*.xxxxxxxxxxx.dyn.homecast.app");
-- Domain certificate private key in PEM
-- Domain certificate in PEM
-- Get certificate dates (in unix time)
local bRet, iStart, iEnd = pAcmeClient:getCertificateTime(pAcmeClient.mszCertificatPublic);
```
I'm also in contact with DigiCert for a commercial solution, but I really like to do it with the free community as I make free software, and I'm ready to sponsor LE.
I'm close to succeeding... or not... "avisons sur place" = wait and see in French.
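Steps 6 and 7 above (get the DNS token, publish the _acme-challenge TXT record) are where a DNS-01 client most often goes wrong: the TXT value is not the token itself, and for a wildcard name the record is published at the base name with the "*." dropped. The following is an added example, not part of the poster's Acme.lua, in Python standard library only; it computes the RFC 7638 account-key thumbprint, the RFC 8555 key authorization and the DNS-01 TXT value from a constructed sample JWK and token (the modulus and token values are placeholders, not real key material).

```python
import base64
import hashlib
import json

# Constructed sample account key (public part only); the modulus is a placeholder,
# not a real key. The "alg" member is deliberately present: it must NOT enter the thumbprint.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-base64url",
    "alg": "RS256",
}

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required members for the key type,
    lexicographically sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))

def thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)); the same value is used in the ACME 'kid'-less JWS."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint (RFC 8555 section 8.1)."""
    return f"{token}.{thumbprint(jwk)}"

def dns_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 TXT content: base64url(SHA-256(key authorization)) (RFC 8555 section 8.4)."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())

def challenge_record_name(identifier: str) -> str:
    """Owner name of the TXT record. A wildcard identifier '*.x.dyn.homecast.app'
    is validated at '_acme-challenge.x.dyn.homecast.app': the leading '*.' is dropped."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"

if __name__ == "__main__":
    token = "constructed-token-from-the-challenge-object"  # constructed sample, not from an ACME server
    ident = "*.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app"
    print(challenge_record_name(ident), "TXT", dns_txt_value(token, SAMPLE_JWK))
```

A wildcard identifier can only be validated with DNS-01, and the CA resolves the TXT record from the public DNS, so the DDNS update must be visible to public resolvers before the challenge is triggered.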
Thanks for doing this! If you can host this somewhere other than the forum, perhaps it could be added to the list of ACME client implementations. (That is, if you think that it's ready for other users and you don't mind the chance that they'll try to contact you with support requests. If you don't want that, maybe just posting it here as an example is the best choice.)
All the traffic would then have to go through that service, which seems like it would be a significant bandwidth burden considering it does video streaming. Also users would have to trust that webservice with their data, as it would have access to the unencrypted streams.