SSL for local applications


#1

Hi,

We are a very, very small company and we create free applications (mediacenter audio & video - Homecast).

The application creates a local HTTP server, which works great, but we will soon have a problem using for example Chromecast, as version 68 of Chrome will not allow us to send a Chromecast session from http.

Android apps are also available to connect to this media center (HomeCast).

We also have a web application in development that uses the local application (a live TV transcoding for French subscribers of Free) and more projects (like a Raspberry Pi Chromecast-like client and a smart TV player). All work well with HTTP but not with HTTPS (mixed content problem, of course).

I am searching for the best way to enable HTTPS with the local application (HomeCast); this will be really essential, allowing the application to communicate with HTTPS websites and services.
Applications are already registered at startup with our server and our discovery service works well over HTTP.

HomeCast is fully able to handle HTTPS; our website is powered by it over HTTPS.

I’m not really an expert with SSL certificates and here is my first thought:

We already own a domain name *.ververt-studio.com

Each application registers as ip.xxxxx.ververt-studio.com (subdomain xxxxx = unique hash key). Will it be possible? Are there limits? Do I need to have another domain name only for the application, like *.homecast-ververtstudio.com?

I really thank you for giving me advice on how to do it, and whether it’s possible with Let’s Encrypt.

John


#2

@jsha, do you have some up-to-date advice for this situation? I know we’ve had several other discussions related to this kind of thing.


#3

Hi friends,

I saw that my problem does not interest a lot of people … but I continue to work hard and here is where I am :slight_smile:

Our media center is called HomeCast, so I bought a domain, homecast.app.
The first challenge was to deal with DNS and DDNS, so I became my own DDNS provider. I dedicated a subset of the domain to do the job, dyn.homecast.app, because I want to be able to create a my.homecast.app to deal with DNS names of the software.

Now when the application is running, it self-registers with us and we create the DDNS. The software is then accessible with a DNS address like this:

local.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app for local ip
ext.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app from ext ip

c1ce1bedffa54206bb2ffe44442d72d3 is a hash UUID

All works great … but now I need to set up security with it. What I would like to do is have a generic SSL certificate for *.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app.

Is it possible to do this? With a *.homecast.app, will I be able to generate a sub-certificate *.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app for each app? Do I need to become my own CA?

Thanks a lot


#4

A wildcard certificate from Let’s Encrypt does not allow you to create new certificates. If you control the DNS for homecast.app, you could get a cert for *.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app, but you’d quickly run into rate limits (at least if you have very many customers) unless homecast.app is on the public suffix list. If you control whatever system will be validating the cert for *.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app, the easiest answer is almost certainly to act as your own CA for these certs, which is what Plex does for theirs.
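To make the point in post #4 concrete, here is an added example (not from this thread and not HomeCast's code) that applies the single-label wildcard rule browsers use to the local/ext names from post #3, and shows which registered domain Let's Encrypt's per-registered-domain rate limit would be counted against with and without dyn.homecast.app on the public suffix list. The hostnames are constructed from the scheme in post #3; the public suffix sets are assumptions, not the real list.

```python
import re

# Naming scheme from post #3: <scope>.<uuid>.dyn.homecast.app (constructed sample data).
DYN_SUFFIX = ["dyn", "homecast", "app"]
UUID_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_device_name(hostname):
    """Return (scope, uuid) for local.<uuid>.dyn.homecast.app or ext.<uuid>..., else None."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) != 5 or labels[2:] != DYN_SUFFIX:
        return None
    scope, uuid = labels[0], labels[1]
    if scope not in ("local", "ext") or not UUID_RE.match(uuid):
        return None
    return scope, uuid


def wildcard_matches(pattern, hostname):
    """RFC 6125 rule browsers apply: '*' must be the whole leftmost label and
    stands in for exactly one label, so *.homecast.app never covers a.b.homecast.app."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def cert_name_for(hostname):
    """Narrowest public-CA wildcard that covers both the local and the ext name of one device."""
    parsed = parse_device_name(hostname)
    if parsed is None:
        raise ValueError("not a HomeCast DDNS name: %s" % hostname)
    return "*.%s.%s" % (parsed[1], ".".join(DYN_SUFFIX))


def registered_domain(hostname, public_suffixes):
    """Registered domain = longest matching public suffix plus one more label.
    Let's Encrypt counts its certificates-per-registered-domain limit on this value."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in public_suffixes:
            return ".".join(labels[i - 1:])
    return None


if __name__ == "__main__":
    dev = "local.c1ce1bedffa54206bb2ffe44442d72d3.dyn.homecast.app"
    print(wildcard_matches("*.homecast.app", dev))               # False
    print(wildcard_matches(cert_name_for(dev), dev))             # True
    print(registered_domain(dev, {"app"}))                       # homecast.app: every device shares one bucket
    print(registered_domain(dev, {"app", "dyn.homecast.app"}))   # <uuid>.dyn.homecast.app: one bucket per device
```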


#5

Yes … I googled a bit to see my options … looks sad for me.
I think I will never be allowed to be in the public suffix list, so the other options are :slight_smile:

  • Become my own CA, but the problem will be to install my root certificate in the user's web browser manually, which will not be possible for Chromecast or smart TVs.
  • Be in business with a DDNS provider that is part of the public list to allow me to register my software clients by script and then register with Let's Encrypt, but I will lose homecast.app.
  • Be in business with Let’s Encrypt … don’t know if it’s possible.
  • Use DigiCert multi-domain SSL with wildcard option … about $500/year.

It’s really a shame that I need a third-party provider to achieve this; I have spent so many nights on this project …

I will let you know how I handle this issue.


#6

An option you haven’t mentioned is seeking a rate limit exemption from LE. I’m not sure what that process looks like, though.


#7

Hi @John_at_ververt,

For more info about this process, read this post (it includes the link to the form to apply for the exemption); read it carefully.

If your only purpose is to avoid LE rate limits, yes, you will never be included, but you should consider the super cookies privacy problem that would be solved by being included in that list; for more info see https://publicsuffix.org/learn/

Just in case you didn’t know it, the top-level domain app is preloaded in modern browsers to use HSTS (HTTP Strict Transport Security), so they will never try to connect to your site using http; they will always use https.

Good luck,
sahsanu


#8

Yes, I know that .app is https only and I only want to connect with https; if the user needs to connect without it, it’s possible to use the local IP to do this.

HTTPS for my software is only needed to use third-party devices like Chromecast or smart TVs from within my app.


#9

@jsha, would you be willing to opine on this situation?