Development SSL / TLS with CommandBox

September 19, 2019
coldfusion

I've been working on my upcoming Full Day ColdFusion Security Training Class at CFSummit. The training takes place on a VM which I have preloaded with everything the trainees will need. Because I'm a big fan of CommandBox, I thought I would set it up fully using CommandBox instead of Apache and the CF installer.

In order to teach certain sections we need HTTPS support, so here's a quick rundown of how I set it up on Linux; the same approach should work on a Mac.

Using mkcert to generate a CA cert

Normally I use openssl to generate a self-signed certificate authority (CA) cert, which I then import into Firefox as a trusted certificate. This time I decided to give another tool a whirl: mkcert. Once you have downloaded the binary, you just run:

mkcert -install

The above will generate a CA cert, which we can then import into Firefox or other browsers.

Now your browser will trust any certificate that mkcert generates! Take a second and let the implications of that sink in: you need to be careful when using such a tool, because with the private key to your CA, SSL certificates can be generated that look valid in your browser for any domain. One way to reduce this risk is to generate the wildcard certs you need and then delete rootCA-key.pem to prevent accidental exposure.

Generate a TLS Certificate

While we are here, let's note that the appropriate term is a TLS certificate, but the term SSL will probably be used as a synonym for another 20 years.

If you want to generate a wildcard cert for *.dev.local, run this:

mkcert "*.dev.local"

The output will be two PEM files: one is the certificate and one is the private key.

You can also generate a cert covering several domains if you don't want to use a wildcard:

mkcert dev.example.com example.dev other-dev.local

Using the Self Signed TLS Certificates with CommandBox

Now for the fun part: we can tell CommandBox to use our new certificate and start a server with SSL (er... TLS) enabled. The easiest way to do this is with a server.json file:

{
    "web": {
        "host": "test.dev.local",
        "SSL": {
            "certFile": "/path/to/dev.local.pem",
            "enable":"true",
            "keyFile":"/path/to/dev.local.key.pem",
            "port":"8443"
        }
    }
}

In the above case we are running the HTTPS server on port 8443. You can switch it to 443, but Unix operating systems only allow root to bind to port numbers below 1024, for security reasons.
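As an added example (not from this post, CommandBox or mkcert), here is a small Python preflight script that checks a server.json like the one above before you start the server. It assumes you pass it the names you gave to mkcert (e.g. "*.dev.local") and the CA directory printed by "mkcert -CAROOT", and it flags the two things this post warns about: a privileged port and a rootCA-key.pem still lying around.

```python
"""Preflight check for a CommandBox server.json TLS block generated with mkcert.

Hypothetical helper, not part of CommandBox or mkcert. It checks the things
that commonly go wrong: missing cert/key files, a key readable by other users,
a host that the wildcard cert does not actually cover, a port that needs root,
and an mkcert CA private key (rootCA-key.pem) left on disk in the CA directory.
"""
import json
import os
import stat


def host_matches(host: str, name: str) -> bool:
    """Browser-style name match: '*' covers exactly one leftmost label,
    so '*.dev.local' covers 'test.dev.local' but not 'dev.local' or 'a.b.dev.local'."""
    host, name = host.lower().rstrip("."), name.lower().rstrip(".")
    if not name.startswith("*."):
        return host == name
    host_labels, name_labels = host.split("."), name.split(".")
    return len(host_labels) == len(name_labels) and host_labels[1:] == name_labels[1:]


def check_server_json(path: str, cert_names: list, caroot: str) -> list:
    """Return a list of problems found; an empty list means the config looks sane.
    cert_names: the names passed to mkcert; caroot: the directory from `mkcert -CAROOT`."""
    with open(path) as fh:
        web = json.load(fh)["web"]
    ssl_cfg = web["SSL"]
    problems = []
    if str(ssl_cfg.get("enable", "false")).lower() != "true":
        problems.append("SSL is not enabled in server.json")
    for key in ("certFile", "keyFile"):
        if not os.path.isfile(ssl_cfg.get(key, "")):
            problems.append(f"{key} does not exist: {ssl_cfg.get(key)}")
    key_file = ssl_cfg.get("keyFile", "")
    # The private key should be readable by the server user only (chmod 600).
    if os.path.isfile(key_file) and os.stat(key_file).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("keyFile is readable by group/others; chmod 600 it")
    if not any(host_matches(web["host"], n) for n in cert_names):
        problems.append(f"host {web['host']} is not covered by certificate names {cert_names}")
    port = int(ssl_cfg.get("port", 443))
    if port < 1024 and hasattr(os, "geteuid") and os.geteuid() != 0:
        problems.append(f"port {port} needs root to bind; use 8443 or a reverse proxy")
    # Deleting rootCA-key.pem after issuing your dev certs limits the damage if
    # the CA directory is ever copied or shared.
    if os.path.exists(os.path.join(caroot, "rootCA-key.pem")):
        problems.append("mkcert CA private key rootCA-key.pem is still on disk in CAROOT")
    return problems
```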

Another Option

Another option for local TLS development is to put another HTTP server in front of CommandBox that handles port 80 and port 443 and proxies the requests on to CommandBox's port. Servers like Apache and nginx handle the root port issue by starting as root to bind the ports, then creating child processes that run as a non-root user.

Comments

I think you intended to link to https://mkcert.dev and not mkcert.org. It looks like mkcert works with Windows too, but requires using Chocolatey.
Upon further review, it looks like pre-built binaries for mkcert are available at https://github.com/FiloSottile/mkcert/releases
Yes, I did -- I have updated the link, thanks.
FYI: According to this post from 2016 https://news.ycombinator.com/item?id=12578908 RFC-6761 [1] reserves four TLDs: .example, .invalid, .localhost, and .test. (I'm using .test as my TLD.) .DEV is owned by Google while .LOCAL & .APP are reserved. (RFC 6762 reserves .LOCAL for Multicast DNS on a local network.)
FYI: Chrome & Firefox reject second-level wildcard certificates https://stackoverflow.com/questions/54939770/wildcard-ssl-tls-certificate-for-second-level-domain-rejected-be-the-browsers so I'll be using "*.test.local" instead.
Sorry, I meant "*.local.test". (based on other info I provided earlier which hasn't been approved as a blog comment yet.)

Foundeo Inc.