Self Signed TLS Certs

Every once in a while in a web developer's life the need arises to generate some magic files to put in a local webserver so that Chrome stops complaining that your local traffic is not encrypted.

Because you know it is incredibly important to encrypt local traffic because the Russians are listening.

You've done this exactly fourteen times before, so you vaguely remember you have to enter some commands that have 50 weird parameters each.

Tldr

ssh key-gen

wait, no that's not it

ssh-genkey?

nope

pgp --gen-key?

colder..

The real tldr:

    openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
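
The command above prompts for the subject fields and writes no subjectAltName, which Chrome needs in order to match the hostname once the certificate is trusted. The following is an added example, not part of the original post, that generates the same files without prompts, adds a SAN and checks the result; the function names and the localhost/127.0.0.1 names are assumptions, and `-addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example; function names and the localhost/127.0.0.1 names are assumptions.
# Requires OpenSSL 1.1.1 or newer for -addext.

# make_dev_cert DIR [HOST]: write DIR/domain.key and DIR/domain.crt without prompts.
# The body runs in a subshell so the umask change does not leak to the caller.
make_dev_cert() (
    dir=$1
    host=${2:-localhost}
    umask 077    # new files are readable by the owner only
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/domain.key" \
        -x509 -days 365 -out "$dir/domain.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:127.0.0.1" 2>/dev/null
)

# SHA-256 of the public key inside a certificate / derived from a private key.
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
key_pubkey_hash()  { openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'; }

# check_dev_cert DIR HOST: succeed only if the key belongs to the certificate,
# the SAN lists HOST, and the certificate is still valid 24 hours from now.
check_dev_cert() (
    crt=$1/domain.crt
    key=$1/domain.key
    [ "$(cert_pubkey_hash "$crt")" = "$(key_pubkey_hash "$key")" ] || exit 1
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$2" || exit 1
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null || exit 1
)
```

Run `make_dev_cert /some/dir` and then `check_dev_cert /some/dir localhost` before pointing a server at the files; a non-zero exit means the key and certificate do not belong together or the name is missing.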

WTF Google

Google SSL complaint screen

Chrome no longer lets you click "yea I know what I'm doing…" because the world has become so used to nags that users will impulsively click through anything.

You can get around this screen by clicking anywhere in the window, then keying thisisunsafe

Okay now what do I do with these files

If you're reading this page, you're probably just me trying to remember some config, so you know that the configurations below are not really "production ready" things and need to be further configured. You're just trying to set up the bare minimum local environment, and you really don't care that the Russians are using your local traffic to trick people into voting for Donald Trump.

However, on the off chance you're not me doing a self cross reference, you should heed Google's shitty advice and know that what you're about to do probably isn't safe. thisisunsafe

NGINX

    # /etc/nginx/sites-available/default

    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        ssl_certificate /path/to/domain.crt;
        ssl_certificate_key /path/to/domain.key;

        root /var/www/html;

        index index.html;

        server_name _;

        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
        }
    }

Python Server

    import http.server
    import ssl

    # Webserver config ('' listens on every interface; use '127.0.0.1' to stay local-only)
    server_address = ('', 4443)
    httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)

    # TLS config (ssl.wrap_socket() was removed in Python 3.12, so use an SSLContext)
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    context.load_cert_chain(certfile=".ssh/domain.crt", keyfile=".ssh/domain.key")
    httpd.socket = context.wrap_socket(httpd.socket, server_side=True)

    # Start server
    print("Server running on https://localhost:4443")
    httpd.serve_forever()