
Self-hosted control rooms have invalid SSL certificates, which causes api calls from the extension to fail #8144

Closed
BLoe opened this issue Apr 3, 2024 · 7 comments

Comments

BLoe (Collaborator) commented Apr 3, 2024

I don't know if I have all the information here, but from what I've learned so far, we have basically two options if we want to test the extension with self-hosted CRs:

  • The admin console/back end has a hack where it doesn't validate SSL certs for AA API calls; we could implement a similar hack in the extension
  • We could set up certs for our self-hosted CR domains (and document this process and possibly automate it?)
  • We could just not use self-hosted CRs and depend on setting up cloud CRs for testing -- I believe this would add a dependency on Shane to set them up for us
twschiller (Contributor) commented Apr 4, 2024

Capturing discussion from Slack here:

The current approach is to download the certificate and trust it in the operating system. Our public docs are here: https://docs.pixiebrix.com/how-to/troubleshooting/troubleshooting-network-errors#the-browser-blocked-the-request-because-the-https-certificate-on-the-server-is-invalid-untrusted

> we could implement a similar hack in the extension

To my knowledge that's not possible. You'd have to find a Chrome setting to not verify the SSL certificate for API calls. E.g., in Postman, there's a Postman setting to not verify the SSL certificate.

twschiller (Contributor) commented Apr 4, 2024

@grahamlangford this should likely be @BLoe and @johnnymetz pairing to ensure our dev/test environment is working again and that the steps to use it are documented.

twschiller (Contributor) commented

For reference, other people calling out that a service worker can't make API calls to a server with an invalid certificate: w3c/webextensions#72 (comment)

johnnymetz (Collaborator) commented May 7, 2024

Notes

Full URL: https://pixiebrix-controlroom-dev-4.eastus.cloudapp.azure.com
FQDN: pixiebrix-controlroom-dev-4.eastus.cloudapp.azure.com

Folder structure

pki folder:

  • private:
    • cert.key
    • cr.ks
  • trust:
    • store.ks
  • cert.pem

Commands I Tried

Note: I installed openssl with Chocolatey

[DIDN'T WORK: https://stackoverflow.com/a/41531915/6611672]

```sh
# Example from the linked answer
openssl pkcs12 -inkey rootCA.key -in rootCA.pem -export -out rootCA.pfx
# Actual command run against the pki folder above
openssl pkcs12 -inkey private/cert.key -in cert.pem -export -out cert.pfx
```

[DIDN'T WORK: https://learn.microsoft.com/en-us/azure/application-gateway/self-signed-certificates]

```sh
# Root (contoso): key, CSR, self-signed certificate
openssl ecparam -out contoso.key -name prime256v1 -genkey
openssl req -new -sha256 -key contoso.key -out contoso.csr
openssl x509 -req -sha256 -days 365 -in contoso.csr -signkey contoso.key -out contoso.crt

# Server (fabrikam): key and CSR
openssl ecparam -out fabrikam.key -name prime256v1 -genkey
openssl req -new -sha256 -key fabrikam.key -out fabrikam.csr

# Sign the server CSR with the contoso root, then inspect the result
openssl x509 -req -in fabrikam.csr -CA contoso.crt -CAkey contoso.key -CAcreateserial -out fabrikam.crt -days 365 -sha256
openssl x509 -in fabrikam.crt -text -noout
```

Resources:

johnnymetz (Collaborator)

BLoe (Collaborator, Author) commented May 9, 2024

@johnnymetz I think the last thing to close out this ticket should probably just be adding that guide to our user-facing docs somewhere, and we're good to go.
