
Goal: get SSL working in development mode (SSL works fine in production on Heroku).

My setup: Ubuntu 16.04, Rails 5.0.1, Puma 3.6.2

config/environments/development.rb

config.force_ssl = true 

I tried following along with this Puma SSL how-to: https://gist.github.com/tadast/9932075 (I am not sure what the GitHub protocol is regarding pasting the above link's content here vs. referencing it).

If I then use the command-line method to run Puma:

puma -b 'ssl://127.0.0.1:3000?key=/home/sean/.ssh/server.key&cert=/home/sean/.ssh/server.crt'

I get Chrome's 'Not Secure' error when trying to access it via the browser, after attempting to add the certificate to Ubuntu:

sudo cp server.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Updating certificates in /etc/ssl/certs... 
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Should I see 1 added here? I also tried copying server.crt to /etc/ssl/certs.

If I proceed past Chrome's block, I get this console error:

SSL error, peer: 127.0.0.1, peer cert: , #<Puma::MiniSSL::SSLError: OpenSSL error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request - 336027804>

Instead of using Puma on the command line, I tried adding this to config/initializers/puma.rb:

bind 'ssl://127.0.0.1:3000?key=/home/sean/.ssh/server.key&cert=/home/sean/.ssh/server.crt'

and starting with: rails s

I do not get any page load, but the console shows:

HTTP parse error, malformed request (): # 2017-01-23 10:04:43 -0500: ENV: {"rack.version"=>[1, 3], "rack.errors"=>#>, "rack.multithread"=>true, "rack.multiprocess"=>false, "rack.run_once"=>false, "SCRIPT_NAME"=>"", "QUERY_STRING"=>"", "SERVER_PROTOCOL"=>"HTTP/1.1", "SERVER_SOFTWARE"=>"puma 3.6.2 Sleepy Sunday Serenity", "GATEWAY_INTERFACE"=>"CGI/1.2"}

I also tried downgrading Puma to 3.5.2.

Where am I going wrong?

Saurabh
Sean Kelley

1 Answer


I solved this problem by enabling mod_ssl in the Apache server and adding some configuration for Apache to listen on port 443. You can also use Nginx in front of Puma, communicating over sockets. There is also a way to solve this problem by installing puma-dev, which automatically makes the apps available via SSL. I will describe the way I did it; it may help you or someone else:

I made a self-signed certificate first, and after that a new virtual host for my project, for example site1.local. Then I enabled mod_ssl and default-ssl.conf. I added port 443 and forward secrecy to my virtual host, something like:

<VirtualHost *:443>
    ServerName site1.local
    SSLEngine on
    # the self-signed certificate and key made in the previous step
    SSLCertificateFile "/home/user/.ssh/server.crt"
    SSLCertificateKeyFile "/home/user/.ssh/server.key"
    DocumentRoot /var/www/site1.local/public

    # only TLS 1.0-1.2 (no SSLv2/SSLv3); the server's cipher order wins
    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
    SSLHonorCipherOrder On
    # ECDHE/DHE suites first for forward secrecy; the trailing !RC4 removes
    # the EECDH+aRSA+RC4 entry again, so no RC4 suite is ever offered
    SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
</VirtualHost>

When I restarted the Apache server, I was still getting Google Chrome's unsafe website warning. I needed to manually add the root certificate in Chrome: chrome://settings/certificates, then the Authorities tab and the Import button. I checked all 3 checkboxes before importing the server.crt file. Once I finished importing, I restarted Google Chrome and got the green HTTPS lock in Chrome's address bar.

Some refs:

https://leehblue.com/add-self-signed-ssl-google-chrome-ubuntu-16-04/

Getting Chrome to accept self-signed localhost certificate

https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04

https://www.digitalocean.com/community/tutorials/how-to-deploy-a-rails-app-with-puma-and-nginx-on-ubuntu-14-04

I hope it helps.

Blackcoat77
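Added example, not code from the question or the answer: it shows with Ruby's bundled OpenSSL library what the two posts do by hand. It generates a self-signed development certificate whose subjectAltName covers localhost and 127.0.0.1 (Chrome matches the SAN, not the CN), checks it the way a browser does (chain to a trusted anchor, then hostname or IP match), writes server.key/server.crt for the puma -b 'ssl://...' bind line, and reproduces the server-side "http request" SSL error from the question by sending a plaintext HTTP request to a TLS listener, which is what a browser does when it is pointed at http:// instead of https:// on the SSL port. The function names, the /CN=localhost/O=dev subject and the temporary directory are this example's own choices.

```ruby
require "openssl"
require "socket"
require "ipaddr"
require "tmpdir"

# Build a self-signed certificate for local development. Chrome matches the
# subjectAltName, not the CN, so every hostname and IP the app is reached on
# goes into the SAN. basicConstraints CA:TRUE lets the same certificate be
# imported as a trust anchor (the "Authorities" tab the answer describes).
# Subject name and defaults are this example's assumptions.
def make_dev_cert(hosts: ["localhost"], ips: ["127.0.0.1"], days: 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                        # X.509 v3 (zero-based)
  cert.serial     = OpenSSL::BN.rand(63).to_i
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hosts.first}/O=dev")
  cert.issuer     = cert.subject             # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60            # small clock-skew allowance
  cert.not_after  = cert.not_before + days * 86_400

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = (hosts.map { |h| "DNS:#{h}" } + ips.map { |ip| "IP:#{ip}" }).join(",")
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment,keyCertSign", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth", false))
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# The SAN as OpenSSL prints it, e.g. "DNS:localhost, IP Address:127.0.0.1".
def san_of(cert)
  ext = cert.extensions.find { |e| e.oid == "subjectAltName" }
  ext ? ext.value : ""
end

# The two checks a browser performs: chain to a trusted anchor, then match the
# hostname or IP against the SAN. For a self-signed dev cert the anchor is the
# cert itself, which is what importing it under Chrome's Authorities achieves.
def trusted_for?(cert, anchor, hostname)
  store = OpenSSL::X509::Store.new
  store.add_cert(anchor)
  return false unless store.verify(cert)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Write server.key (owner-only) and server.crt; the returned paths go into
# puma -b 'ssl://127.0.0.1:3000?key=<key>&cert=<cert>'
def write_pem(dir, key, cert)
  key_path  = File.join(dir, "server.key")
  cert_path = File.join(dir, "server.crt")
  File.write(key_path, key.to_pem, perm: 0o600)
  File.write(cert_path, cert.to_pem)
  [key_path, cert_path]
end

# Reproduce the server-side error in the question: a plain http:// request
# sent to a TLS listener. OpenSSL finds "GET " where a TLS record header
# should be and fails the handshake with reason "http request".
# Returns the server-side SSLError message, or :handshake_ok.
def plaintext_to_tls(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  tcp  = TCPServer.new("127.0.0.1", 0)      # ephemeral port, loopback only
  port = tcp.addr[1]
  srv  = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  result = nil
  server = Thread.new do
    begin
      ssl = srv.accept                       # TLS handshake happens here
      ssl.close
      result = :handshake_ok
    rescue OpenSSL::SSL::SSLError => e
      result = e.message
    end
  end
  client = TCPSocket.new("127.0.0.1", port)
  client.write("GET / HTTP/1.1\r\nHost: 127.0.0.1:#{port}\r\n\r\n")  # constructed plaintext request
  server.join(5)
  client.close
  srv.close
  result
end

if $PROGRAM_NAME == __FILE__
  key, cert = make_dev_cert
  key_path, cert_path = write_pem(Dir.mktmpdir("devssl"), key, cert)
  puts "SAN: #{san_of(cert)}"
  puts "trusted for localhost: #{trusted_for?(cert, cert, 'localhost')}"
  puts "plaintext HTTP to TLS port: #{plaintext_to_tls(key, cert)}"
  puts "puma -b 'ssl://127.0.0.1:3000?key=#{key_path}&cert=#{cert_path}'"
end
```

The cert must then be trusted by the client, not the server: update-ca-certificates only feeds OpenSSL-based tools, while Chrome on Linux uses its own NSS store, which is why the answer imports server.crt under chrome://settings/certificates. After that, the browser must be pointed at https://, never http://, on the SSL port.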