Supporting SSL for development on pimentaCHAT

If you are working with mobile apps, your server must support SSL.

pimentaCHAT is a “middle-tier application server”. By itself, it does not handle SSL. However, pimentaCHAT works well with several industrial-grade, battle-tested reverse proxy servers that you can configure to handle SSL.

You should find yourself in one of the two situations:

  • The pimentaCHAT server is publicly accessible on the internet.
  • The pimentaCHAT server is not accessible on the internet.

This doc is split into two sections, one for each of these situations.

The pimentaCHAT server is publicly accessible on the internet

If your server is publicly accessible, it is recommended that you use a service like Let’s Encrypt to obtain your SSL certificates. A detailed guide for configuring your choice of SSL Reverse proxy servers is provided here: Configuring SSL Reverse Proxy

If you are using Ubuntu, this can be configured automatically with the help of Snaps. A guide is provided here: Installing pimentaCHAT on Ubuntu with Snaps

The pimentaCHAT server is not accessible on the internet

If your server is not accessible on the internet, you will need to provide self-signed certificates to configure SSL on the server.

In this doc, we will create a self-signed root certificate and use it to generate our SSL certificates. The steps below have been adapted from Self Signed Certificate with Custom Root CA.

Step 1: Create Root CA

Create Root Key

Attention: This is the key used to sign the certificate requests. Anyone holding it can sign certificates on your behalf, so keep it in a safe place!

openssl genrsa -des3 -out pimentaCHAT-root.key 4096

If you want a key that is not password protected, just remove the -des3 option.

Create and self sign the Root Certificate

openssl req -x509 -new -nodes -key pimentaCHAT-root.key -sha256 -days 1024 -out pimentaCHAT-root.crt

Here we used our root key to create the root certificate, which needs to be distributed to all the computers that have to trust us.

NOTE: It is not recommended that you distribute this root certificate in production. A breach of the above-generated key will open every device that trusts your root certificate to potential security threats.

Step 2: Create an SSL certificate

Create the certificate key

openssl genrsa -out mydomain.com.key 2048

Here, mydomain.com should be replaced with your IP address (Bonjour local domains work as well!)

Create the certificate signing request

Important: When creating the certificate signing request, it is important to specify the Common Name with the IP address or URL for the service; otherwise the certificate cannot be verified.

openssl req -new -key mydomain.com.key -out mydomain.com.csr

Generate the SSL certificate

Here, we are using the mydomain.com CSR along with the pimentaCHAT-root CA.

openssl x509 -req -in mydomain.com.csr -CA pimentaCHAT-root.crt -CAkey pimentaCHAT-root.key -CAcreateserial -out mydomain.com.crt -days 365 -sha256
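The following script is an added example, not part of the original guide: it runs Steps 1 and 2 non-interactively, adds a subjectAltName to the server certificate (current browsers and mobile TLS stacks match the host against the SAN rather than the Common Name), and then checks the chain and the name. The file names (root.key, server.crt, san.ext), the subject names, the -subj and -extfile options and the helper functions are assumptions made for the example; it handles host names and IPv4 literals only.

```shell
#!/bin/sh
# Added example: throwaway dev CA plus a leaf certificate that carries a SAN.
# File names, subject names and hosts are constructed for illustration.

san_kind() {  # prints IP for IPv4 literals, DNS for everything else
    case $1 in
        *[!0-9.]*) echo DNS ;;   # contains a non-digit: host name
        *)         echo IP ;;    # dotted IPv4 literal
    esac
}

make_dev_cert() {  # usage: make_dev_cert HOST OUTDIR
    host=$1 out=$2
    mkdir -p "$out" || return 1
    # Step 1: root key and self-signed root. The key is left unencrypted
    # only because this CA is disposable; keep -des3 for a longer-lived one.
    openssl genrsa -out "$out/root.key" 4096 2>/dev/null || return 1
    openssl req -x509 -new -nodes -key "$out/root.key" -sha256 -days 1024 \
        -subj "/CN=Example Dev Root CA" -out "$out/root.crt" || return 1
    # Step 2: server key, CSR, and a certificate signed by the root.
    openssl genrsa -out "$out/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$out/root.key" "$out/server.key"
    openssl req -new -key "$out/server.key" -subj "/CN=$host" \
        -out "$out/server.csr" || return 1
    # x509 -req does not copy extensions from the CSR by default, so the
    # SAN is supplied at signing time through an extension file.
    printf 'subjectAltName=%s:%s\n' "$(san_kind "$host")" "$host" > "$out/san.ext"
    openssl x509 -req -in "$out/server.csr" -CA "$out/root.crt" \
        -CAkey "$out/root.key" -CAcreateserial -out "$out/server.crt" \
        -days 365 -sha256 -extfile "$out/san.ext" 2>/dev/null || return 1
}

check_dev_cert() {  # usage: check_dev_cert HOST OUTDIR; returns 0 when both checks pass
    host=$1 out=$2
    # 1. The server certificate must chain to the root that devices will trust.
    openssl verify -CAfile "$out/root.crt" "$out/server.crt" >/dev/null 2>&1 || return 1
    # 2. The SAN must contain exactly the name clients will connect to.
    case $(san_kind "$host") in
        IP) want="IP Address:$host" ;;
        *)  want="DNS:$host" ;;
    esac
    openssl x509 -in "$out/server.crt" -noout -text |
        sed 's/^[[:space:]]*//' | grep -Fxq "$want"
}
```

Running check_dev_cert with the name clients will actually type, before installing the root on any device, catches a name mismatch that would otherwise surface only as a connection error on the device.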

Step 3: Configuring SSL for pimentaCHAT

The mydomain.com.crt and mydomain.com.key files generated above will be used as the certificate and the private key to configure SSL.

A detailed guide for configuring your choice of SSL Reverse proxy servers is provided here: Configuring SSL Reverse Proxy

Step 4: Trusting Certificate Authority

All the devices that need to communicate with the server during development need to trust the root certificate we generated in Step 1 (pimentaCHAT-root.crt).

Installation instructions for other operating systems can be easily found online.

On successful installation of the root certificate, the device should be able to access pimentaCHAT over SSL.

Troubleshooting

If your device is not able to connect over SSL, please make sure that the URL has https:// explicitly typed out before it.