Self Signed Certificate for Webapps on public server?

I have a Webservice running on a Ubuntu 18.04 Webserver and it is reachable on the standard port.

I have followed the steps here (http://documentation.xojo.com/topics/web/ssl_for_web_apps.html#Set_up_the_SSL_Certificate) in order to create and install a self signed certificate.

I have defined an SSL port for the app in the Shared Build settings and I also tried to start the app with parameters, like this:

./myapp --secureport=9081 --maxsecuresockets=400

The myapp.crt file is copied next to the executable and then I have restarted the WebApp. And again it starts and is reachable on the non-secure port.

I can run netstat -an | grep tcp and it shows the app is listening in the standard port, but not on the SSL port.

Is it possible, that we cannot use self-signed certificates? What else could make this fail?

Opened port on the firewall?

1 Like

Is this a Web 1.0 or Web 2.0 app?

When you launch the app, if it's web 2.0, do you get the expected "Application is ready" message? Do you get any other messages out of the command line when you try to run?

I haven't ever had a problem with SSL, but I've always used Let's Encrypt and not self signed certificates. Have you heard about my tool called Lifeboat that simplifies deploying web apps and setting up SSL?

1 Like

Thanks Tim, I create that new web service app with Xojo 2021 r2, so I guess it is automatically Web 2.0 (?).

I downloaded and installed your Lifeboat app now and connected it to the Ubuntu 18.04 server. When Lifeboat wanted to install something, I stopped.

My server has Plesk Obsidian version 18 on it and some Wordpress sites running. Can I install lifeboat without danger for my running configuration?

Yep, 2021r2 builds Web 2.0

This would actually depend on whether or not your installation uses Apache or nginx to achieve this. I always recommend installing into an empty/new VPS, so I would recommend creating a test instance first to see if Lifeboat is compatible.

To debug what you've got so far though, do you get any messages from the web app when you launched it? Does it fully launch and continue running, or does it quit? Have you tried providing the --Certificate= path to see if that helps?

I'm setting up a new VPS with a new domain name. Currently I just installed Webmin on it. Once the DNS has propagated, I will try Lifeboat to get certificates and web services up and running. I guess this will be sometime tomorrow. Now it is 7:30 pm over here in Switzerland and I am leaving my workplace now to watch some Olympics on TV. Thanks for the help! Very much appreciated!

1 Like

Donā€™t use self-signed certificates on a public server. They are vulnerable to man-in-the-middle attacks.

It would be better to use LetsEncrypt if you need something free

2 Likes

Yes, and as I am now going to use a separate VPS with Lifeboat, I expect it to be quite easy to make use of Let's Encrypt with auto renewal. We'll see tomorrow.

1 Like

Oops, Lifeboat locked me out of Webmin on my new VPS. Does Lifeboat manage the Linux firewall and close any ports not used by itself? I uploaded a web app, but it does not start, and it looks like the ports and storage location are not transparent either?

Alright then, maybe I will find more detailed information in the documentation?

I'm currently reinstalling the VPS and giving it one more try. Otherwise I'll install everything by myself, as I used to do until now.

Be careful with Webmin. It's a great tool but it really wants to do its own thing. I was using it with Apache and Let's Encrypt. Both Webmin and Let's Encrypt update the Apache config files. This caused some websites not to work, others were crossed (a request for site A opened site B).

If you're not good with Linux or don't want to learn it, stick with Tim's recommendations and his Lifeboat. Based on my experience with Webmin I'd be nervous mixing any tools that manage the same utilities. Lifeboat has been tested with Let's Encrypt so that's a known good combination.

1 Like

I've been managing Ubuntu servers with Webmin for about 14 years now and I hope I can continue to use it, together with Lifeboat. I would hate to be restricted to the command line.

What I hope for is that Lifeboat handles nginx, certbot and the Xojo web apps. Besides this I intend to install cubeSQL server, but no LAMP stack.

I had to open the port for Webmin (sudo ufw allow 10000) and I still have some issues installing Lifeboat. Maybe Tim will be able to comment on this later today?

So basically Lifeboat takes away the hassle of configuring nginx and certbot, and it makes uploading and replacing a running Xojo web app a piece of cake. If I get this up and running I will definitely become a big Lifeboat fan.

Webmin does not "do its own thing".
I have used Webmin for years on production servers and removed it, and everything is still standard and ready to rock and roll.

Maybe you customized certain aspects of your installation?

Yes. Lifeboat closes everything and leaves only SSH, HTTP, and HTTPS ports open. If you install PostgreSQL and enable external access, Lifeboat will open the selected PostgreSQL port. This is set inside the instance, some providers offer external Firewalls as well!

I consider it being managed for you, as this isn't information you need to use Lifeboat. Because of the stop 'n' swap procedure, you need to design your file access as if you were building a Mac app. Items next to the web app will be lost when performing an update.

There are a couple of different things that can go wrong for an app not to start. One to check is that it is not crashing during the launch procedure. The second most common is that the code App.Daemonize prevents systemd from returning a service status of "active". This is fixed by removing App.Daemonize.

Right click your Web App in Lifeboat, and select "View Logs…". If the log file does not exist, the app has not successfully completely launched. You can write to this log in Xojo code with the global Print function to help debug crashes during startup.

For clarity, Lifeboat managed applications are stored in Lifeboat's ApplicationData folder on the remote server. This resolves to the home folder, and as is common on Linux, the data folder is an invisible dot-folder.

This path should work on all Linux flavors: ~/.com.strawberrysw.Lifeboat/
Inside there you will find your applications and additional support files. It is recommended that you donā€™t try to manage things here yourself, this is Lifeboatā€™s workspace.

There is a lot of information in the user guide! If it leaves you with any questions I'm always happy to answer them here in the forum or by email. I can sometimes provide hands on support by email.

For those still with us,
Oliver has kindly reached out by email, and digging into this case it seems libsoup was not installing for some reason. I haven't yet determined if this is because of Webmin, but I have made changes to the install process in Lifeboat to try to correct for this.

In addition to this, I am working on the issues with ValentinaDB. Look out for the next Lifeboat update :slight_smile:

Have a great weekend, everyone!

4 Likes

Wow, we have a working Lifeboat VPS and distribution of Xojo web apps is done in a jiffy!

KISS: keep it simple and serviceable - this is software at its best! Great job!

If you would like to run your own virtual private Linux server and deploy web apps in a minute, then follow the deployment walkthrough video here:
https://strawberrysw.com/lifeboat/

In the past 14 years I have spent so many days and weeks (or more) learning about installing and configuring Ubuntu virtual private servers, and this, Lifeboat, brings it down to a job of some minutes. This is great, because the prices for powerful VPS have also come way down since 14 years ago.

6 Likes

And even beyond being vulnerable to MITM attacks, nobody will be able to visit your website without seeing all those warnings. Literally nobody is going to click through all the warnings of death, dismemberment and general malaise that a modern browser will put you through to visit a site with a self signed certificate :wink: Fine for testing and actually fine in other circumstances for personal use but not for a public site.

The only place it's OK to use one personally is if you will only ever connect to the server with a machine that you have already connected to it with. Once I have passed through all those warnings and allowed the certificate when I know there is no man in the middle, then if I connect from somewhere and the MITM tries to hijack that, I will get an error message saying that the certificate has changed and that I need to re-approve it. If you are connecting to the server for the first time and are the victim of the attack, there is no way to tell that the machine you're connecting to is not the attacker. I hope that makes some sense, though I know it's kind of not very parallel to the original question :wink:

1 Like
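The trust-on-first-use behaviour described in the post above, as an added illustration that is not code from the thread, from Xojo or from Lifeboat. The pin store mirrors what a browser does once you click through a self-signed certificate warning: the first contact is trusted blindly, but any later change of certificate is detected. The host name, port and the DER byte strings are constructed placeholders; real code would take the certificate from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
"""Trust-on-first-use (TOFU) pin store for self-signed certificates.

Added example, not code from the forum thread or from Xojo/Lifeboat.
Shows why a pinned self-signed certificate protects repeat connections
but cannot protect the very first one.
"""
import hashlib
from typing import Dict, Tuple

# Constructed placeholders standing in for DER-encoded certificates.
SERVER_CERT_DER = b"constructed DER bytes: legitimate server certificate"
ATTACKER_CERT_DER = b"constructed DER bytes: attacker-issued certificate"

FIRST_SEEN = "first_seen"   # nothing pinned yet: trusted without verification
MATCH = "match"             # presented certificate equals the pinned one
MISMATCH = "mismatch"       # certificate changed: refuse until re-approved

PinStore = Dict[Tuple[str, int], str]


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint`."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store: PinStore, host: str, port: int, cert_der: bytes) -> str:
    """Compare the presented certificate against the pinned fingerprint.

    On first contact the fingerprint is recorded and the connection is
    allowed, because there is nothing to compare against. That is the
    window the thread warns about: a man in the middle on the first
    connection gets its own certificate pinned. Afterwards any different
    certificate, whether a legitimate rotation or an attack, is reported
    as MISMATCH and the store is left untouched until an operator
    explicitly re-approves it.
    """
    key = (host, port)
    seen = fingerprint(cert_der)
    pinned = store.get(key)
    if pinned is None:
        store[key] = seen
        return FIRST_SEEN
    return MATCH if pinned == seen else MISMATCH


def approve(store: PinStore, host: str, port: int, cert_der: bytes) -> None:
    """Operator re-approves a changed certificate out of band."""
    store[(host, port)] = fingerprint(cert_der)


def demo() -> list:
    """Walk through the scenarios from the post; returns the check results."""
    store: PinStore = {}
    results = []
    # 1. Honest first contact: certificate gets pinned, nothing is verified.
    results.append(check_pin(store, "example.test", 9081, SERVER_CERT_DER))
    # 2. Repeat connection with the same certificate: accepted.
    results.append(check_pin(store, "example.test", 9081, SERVER_CERT_DER))
    # 3. MITM presents its own certificate: caught only because step 1 was honest.
    results.append(check_pin(store, "example.test", 9081, ATTACKER_CERT_DER))
    # 4. A fresh client attacked on its very first connection pins the attacker.
    fresh: PinStore = {}
    results.append(check_pin(fresh, "example.test", 9081, ATTACKER_CERT_DER))
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), start=1):
        print(f"step {step}: {outcome}")
```

Step 4 is the point of the post: the pin store returns the same `first_seen` for the attacker's certificate as it did for the legitimate one, so nothing distinguishes an honest first connection from a hijacked one. A CA-issued certificate (for example from Let's Encrypt) closes that gap because the browser can verify the chain before any trust has been stored.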

Right, nobody answered the original question.

In my specific case this goes all right, because Lifeboat is now working just great for me.

But not answering the original question and starting general teachings with many assumptions about the situation of the OP, this seems to become increasingly popular….

2 Likes

A thank you to Greg and Tim would probably be in order, would it not ?

1 Like

In fact I already expressed my thanks to Tim; we had a PM exchange.

My original question however is not answered: "Is it possible, that we cannot use self-signed certificates? What else could make this fail?"

Well it could fail if the port is already in use by another app.