Question

I only found how to start puma using SSL:

$ puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert'

However, there is no description about how to include an intermediate CA cert in the documentation. Could someone point me in the right direction? I am using Puma 1.6.3

Thanks!

Was it helpful?

Solution

Combining certificate and bundle will work only if you use nginx.

Without nginx, you can use ca and verify_mode options:

rails s puma -b 'ssl://0.0.0.0:9292?key=path_to_key.key&cert=path_to_cert.crt&verify_mode=none&ca=path_to_root_bundle.crt'

Source: https://github.com/puma/puma/blob/master/lib/puma/binder.rb

OTHER TIPS

Kinda late to the party but, I have another solution, you can see my post for more details.

First create the certificate for your localhost using mkcert

mkcert localhost

If you want to have another domain to work on HTTPS, just replace localhost to the one you want, like mkcert mylocalhost-with-a-cool-domain.com

After this, I created a local-certs folder under the config folder and pasted the cert and key there.

Now you should mark these cert as trusted, I’m working on a Mac computer, so not sure how to handle this particular part on Windows or on a Linux distro. Check out the post, it has screenshoots. In resume, you will need to drag the certificate created with mkcert to the Keychain Access.

Then in your puma config file, create one if you don't have it and name it puma.rb, you should have something like

workers Integer(ENV['WEB_CONCURRENCY'] || 2)
threads_count = Integer(ENV['THREAD_COUNT'] || 5)
threads threads_count, threads_count

rackup      DefaultRackup
port        3001
environment ENV['RACK_ENV'] || 'production'

if ENV['RACK_ENV'] == 'development'

  # If you didn't place the cert and key under `local-certs` you should change this
  localhost_key = "#{File.join('config', 'local-certs', 'localhost-key.pem')}" 
  localhost_crt = "#{File.join('config', 'local-certs', 'localhost.pem')}"

  ssl_bind '0.0.0.0', 3000, {
    key: localhost_key,
    cert: localhost_crt,
    verify_mode: 'none'
  }
end

Then running bundle exec puma -C puma.rb or bundle exec rails s should do it :D

If anyone has a question, pls let me know. Hope it helps future readers!

while we are using combo Nginx+PhusionPassenger as well. You cant specify Chain cert file in nginx either. The trick is to bundle all certs within one certificate and then set the new certificate file as a certificate in your server configuration. You will find more information in nginx documentation. Check SLL Certificate Chains section.

cat www.example.com.crt bundle.crt > www.example.com.chained.crt

Hope it helped.

rails s puma -b 'ssl://0.0.0.0:9292?key=certkey.key&cert=cert.crt&verify_mode=peer&ca=root_bundle.crt

Just make sure you set the verify_mode=peer.

It may be a better idea to use Phusion Passenger + Nginx for SSL support. This combo has widely available documentation and is very easy to setup because it's currently the most popular app server choice, and used by the likes of New York Times, Symantec, AirBnB, etc. Here's how you do it if you have Nginx with Phusion Passenger installed:

server {
    listen 443;
    server_name yourapp.local;
    ssl on;
    ssl_certificate ...;
    ssl_key ...;
    root /path-to-your-app/public;
    passenger_enabled on;
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top