#Self-signed cert for https with mist

Hi! I was trying to create a self-signed ssl certificate for mist, so that I could serve my website over https in development. (The reason for this is that I want to test it on other devices on the network, and the website requires geolocation, which requires https.)

I googled around and tried several different methods of creating a certificate file and key file (the keychain access app on macos, and openssl with varying options), but every time I would get an error from erlang saying no_certs. The mist docs don't say what format the cert and key files should be in for mist.with_tls(), and I tried reading the erlang docs for ssl:listen/2 but couldn't figure it out.

I don't know very much about certificates, especially when it comes to creating them or the file formats. How can I create cert/key files that mist will accept to start the server using https?

Maybe open an issue with Mist for adding of that info? Could be good for it to have an example too

I remember being confused by TLS in Mist a bit too

aha I googled some more and somehow this time around it worked! https://serverfault.com/a/224127

i'll still open an issue with mist, but putting this here in case it helps someone else

i was able to get a hint after seeing the tls example in the glisten readme

I think the Erlang ssl application cannot use a directly self-signed cert. Instead you have to create a self-signed CA and issue the server certificate using this. (If this is not what you have done). You can check out some script here .

hmm i don't think i had to do that

it seemed to work fine (for my purposes, ie local development) when i did openssl genrsa 2048 > server.key followed by openssl req -new -x509 -nodes -sha256 -key server.key -out server.crt

also, i opened an issue: https://github.com/rawhat/mist/issues/84

in case anyone needs more info or examples, this is what I do:

https://codeberg.org/CubeOfShame/valltory/src/branch/main/mise.toml#L20 to generate the certs, and then built mist like this:
https://codeberg.org/CubeOfShame/valltory/src/branch/main/src/valltory.gleam#L60

Ok, you are right I think, it maybe that you need a CA signed cert when using Erlang ssl as client. (Which mugis doing)

It is a good habit to use a CA most times anyway 🙂 .

I use https://github.com/suyashkumar/ssl-proxy in front of my app, so browser uses https, but the gleam app doesn't need to know

out of curiosity, what makes it better to do that?

that would be a strange restriction for erlang to add and not something i've seen before

for local dev it doesn't really matter much, i tend to use https://github.com/FiloSottile/mkcert if i need to do local certificate stuff

Seems the restriction is for ssl clients and when using verify peer. But honestly I haven't digested the complete discussion .
See also.
The reason for having one self-signed test CA, at least for me, is that it simplifies testing since I can sign all servers with the same CA and install the same CA cert on clients. But I guess it depends ...

having that restriction as a client connecting to a server makes a more sense, openssl has similar error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT