# Can't make an HTTPS connection locally



## MMacD (Jun 11, 2017)

I'm trying to set up my toy webserver (Apache24) to use only secure connects (all connects are local to the LAN -- it's a dev setup).  So far that's not working, and the only tools I can find for testing expect a real cert signed by a real CA, etc., which isn't helpful for development purposes.

Can anyone suggest connection-debugging tools that don't mind working with a locally-signed cert in a LAN environment?


----------



## obsigna (Jun 11, 2017)

Usually it should be sufficient to make the browser you want to use for testing aware of the self-signed CA. This ranges from quite easy (Safari on Mac) to semi-easy (Firefox), up to quite complicated (IE on Windows).

Also take care not to use too strict a cipher suite on the server side. Not all browsers have arrived at the bleeding-edge level yet. The following has proven to be a good compromise between security and compatibility:

```
...
SSLProtocol             All -SSLv2 -SSLv3
SSLCipherSuite          HIGH:!aNULL:!AES128:!SSLv2:!SSLv3
...
```
For connection debugging you can simply use openssl(1) s_client(1):
`openssl s_client -connect your.local.dom:443 -tls1_2 -cipher HIGH -CAfile /path_to_your/self_signed_CA.pem -crlf`


----------
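To see the s_client check above in practice without any real CA, here is an added example (it is not obsigna's command nor anything from the thread): a POSIX shell script that creates a throwaway local CA, issues a certificate for localhost, serves it with `openssl s_server` standing in for Apache, and reports the "Verify return code" once with `-CAfile` pointing at the local CA and once without it. The CA name, file names, temporary directory and the port are this example's own assumptions; it needs openssl 1.1.1 or newer and mktemp(1).

```shell
#!/bin/sh
# Added example, not from the thread: stand up a throwaway local CA, issue a
# server certificate for "localhost", and check the chain the way the s_client
# command in the thread does, first trusting the CA and then not trusting it.
# Assumptions: openssl (1.1.1 or 3.x) on PATH, a free TCP port (PORT, default
# 44330) and mktemp(1). File names, CA name and port are this example's choices.
set -e

WORK=$(mktemp -d)
PORT=${PORT:-44330}

make_local_ca() {
  # Self-signed CA with explicit CA extensions; a private config file avoids
  # depending on whatever openssl.cnf the system ships.
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Local dev CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 10 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

issue_server_cert() {
  # CSR for the dev host, then sign it with the CA. Browsers match the
  # subjectAltName, not the CN, so the SAN carries the name and the address.
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = localhost\n' \
    > "$WORK/server.cnf"
  openssl req -new -config "$WORK/server.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'subjectAltName = DNS:localhost, IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 10 -extfile "$WORK/server.ext" \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# Handshake to $1:$2 and print only the number from s_client's
# "Verify return code" line; 0 means the chain verified against the trust
# store in $3 (empty $3 = the default system store, which does not know our CA).
verify_code() {
  host=$1; port=$2; cafile=$3
  if [ -n "$cafile" ]; then set -- -CAfile "$cafile"; else set --; fi
  printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
      -tls1_2 -cipher HIGH "$@" 2>&1 \
    | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Runs the whole demo against openssl s_server (-www: a tiny HTTPS responder
# standing in for Apache) and prints "trusted=<code> untrusted=<code>".
run_demo() {
  make_local_ca
  issue_server_cert
  openssl s_server -accept "$PORT" -cert "$WORK/server.pem" -key "$WORK/server.key" \
    -www >/dev/null 2>&1 &
  srv=$!
  # s_server needs a moment to bind; retry the probe a few times.
  trusted=""; i=0
  while [ -z "$trusted" ] && [ "$i" -lt 5 ]; do
    sleep 1
    trusted=$(verify_code localhost "$PORT" "$WORK/ca.pem")
    i=$((i + 1))
  done
  untrusted=$(verify_code localhost "$PORT" "")
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  rm -rf "$WORK"
  printf 'trusted=%s untrusted=%s\n' "$trusted" "$untrusted"
}

# Stand-alone use: sh tls_local_check.sh run
case "${1:-}" in run) run_demo ;; esac
```

`trusted=0` is the result you want to see when the client has been told about the local CA; the nonzero `untrusted` code is exactly what a browser that has not been given the CA certificate reports, which is the state the original poster is stuck in. Point the same `verify_code` function at your Apache host and port to run the check against the real server.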



## ShelLuser (Jun 11, 2017)

Actually, IE on Windows is also quite easy because all that does is use the system-wide certificate repository. certmgr.msc is your friend there.

For FreeBSD I'd look into /etc/ssl and /usr/local/etc/ssl respectively. security/ca_root_nss could also be of some help here.


----------



## Jeckt (Jun 22, 2017)

When you say "locally signed" do you mean you have your own CA, or are the certificates self-signed?  There isn't anything like a "real CA", only certificate authorities distributed in globs that are considered "trusted". If you've made your own CA, you just need to add your CA cert to whatever clients/servers.


----------



## bennyjoseph710 (Jun 22, 2017)

It is actually good to select the appropriate CA for this. They can help out, and there are ones like instantssl, letsencrypt and digicert for this.


----------



## ShelLuser (Jun 22, 2017)

MMacD said:

> Can anyone suggest connection-debugging tools that don't mind working with a locally-signed cert in a LAN environment?


So I re-read the thread and well... the main problem is that "it doesn't work" isn't telling us much to go on, but I figure that we also didn't quite answer the actual question yet. I got a bit confused about your question because I fail to see why a network diagnostic tool would ever bother itself with the certificates.  Meh, it's hot here and I'm not always as sharp as I usually am.

So I'd start with using sockstat(1) to verify that Apache is actually listening on port 443. After that you should be able to utilize tcpdump(1) to monitor the traffic which is (or isn't) in- or outgoing. Just focus on port or protocol and you should get a good overview.

But if the problems don't sit at the network level but at the application level, then you really don't need any specific tools. Just raise Apache's logging verbosity and check the debug logs. Those should tell you exactly what's going on.


----------

