Using self-signed certificates for Discourse


(Punit kumar jain) #1

Hi,

Has anyone used self-signed certificates for Discourse? I have seen one post regarding self-signed SSL for emails, but was wondering if someone has used self-signed certificates for the whole app.

I know Namecheap is giving cheap SSL certificates, but I am hosting Discourse for our internal intranet. So if someone has tried self-signed certs, please post your experience.

thanks,
Punit.


(omfg) #2

If you need SSL, use a proper cert.

Edit: To make myself clear: it’s an awful idea. You are deliberately conditioning your users to ignore good security practices (“When you see a warning about a bad SSL cert, make sure you ignore it”) just to save $10/year. Then when the VP of Finance one day gets MITM-ed accessing her finance app, guess what she’ll do… Incredible.


(Gerhard Schlager) #3

Should work (as long as the browser trusts your self-signed certificate).
Give it a try and you’ll know for sure. It should take you only a few minutes.
Just follow the Howto and use your self-signed certificate instead of buying a certificate.


(Stephen) #4

If it’s their own intranet and to be accessed from corporate machines it’s no different to using a public CA. Internally-signed certificates are ‘proper’ certificates within a managed environment.

Managed desktops can be configured to recognise additional root certificates with little effort; it’s commonplace on many networks and may already be the case in his environment. Both Windows and Mac OS Server contain all of the tools to deliver effective PKI.

For some unknown reason, you’re assuming that @punitkrjain won’t deploy a CA cert and that users would ever see the SSL warning, and criticising him based upon that assumption. How is that helpful?

Of course the moment that a non-corp device signs on to that network it all falls over, but that’s no reason to badger or scaremonger that the org will fail, particularly when you’ve not bothered to ascertain the facts.


(Jeff Atwood) #5

Still, it is unlikely to work, without massive provisos, so it is fair to question the choice IMO.


(Kane York) #6

I wouldn’t call that a self-signed certificate though - that’s a certificate issued by a company-managed CA.


(omfg) #7

May or may not.
If they use self-signed certs I would say it is less than 50% likely that they manage their clients.

+1


(Stefano Costa) #8

Perhaps the need for self-signed certs will go away when Let’s Encrypt is generally available, in a short time: https://community.letsencrypt.org/


(Punit kumar jain) #9

And just to clarify, I was intending to try out a self-signed certificate (not a company-managed CA). I agree with the points about security, but I wanted to see how well the app behaved with SSL enabled. So eventually I will buy a signed cert once deployed for general use.

Coming back to the topic, I tried it and it works seamlessly (apart from the expected browser warnings). One point is that maybe “Allowing SSL / HTTPS for your Discourse Docker setup” should explicitly mention that certificates should be PEM encoded. It can be a bit confusing, as a .crt file can be anything (PEM/DER).

PS: On second thought, I should have realized they are PEM encoded, as the howto uses ‘cat’ at some point. Dumb moment.

thanks,
Punit.
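As an added example, not written by anyone in this thread, here is a small POSIX shell helper around the openssl CLI that covers the two points the thread circles: telling a PEM .crt from a DER one before handing it to the Docker setup (post #9), and telling a truly self-signed certificate from one issued by an internal CA that a managed desktop could be told to trust (posts #4 and #6). It assumes openssl is installed; the CA name and hostname are made-up placeholders.

```shell
# Added example, not from the thread; assumes the openssl CLI. Names such as
# "Demo Internal CA" and discourse.example.internal are placeholders.

# Print PEM or DER for certificate file $1 (UNKNOWN, exit 1 otherwise).
cert_encoding() {
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo PEM
  elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
    echo DER
  else
    echo UNKNOWN; return 1
  fi
}

# Write a PEM copy of certificate $1 to $2, whatever the input encoding.
to_pem() {
  case "$(cert_encoding "$1")" in
    PEM) cp "$1" "$2" ;;
    DER) openssl x509 -inform DER -in "$1" -outform PEM -out "$2" ;;
    *)   return 1 ;;
  esac
}

# self-signed when issuer == subject (what #1 tried), else ca-issued (#4, #6).
cert_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
  [ "${subj#subject=}" = "${iss#issuer=}" ] && echo self-signed || echo ca-issued
}

# Exit 0 if trust anchor $1 vouches for leaf $2 (a managed desktop's decision).
trusted_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Throwaway material in directory $1: internal CA, self-signed server cert,
# CA-issued server cert (also saved as DER).
make_demo_certs() {
  d=$1; host=discourse.example.internal
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
    -keyout "$d/selfsigned.key" -out "$d/selfsigned.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$d/issued.key" -out "$d/issued.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/issued.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/issued.pem" 2>/dev/null
  openssl x509 -in "$d/issued.pem" -outform DER -out "$d/issued.der"
}
```

Running `cert_kind` on the self-signed file prints `self-signed` and `trusted_by ca.pem selfsigned.pem` fails, which is exactly the browser warning Punit saw; the CA-issued file passes `trusted_by` once the CA is the trust anchor.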