topic Re: Is SSL required for localhost development and testing? in Integration and Testing

Is SSL required for localhost development and testing?

dustin1 — Thu, 09 Feb 2017 18:13:39 GMT

I've found a few threads that skimmed this question, but no direct question and answer.

Is there a way to develop and test an Accept.js integration on my local machine with the sandbox without an SSL certificate?

Re: Is SSL required for localhost development and testing?

Lilith — Fri, 10 Feb 2017 15:45:58 GMT

@dustin1 You do not need a certificate for your domain, unless you're accepting inbound connections that need to be secure.

Using Accept.js, you'd be connecting outbound, to our servers, which have a full TLS 1.2 setup, and you don't need a domain certificate for that.

Make sure your platform adequately supports creating outbound TLS 1.2 connections, and you should be fine.

Re: Is SSL required for localhost development and testing?

dustin1 — Fri, 10 Feb 2017 18:42:29 GMT

Ah, sorry. I assumed everything was web based when I posted my comment.

What I'm asking is whether I can develop and test locally without enabling my apache web server to use ssl certificates, so I can test with a http://localhost/ domain.

It sounds like you are saying that is not possible, and I need to set up https:// on my local machine for testing Accept.js.

Thanks,

-Dustin

Re: Is SSL required for localhost development and testing?

dustin1 — Fri, 10 Feb 2017 18:43:17 GMT

Oops, I don't know if I need to include @Lilith to make sure you received my response. :)

Re: Is SSL required for localhost development and testing?

Lilith — Fri, 10 Feb 2017 18:50:34 GMT

@dustin1 Sorry if my response wasn't clear. Let me try rephrasing a bit.

You would only need HTTPS for securing inbound connections for your server.

Since you're making outbound connections to us via HTTPS, you don't need a domain certificate. Those outbound connections depend on our domain certificate, and doesn't depend on you having one.

Domain certificates are used so connections can validate who they're connecting to. They aren't used to confirm where the connection is coming from.

Does that help?

As for @ replies, it's not required, but it's helpful. :)

Re: Is SSL required for localhost development and testing?

dustin1 — Fri, 10 Feb 2017 18:58:42 GMT

@Lilith Thanks. Almost there!

You said, "Since you're making outbound connections to us via HTTPS, you don't need a domain certificate."

My question: How do I test and develop without HTTPS?

Thanks,

-Dustin

Re: Is SSL required for localhost development and testing?

Lilith — Fri, 10 Feb 2017 19:11:17 GMT

@dustin1 You have to use HTTPS to secure the connection. However, you don't need to set up a domain certificate.

Using HTTPS for an API call doesn't require your site to have a domain certificate, or a working "https://" URL. There is absolutely no requirement that you secure inbound connections to your site.

It does require your server to have CA certificates and the setup necessary to validate our domain certificate, as the outbound API connection needs to be secured.

If you're using a Windows-based server with .NET methods, you'd use SChannel, just like IE does, to make the connection. (Disclaimer, I'm not a .NET developer, but the methods to create HTTPS connections should be baked-in.)

If you're using *NIX, you would need to use a SSL/TLS library like OpenSSL, so your solution could connect to secure URLs.

Java has its own SSL/TLS methods baked into the JRE.

Re: Is SSL required for localhost development and testing?

dustin1 — Fri, 10 Feb 2017 19:19:41 GMT

Hi,

I don't think that is correct. Here's an example I'm using:

https://hastebin.com/rehusoluji.xml

When I press Pay.

I get this error in my console

AcceptCore.js:1 An HTTPs connection is required to secure delivery of payment information.
e @ AcceptCore.js:1
(index):33 ADN Error :: E_WC_02:A HTTPS connection is required.

Re: Is SSL required for localhost development and testing?

dustin1 — Fri, 10 Feb 2017 19:21:20 GMT

I'll note, when I use https://localhost/ it works and when I use http://localhost/ it fails.

Therefore, I don't think there's a way to test and develop locally without https.

Re: Is SSL required for localhost development and testing?

Lilith — Fri, 10 Feb 2017 19:27:40 GMT

Can you connect to any secure sites from your server?

Re: Is SSL required for localhost development and testing?

dustin1 — Fri, 10 Feb 2017 19:37:26 GMT

Hi,

You'll notice in the code sample I provided that the server is connecting to a secure site.

https://jstest.authorize.net/v1/Accept.js

It uses HTTPS to connect to authorize.net and pull the Accept.js javascript code. This is working, which indicates that my server can connect to HTTPS.

You'll then see the error message I provided was an authorize.net error message, which means the authorize.net javascript code that was pulled from a secure site, was functioning.

Then the error message says that https is required.

Therefore, I believe that in order to test and develop, that HTTPS is required for your local server.

That's the entire point of this thread. I was unable to verify this by looking through documentation, and looking through other forum posts. So I wanted to confirm that was the case.

I'm also hoping this will help others some day when they're curious about the same thing. This will provide a definitive answer. :) Any chance you could have a dev double-check and confirm this explicitly? Since there is an error message, I assume it's not a bug on authorize.net's side.

Thanks,

-Dustin

Re: Is SSL required for localhost development and testing?

Aaron — Fri, 10 Feb 2017 20:22:25 GMT

Hi @dustin1,

I can confirm that the page calling the Accept.js script does need to be served from a server supporting a secure connection. If you're testing locally, that means that the server you're running on your machine needs to support https, although you don't have to have a domain certificate to do that (as Lilith points out).

The Accept.js documentation does list the error message:

E_WC_02

A HTTPS connection is required.

The page on which you’re including Accept.js must be served over an HTTPS connection.

However, it's not explicit in the documentation that you'll get that error message anytime that page is served insecurely, so it's not clear to the reader if this error message is listed as just a possible thing you might see depending on situation.

I'm making a note to put an explicit mention of the requirement on this page to avoid future confusion. Hope that helps!

Re: Is SSL required for localhost development and testing?

dustin1 — Fri, 10 Feb 2017 20:29:48 GMT

Thank you for confirming this. Your response is the answer to the original post of this thread. Appreciate it.

As a web developer, I work on programming over a dozen different websites. All of my production websites have HTTPS with domain certificates.

Locally, however, I do all of my development on a non-https localhost site. I set up hosts like http://site1.dev and http://site2.dev and so on.

There are a number of third-party services which require HTTPS for production, but allow for HTTP during development.

I would just throw out my request that when using sandbox, that HTTPS would not be required, as it would make it easier.

As I mentioned in my last post. I did end up configuring https on my local machine for the dev site while I build in an authorize.net implementation. It's just unfortunate because if I have to dev for authorize.net for more than one site, apache won't let me use https for more than one domain at a time so I'll have to restart my localhost server each time I switch projects.

Not a show stopper, but definitely something I'd appreciate you considering.

If you'd like, it might even be a sandbox option that defaults to require https on the web server, that can be turned off. So that most cases it'll be like it currently is, but for advanced users, such as in my case, I could turn it off. Since I've got it set up on all my production servers, and I know what I'm doing.

Thanks for your help. Case closed.

Re: Is SSL required for localhost development and testing?

Lilith — Fri, 10 Feb 2017 21:39:15 GMT

@dustin1 Sorry if I engendered any confusion in this discussion. I did get a bit more detail, however.

The Javascript we provide includes the window.location.protocol property, which tells us if the page evoking the script is using HTTP or HTTPS. And we do require HTTPS for that property.

I also confirmed that we have a feature request to allow HTTP for window.location.protocol, if window.location.hostname equals "localhost". So hopefully this option will be available in the near future.

Since you do (after all) need HTTPS on your test server, is https://letsencrypt.org/ a possible option for you, so you don't have to spend extra money on a certificate for that server?

Re: Is SSL required for localhost development and testing?

dustin1 — Fri, 10 Feb 2017 21:42:29 GMT

Thanks for the extra info.

LetsEncrypt does work for testing locally for SSL, but you can also create a self-signed cert for localhost testing.

I'd recommend LetsEncrypt more so for production servers since those are actual valid domain certificates.

Re: Is SSL required for localhost development and testing?

andynu — Mon, 20 Mar 2017 18:02:13 GMT

Hi @Lilith, Any progress on enabling http localhost development?

It for python (flask, web2py), and ruby (rails, sinatra) development setting up local https is an unusual requirement. For production of course it makes perfect sense.

Thanks,

Andy

Re: Is SSL required for localhost development and testing?

Aaron — Mon, 20 Mar 2017 18:06:33 GMT

Hi @andynu,

That feature is oft-requested, but unfortunately, we can't commit to a timeframe right now.

Re: Is SSL required for localhost development and testing?

gregblass — Tue, 28 Nov 2017 00:26:17 GMT

Asking developers to enable HTTPS on their development server / local machine is NOT normal (at least in the Ruby world) - and definitely too much to ask.

Whoever is prioritizing that as 'Oft-requested' but not important enough to prioritize, in my opinion, is completely wrong.

I was trying to keep my client on their existing authorize.net account, but this is definitely the final straw pushing me into moving them completely off of authorize.net for their whole system and over to braintree/stripe.

Re: Is SSL required for localhost development and testing?

gregblass — Tue, 28 Nov 2017 11:57:23 GMT

Seriously though, I'm at least two hours into this now on a fixed budget project. Really appreciate your all's decision to not prioritize this.

Look at how fun this process has become!

https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288

Re: Is SSL required for localhost development and testing?

gregblass — Tue, 28 Nov 2017 12:57:25 GMT

3 hours of wasted and frustrating time later, this script finally worked for me to generate a self signed certificate for localhost with a proper subjectAltName. On Mac OS, you also have to add the key to your keychain and mark it as trusted as these comments describe.

https://github.com/loganstellway/self-signed-ssl