Is SSL required for localhost development and testing?

I've found a few threads that skimmed this question, but no direct question and answer.

Is there a way to develop and test an Accept.js integration on my local machine with the sandbox without an SSL certificate?

dustin1
Contributor
35 REPLIES

Hi,

You'll notice in the code sample I provided that the server is connecting to a secure site.

https://jstest.authorize.net/v1/Accept.js

It uses HTTPS to connect to authorize.net and pull the Accept.js JavaScript code. This is working, which indicates that my server can connect to HTTPS.

You'll then see the error message I provided was an authorize.net error message, which means the authorize.net JavaScript code that was pulled from a secure site was functioning.

Then the error message says that HTTPS is required.

Therefore, I believe that in order to test and develop, HTTPS is required for your local server.

That's the entire point of this thread. I was unable to verify this by looking through documentation, and looking through other forum posts. So I wanted to confirm that was the case.

I'm also hoping this will help others some day when they're curious about the same thing. This will provide a definitive answer. :) Any chance you could have a dev double-check and confirm this explicitly? Since there is an error message, I assume it's not a bug on authorize.net's side.

Thanks,

-Dustin

Hi @dustin1,

I can confirm that the page calling the Accept.js script does need to be served from a server supporting a secure connection. If you're testing locally, that means that the server you're running on your machine needs to support https, although you don't have to have a domain certificate to do that (as Lilith points out).

The Accept.js documentation does list the error message:

E_WC_02A: HTTPS connection is required. The page on which you’re including Accept.js must be served over an HTTPS connection.

However, it's not explicit in the documentation that you'll get that error message anytime that page is served insecurely, so it's not clear to the reader if this error message is listed as just a possible thing you might see depending on situation.

I'm making a note to put an explicit mention of the requirement on this page to avoid future confusion. Hope that helps!

Thank you for confirming this. Your response is the answer to the original post of this thread. Appreciate it.

As a web developer, I work on programming over a dozen different websites. All of my production websites have HTTPS with domain certificates.

Locally, however, I do all of my development on a non-https localhost site. I set up hosts like http://site1.dev and http://site2.dev and so on.

There are a number of third-party services which require HTTPS for production, but allow for HTTP during development.

I would just throw out my request that, when using sandbox, HTTPS would not be required, as it would make it easier.

As I mentioned in my last post, I did end up configuring https on my local machine for the dev site while I build in an authorize.net implementation. It's just unfortunate because if I have to dev for authorize.net for more than one site, Apache won't let me use https for more than one domain at a time so I'll have to restart my localhost server each time I switch projects.

Not a show stopper, but definitely something I'd appreciate you considering.

If you'd like, it might even be a sandbox option that defaults to require https on the web server, that can be turned off. So that most cases it'll be like it currently is, but for advanced users, such as in my case, I could turn it off. Since I've got it set up on all my production servers, and I know what I'm doing.

Thanks for your help. Case closed.

@dustin1 Sorry if I engendered any confusion in this discussion. I did get a bit more detail, however.

The Javascript we provide includes the window.location.protocol property, which tells us if the page evoking the script is using HTTP or HTTPS. And we do require HTTPS for that property.

I also confirmed that we have a feature request to allow HTTP for window.location.protocol, if window.location.hostname equals "localhost". So hopefully this option will be available in the near future.

Since you do (after all) need HTTPS on your test server, is https://letsencrypt.org/ a possible option for you, so you don't have to spend extra money on a certificate for that server?

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

Thanks for the extra info.

LetsEncrypt does work for testing locally for SSL, but you can also create a self-signed cert for localhost testing.

I'd recommend LetsEncrypt more so for production servers since those are actual valid domain certificates.

Hi @Lilith, any progress on enabling http localhost development?

For Python (Flask, web2py) and Ruby (Rails, Sinatra) development, setting up local https is an unusual requirement. For production of course it makes perfect sense.

Thanks,

Andy

Hi @andynu,

That feature is oft-requested, but unfortunately, we can't commit to a timeframe right now.

Asking developers to enable HTTPS on their development server / local machine is NOT normal (at least in the Ruby world) - and definitely too much to ask.

Whoever is prioritizing that as 'Oft-requested' but not important enough to prioritize, in my opinion, is completely wrong.

I was trying to keep my client on their existing authorize.net account, but this is definitely the final straw pushing me into moving them completely off of authorize.net for their whole system and over to braintree/stripe.

Seriously though, I'm at least two hours into this now on a fixed budget project. Really appreciate your all's decision to not prioritize this.

Look at how fun this process has become!

https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certifica...

3 hours of wasted and frustrating time later, this script finally worked for me to generate a self-signed certificate for localhost with a proper subjectAltName. On Mac OS, you also have to add the key to your keychain and mark it as trusted as these comments describe.

https://github.com/loganstellway/self-signed-ssl
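For readers following the thread, here is an added example (not from any poster, and not the linked script) of generating a self-signed development certificate whose subjectAltName covers `localhost`, `127.0.0.1` and any extra local hostnames, then checking which names it matches. It assumes the `openssl` command-line tool is installed; the function names and the `dev.key`/`dev.crt` file names are made up for this example.

```sh
#!/bin/sh
# Added example: self-signed certificate for local HTTPS development.
# Usage: make_dev_cert OUTDIR [extra-hostname ...]
make_dev_cert() {
    outdir=$1; shift
    mkdir -p "$outdir" || return 1
    # Browsers match on subjectAltName, not the CN, so every name
    # the dev site is reached by has to be listed here.
    san="DNS:localhost,IP:127.0.0.1"
    for name in "$@"; do
        san="$san,DNS:$name"
    done
    cnf="$outdir/openssl.cnf"
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = localhost
[v3]
subjectAltName = $san
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # CA:FALSE + serverAuth: if this cert is later marked trusted, it can
    # only vouch for the listed names, not sign certificates for others.
    ( umask 077   # private key readable by the current user only
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -config "$cnf" -keyout "$outdir/dev.key" \
          -out "$outdir/dev.crt" ) 2>/dev/null
}

# cert_covers CERT HOSTNAME: succeeds only if the certificate matches HOSTNAME.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Example run (constructed hostnames, taken from the thread):
#   make_dev_cert ./devcert site1.dev site2.dev
#   cert_covers ./devcert/dev.crt site1.dev && echo "site1.dev covered"
```

The certificate is untrusted until it is added to the OS or browser trust store on the development machine; keep `dev.key` out of version control and off production hosts.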