Confirguring Rocket 0.5 TLS with NO-IP trrustcor certification

Question

I've been using Rust-lang Rocket v0.5-rc for the past couple of weeks in order to create my web application. In order to get my SSL certificate and a domain name, I've been using NO-IP free services.

I generated a 2048 bit RSA key with OpenSSL, converted it to PKCS-8, created a CSR (using the pre-made key) and uploaded it to NO-IP. After a while, I downloaded the cert chain and configured Rocket.toml as described:

[global]
port = 443
address = "0.0.0.0"

[default.tls]
certs = "certs.pem"
key = "key.key"

However, when I try to connect via firefox to the website I get either a "Connection Lost" or a "SSL Malformed" warning.

Server output:

    Finished dev [unoptimized + debuginfo] target(s) in 0.13s
     Running `target\debug\rocket_project.exe`
Configured for debug.
   >> address: 0.0.0.0
   >> port: 443
   >> workers: 8
   >> ident: Rocket
   >> keep-alive: 5s
   >> limits: bytes = 8KiB, data-form = 2MiB, file = 1MiB, form = 32KiB, json = 1MiB, msgpack = 1MiB, string = 8KiB
   >> tls: enabled
   >> temp dir: C:\Users\talhk\AppData\Local\Temp\
   >> log level: normal
   >> cli colors: true
   >> shutdown: ctrlc = true, force = true, grace = 2s, mercy = 3s
Warning: found set deprecated profile `development`
   >> profile was replaced by `debug`
Warning: found set deprecated profile `production`
   >> profile was replaced by `release`
Routes:
   >> (index) GET /
   >> (get_file_external) GET /<file..>
Fairings:
   >> Shield (liftoff, response, singleton)
Shield:
   >> Permissions-Policy: interest-cohort=()
   >> X-Content-Type-Options: nosniff
   >> X-Frame-Options: SAMEORIGIN
Rocket has launched from https://0.0.0.0:443
Error: connection accept error: received corrupt message
Error: optimistically retrying now
Warning: Received SIGINT. Requesting shutdown.
Received shutdown request. Waiting for pending I/O...

Additional Info: When I used Wireshark to find out what's happening it described it as TCP (not TLS) communication.

Any ideas?

Answer 1

The problem could be that you are not actually connecting to your Rocket webserver. The hostname you are using most likely resolves to a public IP address where something else might be listening. Try testing using localhost first with https://localhost and accept the invalid certificate (or skip to the end of this message for how to change your hosts file). If that turns out to be the case you will need to set up port forwarding in your router for port 443.

But that is just a guess. I'm not sure why you got that specific error, but I was able to set up Rocket with a TrustCor cert for a free hostname from https://www.noip.com. Here are the steps I took:

I got rocket working using the Getting Started page. My main.rs looks just like theirs and I'm using version 0.5.0-rc.1. I get "Hello World!" with curl on http://127.0.0.1:8000. So I know everything is working without TLS.

Next, I generated a key and csr with openssl,

openssl req -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.csr

The important line is the "Common Name" which I set to rocket-test.zapto.org. I did not set a password for the key. There is no need to change the key or csr format. openssl by default generates them in the correct format for Rocket / rustls and No-IP.

I created the hostname and then I followed the No-IP guide to upload the CSR, https://www.noip.com/support/knowledgebase/configure-trustcor-standard-dv-ssl/

I waited for the cert to be issued and then I downloaded it from the "PEM Chain (Recommended)" link.

I moved the file to my cargo project directory along with my key. I also changed the port Rocket is listening on to 443 as your have it. Here is what my files look like:

$ grep ^rocket Cargo.toml
rocket = { version = "0.5.0-rc.1", features = ["tls"] }

$ cat Rocket.toml
[global]
port = 443

[default.tls]
certs = "rocket-test_zapto_org.pem-chain"
key = "key.pem"

$ ls -1 *pem*
key.pem
rocket-test_zapto_org.pem-chain

$ head -n 2 key.pem 
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC4gZZbg2iWPlyi

$ head -n 2 rocket-test_zapto_org.pem-chain
-----BEGIN CERTIFICATE-----
MIIGpzCCBY+gAwIBAgIMV2rPeuY8+0gQuie4MA0GCSqGSIb3DQEBCwUAMFsxCzAJ

cargo run shows it listening on https://127.0.0.1:443, no longer http://127.0.0.1:8000,

$ cargo run
...
 Rocket has launched from https://127.0.0.1:443

First we test that it is working without verifying the hostname (--insecure does not verify the Common Name of the certificate),

$ curl --insecure https://127.0.0.1
Hello, world!

Now we can use curl with --resolve to check that it is working with the correct Common Name,

$ curl --resolve rocket-test.zapto.org:443:127.0.0.1 https://rocket-test.zapto.org
Hello, world!

To test locally with a browser we need the name to resolve to 127.0.0.1 in the browser. We can do that by adding it to the /etc/hosts file. It looks like you're on Windows so the hosts file is at C:\Windows\System32\Drivers\etc\hosts. Create the file if it does not exist and add an entry at the end that looks like this (with your hostname of course),

127.0.0.1  rocket-test.zapto.org

Then I can open my browser to https://rocket-test.zapto.org and it will work.