cancel
Showing results for 
Search instead for 
Did you mean: 

Is SSL required for localhost development and testing?

I've found a few threads that skimmed this question, but no direct question and answer.

 

Is there a way to develop and test an Accept.js integration on my local machine with the sandbox without an SSL certificate?

dustin1
Contributor
1 ACCEPTED SOLUTION

Accepted Solutions

Hi @dustin1,

 

I can confirm that the page calling the Accept.js script does need to be served from a server supporting a secure connection. If you're testing locally, that means that the server you're running on your machine needs to support https, although you don't have to have a domain certificate to do that (as Lilith points out).

 

The Accept.js documentation does list the error message: 

E_WC_02A HTTPS connection is required.The page on which you’re including Accept.js must be served over an HTTPS connection.

 

However, it's not explicit in the documentation that you'll get that error message anytime that page is served insecurely, so it's not clear to the reader if this error message is listed as just a possible thing you might see depending on situation.

 

I'm making a note to put an explicit mention of the requirement on this page to avoid future confusion. Hope that helps!

View solution in original post

35 REPLIES 35

@dustin1 You do not need a certificate for your domain, unless you're accepting inbound connections that need to be secure.

Using Accept.js, you'd be connecting outbound, to our servers, which have a full TLS 1.2 setup, and you don't need a domain certificate for that.

Make sure your platform adequately supports creating outbound TLS 1.2 connections, and you should be fine.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.
Lilith
Administrator Administrator
Administrator

Ah, sorry. I assumed everything was web based when I posted my comment.

 

What I'm asking is whether I can develop and test locally without enabling my apache web server to use ssl certificates, so I can test with a http://localhost/ domain.

 

It sounds like you are saying that is not possible, and I need to set up https:// on my local machine for testing Accept.js.

 

Thanks,

-Dustin

Oops, I don't know if I need to include @Lilith to make sure you received my response. :)

@dustin1 Sorry if my response wasn't clear. Let me try rephrasing a bit.

You would only need HTTPS for securing inbound connections for your server.

Since you're making outbound connections to us via HTTPS, you don't need a domain certificate. Those outbound connections depend on our domain certificate, and doesn't depend on you having one.

Domain certificates are used so connections can validate who they're connecting to. They aren't used to confirm where the connection is coming from.

Does that help?


As for @ replies, it's not required, but it's helpful. :)

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

@Lilith Thanks. Almost there!

 

You said, "Since you're making outbound connections to us via HTTPS, you don't need a domain certificate."

 

My question: How do I test and develop without HTTPS?

 

Thanks,

-Dustin

@dustin1 You have to use HTTPS to secure the connection. However, you don't need to set up a domain certificate.

Using HTTPS for an API call doesn't require your site to have a domain certificate, or a working "https://" URL. There is absolutely no requirement that you secure inbound connections to your site.

 

It does require your server to have CA certificates and the setup necessary to validate our domain certificate, as the outbound API connection needs to be secured.

If you're using a Windows-based server with .NET methods, you'd use SChannel, just like IE does, to make the connection. (Disclaimer, I'm not a .NET developer, but the methods to create HTTPS connections should be baked-in.)

If you're using *NIX, you would need to use a SSL/TLS library like OpenSSL, so your solution could connect to secure URLs.

Java has its own SSL/TLS methods baked into the JRE.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

Hi,

 

I don't think that is correct. Here's an example I'm using:

 

https://hastebin.com/rehusoluji.xml

 

When I press Pay.

 

I get this error in my console

 

AcceptCore.js:1 An HTTPs connection is required to secure delivery of payment information.
e @ AcceptCore.js:1
(index):33 ADN Error :: E_WC_02:A HTTPS connection is required.

 

 

I'll note, when I use https://localhost/ it works and when I use http://localhost/ it fails.

 

Therefore, I don't think there's a way to test and develop locally without https.

Can you connect to any secure sites from your server?

--
"Move fast and break things," out. "Move carefully and fix what you break," in.