Send push notification from a internal server

1. Background

   I have a smart home application written in java and spring. It runs from a raspberrypi inside my home network 192.168.x.x. For security reasons I do not want to control it from internet.

2. What I have

   A web application consist of web pages and some apis. I can open the web page on my phone, tablet, or laptop to view status (e.g. room temperature) and send command (e.g. start heating).

3. What I want

   I want the server can send push notification to my web client even the page is not open.

4. What I have tried

   I was trying to make the web page a PWA and running from a https site, then connect to the server locally. However the Mixed Content policy of PWA prevented this. I was trying to make my local server https. However since it running on a private ip address thus can't get a valid ssl certificate.

I don't want to write a native application because I need to write it for android, iOS and macOs and windows, that is a nightmare to maintain.

So what option I can have? TIA.

I will start posting this as an answer as it will get far too in depth for a comment...

When dealing with a faux certificate and a domain, the issue of the DNS resolution of a domain and certificate validity is completely under your control. As long as you control all the systems.

You can short out your domain lookup to a specific address, buy modifying host file as such...

Now your client computer will think service.foo.com is actually the LAN (Or wan if you have a static IP or dynamic DNS and port it through router/firewall) IP of your server. In your Pi it would be at /etc/hosts

It does not have to be a domain you own or exists, but it is best to choose something random that does not exist to avoid confusion.

Now the client thinks that domain IS that IP, as certainly as it had looked it up in a public or private DNS server. Opening a browser and going to that URL will resolve to your server, and if there is something there to accept it, will load just like any other page.

Next problem is that the certificate now has to match what the domain reports to be.

You can cut a self signed certificate as follows.

Make a text file named req.conf (Arbitrary name but must match in command line below)

And populate it as so, substituting your own values, then save.

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = CA
L = Beverly Hills
O = MyCompany
OU = IT
CN = SERVICE.FOO.COM
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = SERVICE.FOO.COM

Then you need to cut the keypair using openssl

Make the keypair (Follow the prompts, they are logical...):

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout cert.pem -out cert.pem -config req.conf -extensions 'v3_req'

Convert to PFX if needed anywhere as PFX not PEM format, not sure in your case, but either way you now have crt/key, PFX, and PEM versions, so you are loaded for bear:

openssl pkcs12 -export -out cert.pfx -in cert.pem

Verify details of the certificate are correct for sanity:

openssl x509 -in cert.pem -noout -text

From here you have the key to bind on the web server according to whatever instructions your web server uses. You can verify that by loading a page on it as HTTPS... It should complain that the cert is invalid, but this step is just to make sure it is being served.

Note: if you server has no browser accessible pages, you can use opeenssl again to check certificate as such:

 openssl s_client -connect service.foo.com:443

Of course with your port if not on 443. This will connect and return all the cert details which should match what you saw above.

IF all is well to this point, now all you have to do is tell your client to trust the certificate (Register in local certificate store, so it never asks the real world public CA to validate the cert.)

Rather than type it all, a good set of instructions are here...

Windows: https://support.kaspersky.com/CyberTrace/1.0/en-US/174127.htm

Linux: https://unix.stackexchange.com/questions/90450/adding-a-self-signed-certificate-to-the-trusted-list

From that point forward the whole chain from where is my domain to who is my domain, to is my domain trusted, all should work on local authority, not anything relating to the real world DNS/CA system...

This could be done with a domain DNS server and domain CA in network as well, such as Microsoft Active Directory, but if you do not have one, it is overkill for a development lab when the above should suffice.

Disclaimer: All that said, though this DOES provide a work around I would never suggest adopting this model for production or public use. Labs and internal/personal external systems only. IT is just to demonstrate it CAN be done, and once all tested and deployed for any other use, you should follow the established standards for HTTPS security! ;)

That is why I refer to the public DNS and CA systems as implied trust models, you are really only saying I trust that guy because I trust this guy and he says the other guy is OK. It only works if the people you trust to validate other people are people you can trust! IN this case, you are only trusting yourself. :-)