[GH-ISSUE #60] How to actually use the certs? #33

Closed
opened 2026-02-25 22:32:25 +03:00 by kerem · 9 comments

Originally created by @j1elo on GitHub (Aug 15, 2018).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/60

Hi, totally newbie question here. I'm not a web developer and this is the first time I configure self-signed certificates, so bear with me. Also I'd like to propose adding a section in the documentation for people in my situation.

This is what I'm currently doing, step by step command-line style. Server is an Amazon AWS machine with Ubuntu 16.04, in which I'm doing some WebRTC tests; Chrome and Firefox will refuse to allow webcam and microphone access to insecure sites (except for localhost), so I need to serve an HTTPS page from my test server:

```
# [On DEV] Set up 'mkcert'
curl -o mkcert -L 'https://github.com/FiloSottile/mkcert/releases/download/v1.1.0/mkcert-v1.1.0-linux-amd64'
chmod +x mkcert

# [On DEV] Create a CA used for signing certificates, copy it to CLIENTs
sudo apt-get install -y libnss3-tools
./mkcert -install
scp "$(./mkcert -CAROOT)/rootCA.pem" user@${LINUX_CLIENT}:
scp "$(./mkcert -CAROOT)/rootCA.pem" user@${MAC_CLIENT}:

# [On DEV] Create certificate for needed domains, copy it to SERVER
./mkcert '*.compute.amazonaws.com' localhost 127.0.0.1
scp ./_wildcard.compute.amazonaws.com+2.pem     user@${SERVER}:cert.pem
scp ./_wildcard.compute.amazonaws.com+2-key.pem user@${SERVER}:key.pem

# [On SERVER] Start HTTPS server using Node.js
curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
sudo apt-get install -y nodejs
sudo npm install -g http-server
http-server -p 8080 --ssl --cert ~/cert.pem --key ~/key.pem ~/web

# [On LINUX_CLIENT] Set up 'mkcert', install CA
curl -o mkcert -L 'https://github.com/FiloSottile/mkcert/releases/download/v1.1.0/mkcert-v1.1.0-linux-amd64'
chmod +x mkcert
sudo apt-get install -y libnss3-tools
CAROOT="$PWD" ./mkcert -install

# [On MAC_CLIENT] Set up 'mkcert', install CA
curl -o mkcert -L 'https://github.com/FiloSottile/mkcert/releases/download/v1.1.0/mkcert-v1.1.0-darwin-amd64'
# the downloaded binary is named 'mkcert', so that is the file to make executable
chmod +x mkcert
brew install nss
CAROOT="$PWD" ./mkcert -install
```

At this point, I open this URL in Chrome:
`https://ec2-11-22-33-44.region.compute.amazonaws.com:8080/`

But it still shows a warning page right before loading, and after dismissing the warning, a RED warning with "Not secure" text is shown in the address bar.

What I expected is that Chrome loads the page without any security warnings and with a GREEN lock in the address bar.

What steps I'm missing to make this work as intended?

I wanted to do this because the name that AWS gives your machine depends on the region of that particular machine and it also changes every time the machine starts up, so the best would be to have a certificate that doesn't mind what is the actual name of the subdomain, and be able to use the generated cert in several machines.

---- UPDATE ----

The reason for this problem is that *a restriction exists in how wildcard certificates work by spec*, not anything to do specifically with mkcert. It turns out that a wildcard such as `*.example.com` **won't match sub-subdomains** such as `a.b.example.com`.

Solution is to use wildcards for only one subdomain level:

```
# [On DEV] Create certificate for needed domains, copy it to SERVER
./mkcert '*.region.compute.amazonaws.com' localhost 127.0.0.1
scp ./_wildcard.region.compute.amazonaws.com+2.pem     user@${SERVER}:cert.pem
scp ./_wildcard.region.compute.amazonaws.com+2-key.pem user@${SERVER}:key.pem
```
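The name-matching rule from the UPDATE can be checked without a browser or a CA. This Go program is an added example (not from the thread and not mkcert's own code): for each set of DNS SANs it builds a throwaway self-signed certificate in memory and asks Go's `crypto/x509` verifier, which applies the same RFC 6125 wildcard rule browsers use, whether that certificate would be accepted for the EC2 hostname from the issue. The hostnames are the ones above; the certificate itself is constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// CertMatchesHost reports whether a leaf certificate whose DNS SANs are
// exactly sans would be accepted for host. It builds a throwaway self-signed
// certificate (constructed for this example, a stand-in for the mkcert leaf)
// and runs Go's VerifyHostname, which applies the RFC 6125 wildcard rule
// browsers use: "*" may stand for one whole leftmost label only, never "a.b".
func CertMatchesHost(sans []string, host string) (bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

func main() {
	host := "ec2-11-22-33-44.region.compute.amazonaws.com" // hostname from the thread
	for _, sans := range [][]string{
		{"*.compute.amazonaws.com", "localhost"},        // first mkcert run: one level short
		{"*.region.compute.amazonaws.com", "localhost"}, // the fix from the UPDATE
	} {
		ok, err := CertMatchesHost(sans, host)
		fmt.Printf("%-32s -> accepted for host: %v (err=%v)\n", sans[0], ok, err)
	}
}
```

The same check also shows that a wildcard never covers its bare parent name (`*.region.compute.amazonaws.com` does not match `region.compute.amazonaws.com`), so an explicit SAN is needed for that.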

@j1elo commented on GitHub (Aug 15, 2018):

More info:

Chrome says this in its warning screen:

```
NET::ERR_CERT_COMMON_NAME_INVALID
This server could not prove that it is ec2-11-22-33-44.region.compute.amazonaws.com; its security certificate is from *.compute.amazonaws.com.
```

And Firefox says something similar:

```
ec2-11-22-33-44.region.compute.amazonaws.com uses an invalid security certificate.
The certificate is only valid for the following names: *.compute.amazonaws.com, localhost, 127.0.0.1
Error code: SSL_ERROR_BAD_CERT_DOMAIN
```

Does this mean that it's not possible to create certificates for `AnySubdomain.example.com`?


@nickkaczmarek commented on GitHub (Aug 16, 2018):

I may be misunderstanding this, but since you're hitting your site from the amazonaws.com tld, mkcert won't work for this. You'll probably need to use let's encrypt or something and put that certificate on your aws server. Someone who knows more may have more insight, but that's how I understand this. This might be helpful, https://docs.aws.amazon.com/acm/latest/userguide/setup-website.html


@neoKushan commented on GitHub (Aug 17, 2018):

I don't believe you're using the tool as it was intended, as it's very much aimed at generating certs for local development. For deploying to AWS (or any server, really) you are best looking into something like Let's Encrypt for genuine SSL (or using the SSL cert that the cloud provider usually gives you). I don't know enough about aws to help with this, but there's plenty of documentation out there.


@j1elo commented on GitHub (Aug 17, 2018):

I see no reason why these certs wouldn't work for external machines; even the [README](https://github.com/FiloSottile/mkcert/blob/53f1769ab57d2e272477af28d19113e121718839/README.md) of this project starts by showing how to generate a cert for such one! (example.com)

```
$ mkcert example.com '*.example.org' myapp.dev localhost 127.0.0.1 ::1
```

I'm not a web dev and had zero idea of how to configure a certificate, so I just wanted to have a pair of files that can be copied to whatever machine, regardless of it being local or remote, and instantly have a valid HTTPS connection to them... well, that was the objective. Maybe I should have looked into Let's Encrypt for the AWS machine.

In any case, I actually made it work without any further problem whatsoever. The reason for my problem is that *a restriction exists in how wildcard certificates work by spec*, not anything to do specifically with mkcert. It turns out that a wildcard such as `*.example.com` **won't match sub-subdomains** such as `a.b.example.com`. As simple as that.

So I used `mkcert` to generate a certificate for `*.region.compute.amazonaws.com`. Problem solved.

I won't close this issue yet to allow the author see it and consider my proposal of adding a section in the documentation that talks about this use case. @FiloSottile thank you for this tool!


@Suleman-Elahi commented on GitHub (Aug 18, 2018):

Same question here.... how to use this.... every time it says "ERROR: xyz is not a valid hostname or IP"

![image](https://user-images.githubusercontent.com/24384996/44296063-505f7600-a2d4-11e8-96f7-abc3e7a026ea.png)


@nickkaczmarek commented on GitHub (Aug 22, 2018):

@Suleman-Elahi Did you try it with an administrator command prompt?


@Suleman-Elahi commented on GitHub (Aug 23, 2018):

Doesn't help

![image](https://user-images.githubusercontent.com/24384996/44509095-3061f500-a6ce-11e8-8213-93c550fd9233.png)


@j1elo commented on GitHub (Aug 23, 2018):

That error doesn't depend on running with or without Administrator CMD. It happens because [a regular expression fails to match](https://github.com/FiloSottile/mkcert/blob/060fcce2db48466c3903803e3a42b2689ace1617/main.go#L137).

Note how the error says `ERROR: "'*.example.org'"`: it is including the single quotes inside the double quotes. Of course, `'*.example.org'` is an invalid hostname. Try `*.example.org` without quotes, or with double quotes. It all depends on how the CMD interpreter treats single (and double) quotes in call arguments.

That's probably a documentation bug in mkcert. Please handle it in a new issue, and don't derail already existing ones such as this one.


@Suleman-Elahi commented on GitHub (Aug 23, 2018):

Thank you very much !!!! @j1elo

![image](https://user-images.githubusercontent.com/24384996/44523467-97e06a80-a6f7-11e8-93b0-92e623a26ee5.png)
