[GH-ISSUE #154] ACME server #96

Open
opened 2026-02-25 22:32:35 +03:00 by kerem · 8 comments

Originally created by @sedalu on GitHub (Apr 13, 2019).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/154

I would like to use `mkcert` as an ACME server to automate the process of using it as an internal CA for securing service-to-service http calls. Maybe as a separate program (`mkcert-ca`?)


@FiloSottile commented on GitHub (Apr 13, 2019):

It's already on the roadmap!

https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/


@FiloSottile commented on GitHub (Jul 6, 2019):

Given the shorter lifespans enforced by macOS Catalina (see #174), this just became more urgent.


@mdantonio commented on GitHub (Oct 11, 2019):

Hello @FiloSottile, can I ask you how the implementation of the ACME server is proceeding?
I'm very interested in this feature to start using mkcert; that's a great project.


@dentarg commented on GitHub (Nov 17, 2019):

Perhaps of interest for mkcert and others following this issue: https://smallstep.com/blog/private-acme-server/, https://github.com/smallstep/certificates


@mholt commented on GitHub (Apr 15, 2020):

In case it helps anyone here, we'll be landing the Smallstep ACME server into Caddy 2 soon: https://github.com/caddyserver/caddy/pull/3198 - using it is very simple, just add the `acme_server` handler to your config. (It can also keep your certificates renewed.)

AFAIK it is not necessary to use an ACME server to use the latest mkcert reliably on macOS. I'm just posting here in case anyone searching and finding this issue needs a simple but flexible ACME server.


@David263 commented on GitHub (Oct 25, 2020):

I'd like to see Let's Encrypt, mkcert, smallstep ACME, and/or some other initiative be extended to work for local development servers mirroring the tens of thousands of websites managed by the WHM and cPanel toolset on Linux.

I manage several websites doing my development work under Windows. I am using the excellent but little-known scheme of creating a virtual domain called dev.example.com (or local.example.com) on the production server. There is no directory for this special domain, and no serving of requests. Instead, the Let's Encrypt private key and certificate pair (here called the _certs_) for the main domain and its subdomains are manually copied to the local Windows server and serve to support HTTPS access locally to the development websites. Since the dev.example.com subdomain is easily mapped to 127.0.0.1 using the HOSTS file, local HTTPS requests work using dev.example.com (with support for that subdomain in the server configuration) exactly the same as on the corresponding production server (assuming the same server TLS configuration).

The problem with such an approach to local web development is that the certs expire every few months and have to be copied again and again, manually, from the production server to the development server.

What if we had an ACME-like script (available for all relevant programming languages) running on the production and/or development servers that would do this copying automatically whenever WHM performs the automatic Let's Encrypt certs renewals?

Then development work can use HTTPS just as universally and easily as production servers.

What is the advantage of doing this? The advantage is that security bugs are less likely to happen because developers get used to TLS access even during development. They will see cross-domain problems during testing even if they have not configured security tools like CSP to detect them.

Let's make the Web completely secure, easily and freely! Let's support eternal HTTPS on development servers (and eventually throughout the entire DNS system as well)!


@David263 commented on GitHub (Oct 25, 2020):

Does mkcert for local development work currently function under Windows Home and the Apache Server? The examples seem to be for Linux. What do you think about my cPanel support proposal?


@polarathene commented on GitHub (Oct 25, 2020):

> Instead, the Let's Encrypt private key and certificate pair (here called the _certs_) for the main domain and its subdomains are manually copied to the local Windows server and serve to support HTTPS access locally to the development websites.
>
> The problem with such an approach to local web development is that the certs expire every few months and have to be copied again and again, manually, from the production server to the development server.

Set up some automated sync process, schedule that. Shouldn't be too difficult to set up and re-use as you see fit?

That has little to do with mkcert though? Are you just using mkcert to install the certificate locally easily?

---

> What if we had an ACME-like script (available for all relevant programming languages) running on the production and/or development servers that would do this copying automatically whenever WHM performs the automatic Let's Encrypt certs renewals?

Give smallstep a go, it's not as intimidating or difficult as it might initially sound. They have great docs/blog articles to walk you through the process. I don't have experience with WHM/cPanel stuff, but if you can use Docker (I don't recall it being too difficult to get running), smallstep makes a nice personal ACME server. I don't see that helping your approach at all though.

Use mkcert to generate local certificates, they'll be good for quite a while (10 years I think?), it'll add the certificate to the trust store. If you're only dealing with several websites, this would be the least amount of effort and complexity for you.

Instead of Apache, perhaps look into Caddy, it'll automate all this for you. Just set up the domains you want to use locally for development in the Caddy config, tell Caddy to only use local certs instead of LetsEncrypt (default), and it will create a root CA certificate and install that into your OS trust store; daily certs will be generated and renewed from that root (10 years; technically there's a weekly renewed intermediate CA cert in between too). They have a friendly community for support, should you want to try that and have any questions.

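As an added example, not taken from the Caddy PR or from any comment above, here is a Caddyfile that wires together what @mholt and @polarathene describe: one site serves the embedded `acme_server`, a second site obtains its certificate from that internal ACME endpoint instead of from Let's Encrypt, and a third uses `tls internal` for purely local development. The hostnames, the upstream port and the root-certificate path are assumptions.

```caddyfile
# Internal ACME server (hostname is an assumption). Its own certificate comes
# from Caddy's built-in local CA ("tls internal"), whose root Caddy installs
# into the OS trust store. Clients reach the ACME directory at
# https://acme.internal.test/acme/local/directory ("local" is the default
# provisioner name).
acme.internal.test {
	tls internal
	acme_server
}

# A service-to-service endpoint that asks the internal ACME server above for
# its certificate and keeps it renewed, rather than contacting a public CA.
api.internal.test {
	tls {
		ca https://acme.internal.test/acme/local/directory
		# Root of the internal CA, so the ACME client trusts the endpoint even
		# when the root is not in the system trust store. The path is an
		# assumption; adjust it to your Caddy data directory.
		ca_root /var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt
	}
	respond "hello from api"
}

# For local development only: skip ACME entirely and let the built-in CA
# issue a short-lived certificate for a hosts-file name such as dev.example.com.
dev.example.com {
	tls internal
	reverse_proxy localhost:8080
}
```

Run `caddy validate --config Caddyfile` before `caddy run` to catch directive or path mistakes; the ACME and API hostnames must resolve (for example via the hosts file) to the machine running Caddy.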