
ACME server #154

Open
sedalu opened this issue Apr 13, 2019 · 8 comments
Labels
enhancement New feature or request

Comments

sedalu commented Apr 13, 2019

I would like to use mkcert as an ACME server to automate the process of using it as an internal CA for securing service-to-service http calls. Maybe as a separate program (mkcert-ca?)

@FiloSottile (Owner)

It's already on the roadmap!

https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/

@FiloSottile FiloSottile added the enhancement New feature or request label Jun 1, 2019
@FiloSottile FiloSottile pinned this issue Jul 6, 2019
@FiloSottile (Owner)

Given the shorter lifespans enforced by macOS Catalina (see #174), this just became more urgent.

@mdantonio

Hello @FiloSottile, can I ask you how the implementation of the ACME server is proceeding?
I'm very interested in this feature to start to use mkcert; that's a great project.

dentarg commented Nov 17, 2019

Perhaps of interest for mkcert and others following this issue: https://smallstep.com/blog/private-acme-server/, https://github.com/smallstep/certificates

mholt commented Apr 15, 2020

In case it helps anyone here, we'll be landing the Smallstep ACME server into Caddy 2 soon: caddyserver/caddy#3198 - using it is very simple, just add the acme_server handler to your config. (It can also keep your certificates renewed.)

AFAIK it is not necessary to use an ACME server to use the latest mkcert reliably on macOS. I'm just posting here if anyone searching and finding this issue needs a simple but flexible ACME server.

@David263

I'd like to see Let's Encrypt, mkcert, smallstep ACME, and/or some other initiative be extended to work for local development servers mirroring the tens of thousands of websites managed by the WHM and cPanel toolset on Linux.

I manage several websites doing my development work under Windows. I am using the excellent but little-known scheme of creating a virtual domain called dev.example.com (or local.example.com) on the production server. There is no directory for this special domain, and no serving of requests. Instead, the Let's Encrypt private key and certificate pair (here called the certs) for the main domain and its subdomains are manually copied to the local Windows server and serve to support HTTPS access locally to the development websites. Since the dev.example.com subdomain is easily mapped to 127.0.0.1 using the HOSTS file, local HTTPS requests work using dev.example.com (with support for that subdomain in the server configuration) exactly the same as on the corresponding production server (assuming the same server TLS configuration).

The problem with such an approach to local web development is that the certs expire every few months and have to be copied again and again, manually, from the production server to the development server.

What if we had an ACME-like script (available for all relevant programming languages) running on the production and/or development servers that would do this copying automatically whenever WHM performs the automatic Let's Encrypt certs renewals?

Then development work can use HTTPS just as universally and easily as production servers.

What is the advantage of doing this? The advantage is that security bugs are less likely to happen because developers get used to TLS access even during development. They will see cross-domain problems during testing even if they have not configured security tools like CSP to detect them.

Let's make the Web completely secure, easily and freely! Let's support eternal HTTPS on development servers (and eventually throughout the entire DNS system as well)!

@David263

Does mkcert for local development work currently function under Windows Home and the Apache Server? The examples seem to be for Linux. What do you think about my cPanel support proposal?

@FiloSottile FiloSottile unpinned this issue Oct 25, 2020
@polarathene

> Instead, the Let's Encrypt private key and certificate pair (here called the certs) for the main domain and its subdomains are manually copied to the local Windows server and serve to support HTTPS access locally to the development websites.
>
> The problem with such an approach to local web development is that the certs expire every few months and have to be copied again and again, manually, from the production server to the development server.

Set up some automated sync process, schedule that. Shouldn't be too difficult to set up and re-use as you see fit?

That has little to do with mkcert though? Are you just using mkcert to install the certificate locally easily?

> What if we had an ACME-like script (available for all relevant programming languages) running on the production and/or development servers that would do this copying automatically whenever WHM performs the automatic Let's Encrypt certs renewals?

Give smallstep a go, it's not as intimidating or difficult as it might initially sound. They have great docs/blog articles to walk you through the process. I don't have experience with WHM/cPanel stuff, but if you can use Docker (I don't recall it being too difficult to get running), smallstep makes a nice personal ACME server. I don't see that helping your approach at all though.

Use mkcert to generate local certificates, they'll be good for quite a while (10 years I think?), it'll add the certificate to the trust store. If you're only dealing with several websites, this would be the least amount of effort and complexity for you.

Instead of Apache, perhaps look into Caddy, it'll automate all this for you. Just set up the domains you want to use locally for development in the Caddy config, tell Caddy to only use local certs instead of LetsEncrypt (default), and it will create a root CA certificate and install that into your OS trust store; daily certs will be generated and renewed from that root (10 years, technically there's a weekly renewed intermediate CA cert in between too). They have a friendly community for support, should you want to try that and have any questions.
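The "long-lived root, short-lived leaf" model described above for mkcert and Caddy, together with the "is renewal due yet" check that an automated renewal or sync job would run, as an added Go example for this thread. It is not mkcert's, Caddy's or smallstep's code: the 10-year root and 24-hour leaf lifetimes, the CA name, and the hosts dev.example.com and 127.0.0.1 are assumptions for illustration. It goes slightly beyond the comments above by verifying the leaf for both a DNS name and an IP literal, which is how a browser with the root in its trust store would judge it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Lifetimes chosen for this example (assumptions, not mkcert's or Caddy's
// exact policy): a root installed once in the trust store, and a leaf that
// is reissued automatically before it expires.
const (
	rootLifetime = 10 * 365 * 24 * time.Hour
	leafLifetime = 24 * time.Hour
)

// newLocalCA creates a self-signed root CA (the role mkcert's rootCA.pem plays).
func newLocalCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example local dev CA"}, // assumed name
		NotBefore:             now,
		NotAfter:              now.Add(rootLifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a server certificate for hosts (DNS names or IP literals;
// hosts must be non-empty, the first entry becomes the CN) with the local root.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hosts []string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: hosts[0]},
		NotBefore:    now,
		NotAfter:     now.Add(leafLifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip) // e.g. 127.0.0.1 from the HOSTS mapping
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h) // e.g. dev.example.com
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyForHost chains the leaf to the local root and checks it is valid
// for host at time now, as a client trusting that root would.
func verifyForHost(leaf, root *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host, // Go accepts an IP literal here as well
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// renewalDue is the check a scheduled renewal or sync job runs: act once
// less than threshold of the certificate's lifetime remains.
func renewalDue(cert *x509.Certificate, now time.Time, threshold time.Duration) bool {
	return cert.NotAfter.Sub(now) < threshold
}

func main() {
	now := time.Now()
	root, rootKey, err := newLocalCA(now)
	if err != nil {
		panic(err)
	}
	leaf, _, err := issueLeaf(root, rootKey, []string{"dev.example.com", "127.0.0.1"}, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("chain ok:", verifyForHost(leaf, root, "dev.example.com", now) == nil,
		"renew within 2h:", renewalDue(leaf, now, 2*time.Hour))
}
```

The split matters for the concern raised earlier in the thread: only the root needs to reach the trust store, and only once; the leaf is short-lived and regenerated by a job, so nothing long-lived has to be copied around.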

7 participants