
Comments (24)

mikeselander avatar mikeselander commented on May 29, 2024 1

I'm also now running against this on a separate client from Than. Both of his requests would be exceedingly helpful if we can't set up the certificates correctly automatically.

from altis-local-server.

rmccue avatar rmccue commented on May 29, 2024 1

Caddy is powered by smallstep under the hood; related Chassis discussion: Chassis/chassis_openssl#15 (comment)


jennybeaumont avatar jennybeaumont commented on May 29, 2024 1

It was determined that this isn't technically possible.


rmccue avatar rmccue commented on May 29, 2024 1

mkcert is not really programmatically usable, that's part of the reason I hadn't dug into it further for Chassis. And Smallstep is what's used inside Caddy I believe.


roborourke avatar roborourke commented on May 29, 2024

Marking this as future release because it's literally impossible with a single certificate. This would require a significant amount of work to change to either generating self-signed certs and adding those programmatically to a trusted store as per local-chassis or building out some sort of service that updates the altis.dev DNS records on demand for provisioning certs with LetsEncrypt.


goldenapples avatar goldenapples commented on May 29, 2024

I'm running up against this right now, and would love to see one of the following:

  • instructions for generating a self-signed certificate and configuring it to be used within altis-local-server-nginx.
  • the ability to run local-server with HSTS disabled.


nathanielks avatar nathanielks commented on May 29, 2024

I don't have time to read this now, but I want to leave this for my future self: https://www.smarthomebeginner.com/traefik-2-docker-tutorial/


nathanielks avatar nathanielks commented on May 29, 2024

Also making note that Caddy 2 might be a good replacement as it can manage/generate TLS certificates: https://caddyserver.com/v2


nathanielks avatar nathanielks commented on May 29, 2024

TL;DR: they generate their own trusted CA locally: https://caddyserver.com/docs/automatic-https#local-https


jennybeaumont avatar jennybeaumont commented on May 29, 2024

Closing in favor of #151


roborourke avatar roborourke commented on May 29, 2024

For anyone googling this - a short term workaround if you're using Google Chrome is to type thisisunsafe on the HTTPS warning screen you get when navigating to a sub-sub domain of altis.dev


nathanielks avatar nathanielks commented on May 29, 2024

Without context, I don't see #151 solving this issue. Is there more context that can be added?


nathanielks avatar nathanielks commented on May 29, 2024

FWIW I do think this is technically possible. When spinning up local-server, we know what the second star is in the url (*.<project name>.altis.dev). Now it's a matter of enabling SSL certificate creation when the project is started up, creating a wildcard certificate for *.<project name>.altis.dev.


roborourke avatar roborourke commented on May 29, 2024

#151 hints at being able to choose the URL local server runs on, i.e. moving away from the altis.dev requirement. Maybe technically possible but very difficult and not something there's really been a strong will for anyone to dive into so far. If we can make SSL work *.<project>.altis.dev then presumably we can use that same solution for providing SSL for any desired local URL.


nathanielks avatar nathanielks commented on May 29, 2024

TL;DR: I've done some messing around this evening and this definitely appears possible with Traefik v2 and tools like mkcert. Traefik v2 allows for dynamic configuration updates, meaning the proxy can be running and dynamically add new SSL certificates. Upgrading to Traefik v2 changes a good bit of how things are configured, but I'd say it's within the realm of feasibility, though requiring more than the 2 hours or so I've put into looking into it 🙂


nathanielks avatar nathanielks commented on May 29, 2024

The other TL;DR is composer local-server up would create SSL certificates if they don't exist, place them in a folder Traefik has mounted as a volume, and manage a file Traefik would read for configuring itself with the SSL certificates.


jennybeaumont avatar jennybeaumont commented on May 29, 2024

Shall we reopen? Does this deliver value? Do we have a clear path forward?


roborourke avatar roborourke commented on May 29, 2024

I think we more or less ruled out mkcert as it can’t be bundled with this package neatly. @rmccue mentioned using Caddy but I’ve not really managed to grok how to use it yet.

There is value in this I just thought we’d take a different approach. I’ll reopen.


nathanielks avatar nathanielks commented on May 29, 2024

I had similar issues with Caddy. I started with that first last night. It worked great for anything localhost/127.0.0.1, but for DNS addresses it attempts to use Let's Encrypt to generate a certificate (even if the address resolves to localhost).

For mkcert, we could wrap the CLI like we do docker-compose, I reckon. I'm not dedicated to mkcert, either. I'm curious about Smallstep's tool, too, but didn't mess around with it at all.


nathanielks avatar nathanielks commented on May 29, 2024

All that to say, whenever this gets reprioritized, a spike to play around with what options we have available would be good 😀


joehoyle avatar joehoyle commented on May 29, 2024

Not sure if it's mentioned here, but it's not possible to use self-signed certs on *.dev domains. It's also not possible to get a cert signed for *.*.altis.dev as far as I know (SSLMate were not able to, and said it's not supported by the spec)


sivanovhm avatar sivanovhm commented on May 29, 2024

Based on RFC6125, my understanding is that only a single level of wildcard domain can be used. (I am assuming the same would be valid for self-signed certs as well).

In other words, if dev names are structured <projectname>.altis.dev, the correct way to proceed is to have one certificate for every project which contains both *.<projectname>.altis.dev and <projectname>.altis.dev.

That said, *.*.altis.dev should not work. Even if we manage to issue them, I don't think clients (browsers, curl, etc) would consider them as valid.

I'm totally unaware of how everything is packaged, yet, but from the tip of my head came the following idea:
certbot docker image + configured hook to a script to automatically add the needed records for validation. I haven't used it before but it looks like a possible approach. That is if I am not totally out of context due to missing knowledge regarding our platform. An example of what I described can be found here

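The single-wildcard rule from RFC 6125 that the two comments above rely on can be checked directly against a real TLS client implementation. The following is a worked example added here for illustration; it is not code from the altis-local-server project. It mints a throwaway local CA in memory with Go's crypto/x509, issues three leaf certificates (the single *.altis.dev certificate local-server ships, a *.*.altis.dev certificate of the kind SSLMate declined to issue, and a per-project certificate carrying both <project>.altis.dev and *.<project>.altis.dev), and then asks which hostnames a client that trusts that CA would accept. The CA name, the project name "myproject" and the certificate lifetimes are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// localCA is a throwaway development CA held in memory (assumed for this example).
// A real local-server would persist it and install it into the OS/browser trust
// store, which is what mkcert and Caddy's local HTTPS do; here it only signs leaves.
type localCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newLocalCA() (*localCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "altis local dev CA (example)"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &localCA{cert: cert, key: key}, nil
}

// issueLeaf signs a server certificate whose subjectAltName carries exactly dnsNames.
// It deliberately does not validate wildcard syntax, so it will encode *.*.altis.dev
// and let the client-side matching rules be observed in accepted() below.
func (ca *localCA) issueLeaf(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour), // assumed lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// projectSANs is the per-project name set the thread converges on: the apex name
// plus one level of wildcard beneath it.
func projectSANs(project string) []string {
	base := project + ".altis.dev"
	return []string{base, "*." + base}
}

// accepted reports whether a client that trusts ca would accept leaf for host: the
// chain must build to ca and host must match a SAN under the RFC 6125 rules that
// crypto/x509 implements (one leftmost * covers exactly one DNS label).
func accepted(ca *localCA, leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func must(c *x509.Certificate, err error) *x509.Certificate {
	if err != nil {
		log.Fatal(err)
	}
	return c
}

func main() {
	ca, err := newLocalCA()
	if err != nil {
		log.Fatal(err)
	}
	certs := []struct {
		label string
		cert  *x509.Certificate
	}{
		{"shipped *.altis.dev", must(ca.issueLeaf([]string{"*.altis.dev"}))},
		{"*.*.altis.dev", must(ca.issueLeaf([]string{"*.*.altis.dev"}))},
		{"per-project SANs", must(ca.issueLeaf(projectSANs("myproject")))},
	}
	for _, h := range []string{"myproject.altis.dev", "www.myproject.altis.dev", "a.www.myproject.altis.dev"} {
		for _, c := range certs {
			fmt.Printf("%-26s %-20s accepted=%v\n", h, c.label, accepted(ca, c.cert, h))
		}
	}
}
```

Running it shows the shipped *.altis.dev certificate covering myproject.altis.dev but not www.myproject.altis.dev, the *.*.altis.dev certificate covering nothing at all, and the per-project certificate covering the apex and one level beneath it but not a.www.myproject.altis.dev. Verification also fails outright against a CA the client does not trust, which is why any mkcert- or Caddy-style approach still has to get its CA into the trust store.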

roborourke avatar roborourke commented on May 29, 2024

@sivanovhm you're quite right, it's not possible. Certbot has been tricky to get working in my early efforts so I'm thinking that commands to wrap the mkcert program is the way to go


roborourke avatar roborourke commented on May 29, 2024

Regarding .altis.dev we ship a cert with local server and have the DNS for *.altis.dev pointing to localhost

