FiloSottile / mkcert

A simple zero-config tool to make locally trusted development certificates with any names you'd like.
https://mkcert.dev
BSD 3-Clause "New" or "Revised" License

ACME server #154

Open sedalu opened 5 years ago

sedalu commented 5 years ago

I would like to use mkcert as an ACME server to automate the process of using it as an internal CA for securing service-to-service http calls. Maybe as a separate program (mkcert-ca?)

FiloSottile commented 5 years ago

It's already on the roadmap!

https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/

FiloSottile commented 5 years ago

Given the shorter lifespans enforced by macOS Catalina (see #174), this just became more urgent.

mdantonio commented 4 years ago

Hello @FiloSottile, can I ask you how the implementation of the ACME server is proceeding? I'm very interested in this feature to start using mkcert; it's a great project.

dentarg commented 4 years ago

Perhaps of interest for mkcert and others following this issue: https://smallstep.com/blog/private-acme-server/, https://github.com/smallstep/certificates

mholt commented 4 years ago

In case it helps anyone here, we'll be landing the Smallstep ACME server into Caddy 2 soon: https://github.com/caddyserver/caddy/pull/3198 - using it is very simple, just add the acme_server handler to your config. (It can also keep your certificates renewed.)

AFAIK it is not necessary to use an ACME server to use the latest mkcert reliably on macOS. I'm just posting here if anyone searching and finding this issue needs a simple but flexible ACME server.

David263 commented 3 years ago

I'd like to see Let's Encrypt, mkcert, smallstep ACME, and/or some other initiative be extended to work for local development servers mirroring the tens of thousands of websites managed by the WHM and cPanel toolset on Linux.

I manage several websites doing my development work under Windows. I am using the excellent but little-known scheme of creating a virtual domain called dev.example.com (or local.example.com) on the production server. There is no directory for this special domain, and no serving of requests. Instead, the Let's Encrypt private key and certificate pair (here called the certs) for the main domain and its subdomains are manually copied to the local Windows server and serve to support HTTPS access locally to the development websites. Since the dev.example.com subdomain is easily mapped to 127.0.0.1 using the HOSTS file, local HTTPS requests work using dev.example.com (with support for that subdomain in the server configuration) exactly the same as on the corresponding production server (assuming the same server TLS configuration).

The problem with such an approach to local web development is that the certs expire every few months and have to be copied again and again, manually, from the production server to the development server.

What if we had an ACME-like script (available for all relevant programming languages) running on the production and/or development servers that would do this copying automatically whenever WHM performs the automatic Let's Encrypt certs renewals?

Then development work can use HTTPS just as universally and easily as production servers.

What is the advantage of doing this? The advantage is that security bugs are less likely to happen because developers get used to TLS access even during development. They will see cross-domain problems during testing even if they have not configured security tools like CSP to detect them.

Let's make the Web completely secure, easily and freely! Let's support eternal HTTPS on development servers (and eventually throughout the entire DNS system as well)!

David263 commented 3 years ago

Does mkcert currently work for local development under Windows Home and the Apache Server? The examples seem to be for Linux. What do you think about my cPanel support proposal?

polarathene commented 3 years ago

Instead, the Let's Encrypt private key and certificate pair (here called the certs) for the main domain and its subdomains are manually copied to the local Windows server and serve to support HTTPS access locally to the development websites.

The problem with such an approach to local web development is that the certs expire every few months and have to be copied again and again, manually, from the production server to the development server.

Set up some automated sync process, schedule that. Shouldn't be too difficult to set up and re-use as you see fit?

That has little to do with mkcert though? Are you just using mkcert to install the certificate locally easily?

What if we had an ACME-like script (available for all relevant programming languages) running on the production and/or development servers that would do this copying automatically whenever WHM performs the automatic Let's Encrypt certs renewals?

Give smallstep a go, it's not as intimidating or difficult as it might initially sound. They have great docs/blog articles to walk you through the process. I don't have experience with WHM/cPanel stuff, but if you can use Docker (I don't recall it being too difficult to get running), smallstep makes a nice personal ACME server. I don't see that helping your approach at all though.

Use mkcert to generate local certificates; they'll be good for quite a while (10 years I think?), and it'll add the certificate to the trust store. If you're only dealing with several websites, this would be the least amount of effort and complexity for you.

Instead of Apache, perhaps look into Caddy, it'll automate all this for you. Just set up the domains you want to use locally for development in the Caddy config, tell Caddy to only use local certs instead of Let's Encrypt (the default), and it will create a root CA certificate and install that into your OS trust store; daily certs will be generated and renewed from that root (10 years, technically there's a weekly renewed intermediate CA cert in between too). They have a friendly community for support, should you want to try that and have any questions.
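As an added example (not configuration from the thread, from mkcert or from the Caddy project), a Caddyfile that combines the two suggestions above: `tls internal` has Caddy issue the development hostnames' certificates from its own local CA, and `acme_server` exposes that same CA over ACME to other services on the machine. It assumes Caddy 2 with the `acme_server` directive from caddyserver/caddy#3198, and that `dev.example.com` and `local.example.com` are mapped to 127.0.0.1 in the HOSTS file as described earlier in the thread.

```caddyfile
# Added example, not from the thread. Assumes Caddy 2 with the acme_server
# directive (caddyserver/caddy#3198) and dev.example.com / local.example.com
# mapped to 127.0.0.1 in the HOSTS file.

# Development sites: `tls internal` makes Caddy issue their certificates from
# its own local CA instead of Let's Encrypt. On first run Caddy installs that
# root CA into the OS trust store (it prompts for permission) and it renews the
# short-lived leaf certificates itself, so nothing is copied from production.
dev.example.com, local.example.com {
	tls internal
	root * ./site
	file_server
}

# Private ACME endpoint backed by the same local CA. Other local services can
# point an ACME client at https://acme.localhost/acme/local/directory (the
# default directory path for Caddy's "local" CA) to obtain their own
# certificates, which is the role this issue asks mkcert to fill.
acme.localhost {
	tls internal
	acme_server
}
```

Run with `caddy run --config Caddyfile`; the root certificate Caddy installs is the one other clients must trust before talking to the ACME endpoint.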