krotik
commented
3 years ago Hey there, thanks for the idea. I think I would rather not take decisions for end users where security certificates are concerned. It is possible to use EliasDB without doing anything. However, the user is then warned that the current state is not ok for long term use. I think this is in the moment a good balance between usability and encouragement to research.
Taking a decision here might put some users at risk as it might not be right for them (and they might not know it). Like the big warning in the browser, sometimes it is better to nudge users to research for themselves and take an informed decision.
I would be all for making the current documentation of EliasDB more clear or give some hints. The addition would need some careful balance in terms of text length and long-term correctness (e.g. links not getting outdated).
gedw99
We can create Certs that are trusted in all browsers for local development.
It will make development easier i think and lead to less false positives like:
For Dev environment ...
https://github.com/FiloSottile/mkcert
It is golang and so can be imported or just used independently.
I just hit a problem with running tutorial from the examples dir ( not dist) to do with TLS trust. mkcert is nice because the many browsers trust the dev server, and so you don't get any false positives and other weird stuff.
As an aside, Its important to also turn this off for Prod, since normally the Proxy Server or whatever you use will do this for you.
For Prod environment ...
It might be useful to add LetEncrypt that caddy uses ?
I see two options here:
The durable storage of the Certs is also a consideration, because you want all instances in the cluster to share the same Cert.
More info here: https://caddy.community/t/where-does-caddy-keep-their-certificates/4728 Same goes for local Dev too, in that you want the Certs stored globally for all instances.