peterldowns / localias

custom local domain aliases for local dev servers
MIT License

localias run: warning: "certutil" is not available, install "certutil" with "brew install nss" and try again #9

Closed gedw99 closed 1 year ago

gedw99 commented 1 year ago

You can easily import mkcert to do all this, and not need any brew stuff.

Basically, whenever a new domain is added, you run mkcert $(DOMAIN) and it will do all the tricky cert trust stuff and gen the cert key and cert pem.

Anyway, here is the brew problem...

localias run

2023/07/21 11:11:34.192 INFO    admin   admin endpoint started  {"address": "unix//Users/apple/Library/Application Support/localias/caddy.sock", "enforce_origin": false, "origins": [""]}
2023/07/21 11:11:34.202 INFO    tls.cache.maintenance   started background certificate maintenance  {"cache": "0xc000118d20"}
2023/07/21 11:11:34.204 INFO    tls     cleaning storage unit   {"description": "FileStorage:/Users/apple/Library/Application Support/localias/caddy"}
2023/07/21 11:11:34.204 INFO    tls     finished cleaning storage units
2023/07/21 11:11:34.273 WARN    pki.ca.local    installing root certificate (you might be prompted for password)    {"path": "storage:pki/authorities/local/root.crt"}
2023/07/21 11:11:34.381 INFO    warning: "certutil" is not available, install "certutil" with "brew install nss" and try again
peterldowns commented 1 year ago

This warning (and these logs) are all generated by Caddy, which I'm embedding. mkcert would definitely work to generate certificates but I'd rather let Caddy handle it all for me and not have to write that code myself.

Other than the warning log, was there a problem with the proxying behavior? Or is the issue solely that there is a warning log printed?

Also, do you mind telling me what OS you're on, what version of localias you have installed, and how you installed it?

gedw99 commented 1 year ago

I am on Mac, Intel.

Latest version off the git tree.

I could not proxy because of the error. I did not look more deeply into why it was wanting to install CertUtil.

If you need me to try anything, just let me know. Happy to try out things here.

gedw99 commented 1 year ago

This is the origin of the error:

https://github.com/smallstep/truststore/blob/master/truststore_nss.go

peterldowns commented 1 year ago

I'm sorry, I cannot reproduce this error. When I run localias for the first time on a clean installation, I see the following logs:

❯ localias run
2023/07/21 18:11:04.031 INFO    admin   admin endpoint started  {"address": "unix//Users/pd/Library/Application Support/localias/caddy.sock", "enforce_origin": false, "origins": [""]}
2023/07/21 18:11:04.031 INFO    tls.cache.maintenance   started background certificate maintenance  {"cache": "0x1400020d650"}
2023/07/21 18:11:04.033 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/07/21 18:11:04.033 INFO    http    enabling automatic HTTP->HTTPS redirects    {"server_name": "srv0"}
2023/07/21 18:11:04.047 WARN    pki.ca.local    installing root certificate (you might be prompted for password)    {"path": "storage:pki/authorities/local/root.crt"}
2023/07/21 18:11:04.056 INFO    warning: "certutil" is not available, install "certutil" with "brew install nss" and try again
2023/07/21 18:11:04.056 INFO    define JAVA_HOME environment variable to use the Java trust
Password:
2023/07/21 18:11:16.481 INFO    certificate installed properly in macOS keychain
2023/07/21 18:11:16.498 INFO    tls cleaning storage unit   {"description": "FileStorage:/Users/pd/Library/Application Support/localias/caddy"}
2023/07/21 18:11:16.498 INFO    http    enabling HTTP/3 listener    {"addr": ":443"}
2023/07/21 18:11:16.498 INFO    tls finished cleaning storage units
2023/07/21 18:11:16.499 INFO    http.log    server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/07/21 18:11:16.499 INFO    http.log    server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/07/21 18:11:16.499 INFO    http    enabling automatic TLS certificate management   {"domains": ["test"]}
2023/07/21 18:11:16.499 INFO    tls.obtain  acquiring lock  {"identifier": "test"}
2023/07/21 18:11:16.519 INFO    tls.obtain  lock acquired   {"identifier": "test"}
2023/07/21 18:11:16.519 INFO    tls.obtain  obtaining certificate   {"identifier": "test"}
2023/07/21 18:11:16.520 INFO    tls.obtain  certificate obtained successfully   {"identifier": "test"}
2023/07/21 18:11:16.520 INFO    tls.obtain  releasing lock  {"identifier": "test"}

Notice that I see the same log line as you:

2023/07/21 18:11:04.056 INFO    warning: "certutil" is not available, install "certutil" with "brew install nss" and try again

That log line is just a warning, it does not cause the command to fail. When the command runs I am prompted to enter my admin password to install the root certificate. After doing so, localias continues to run without issue.

I'm not sure what's going wrong for you, can you please tell me:

peterldowns commented 1 year ago

Closing since I cannot reproduce the problem. I will re-open this if there is actually something going wrong that I can reproduce, or others report a similar issue.

hslatman commented 1 year ago

@gedw99 note that mkcert also relies on certutil for NSS truststore support: https://github.com/FiloSottile/mkcert/blob/master/truststore_nss.go#L19. The https://github.com/smallstep/truststore package, which is used by Caddy, is in fact based on mkcert.

A potential improvement could be to rely on the truststore package directly, and to mimic the logic that Caddy executes, before Caddy does its work, just before running the server or starting the daemon. Using a direct call to truststore might also be an option for the debug option to install a root cert in #15.
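As an added illustration of the pre-flight idea above (example code, not localias's or smallstep/truststore's own): a check that mirrors the detection behind the two log lines in this thread, reporting which trust stores a root-CA install would reach and which would be skipped with a non-fatal warning. Names like Preflight and TrustStoreReport are hypothetical; the lookup functions are injected so the check can be tested without a real PATH or environment, and nothing is installed.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"runtime"
)

// TrustStoreReport describes which trust stores a root-CA install would reach.
// Hypothetical type for this example, not part of localias or truststore.
type TrustStoreReport struct {
	System   bool     // OS store (macOS keychain, Linux ca-certificates, Windows store)
	NSS      bool     // Firefox / Chromium-on-Linux NSS databases, written via certutil
	Java     bool     // Java cacerts, located through $JAVA_HOME
	Warnings []string // non-fatal messages, worded as Caddy/truststore print them
}

// Preflight reports which stores would be written and which would be skipped.
// lookPath and getenv are injected (normally exec.LookPath and os.Getenv).
func Preflight(goos string, lookPath func(string) (string, error), getenv func(string) string) TrustStoreReport {
	r := TrustStoreReport{System: true} // the system store is always attempted
	if _, err := lookPath("certutil"); err != nil {
		hint := "\"certutil\"" // generic wording for platforms not covered below (assumption)
		if goos == "darwin" {
			hint = "\"certutil\" with \"brew install nss\"" // wording from the log line in this thread
		}
		r.Warnings = append(r.Warnings,
			fmt.Sprintf("warning: \"certutil\" is not available, install %s and try again", hint))
	} else {
		r.NSS = true
	}
	if getenv("JAVA_HOME") == "" {
		r.Warnings = append(r.Warnings, "define JAVA_HOME environment variable to use the Java trust")
	} else {
		r.Java = true
	}
	return r
}

func main() {
	r := Preflight(runtime.GOOS, exec.LookPath, os.Getenv)
	fmt.Printf("system=%v nss=%v java=%v\n", r.System, r.NSS, r.Java)
	for _, w := range r.Warnings {
		fmt.Println(w)
	}
	// The warnings only mean those optional stores are skipped; the system store
	// install (with its password prompt on macOS) still proceeds.
}
```

Running this before starting the proxy lets a user see up front which stores the local root CA will land in, so a browser that trusts only an NSS database is not mistaken for a proxy failure.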

gedw99 commented 1 year ago

Thanks @peterldowns, yep, agree this is a good way using truststore.