Open strarsis opened 3 years ago
This would just be an alternative to how Trellis currently creates a self-signed certificate for local development right? I assume needing a custom CA/ACME server would be very rare for other use cases with Trellis.
I've actually been working on a refactor of TLS certificates with Trellis using Certbot, which step would theoretically work nicely with. But to trust the CA, the tool would have to be run both on your host machine and the VM. Which of course means installing step on both.
While it seems nice to take advantage of certbot and just set a different ACME url in dev, there's also https://github.com/FiloSottile/mkcert which seems simpler overall. Though the same caveat applies, it would have to be installed and run both locally and remotely (which Trellis can help manage).
I am using the smallstep CA server and my own CA private key / intermediate private key for signing everything locally used (for internal/development use). All devices trust that CA cert so I can centrally manage the trusted certs without creating a mess. That would be the rationale behind this feature: A development/local staging server can sign its cert for HTTPS using the local smallstep CA server.
@strarsis I believe #1310 which I'm hoping to merge soon should solve this for you?
Although considering your use case, it has pros and cons. It would definitely let you override acme_ca_server with your custom one and then you'd have secure HTTPS in development.
However, right now this will always install smallstep and create a CA locally on the server in development which isn't needed in your case. It's not a huge deal, just slower + inefficient, but I'll see if I can make that optional.
Yes, the usage of certbot by that PR should make switching the CA URL much easier.
When the new PR is merged I can test how easy it would be to use a local CA for a staging Trellis server.
I improved https://github.com/roots/trellis/pull/1310 so that the local step-ca server won't be installed if a non-local CA server is specified. So in this case, you can just override the variable in development to whatever your CA host is and everything should work as expected 😄
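As an added illustration (not Trellis code and not part of this thread), the following checks an overridden acme_ca_server value the way a practitioner would before pointing a development server at a private CA: it decides whether the URL is "local" (the case where the comment above says step-ca would otherwise be installed) and validates that the directory document the URL serves advertises the endpoints an RFC 8555 ACME server must expose. The URL, the directory JSON and the local-host heuristic are all constructed assumptions for the example.

```python
import json
from urllib.parse import urlparse

# Constructed ACME directory document, modelled on what an RFC 8555 server
# (Let's Encrypt, or a step-ca ACME provisioner) returns at its directory
# URL. Not captured from any real server; the host is made up.
SAMPLE_DIRECTORY = json.dumps({
    "newNonce": "https://ca.internal.example/acme/acme/new-nonce",
    "newAccount": "https://ca.internal.example/acme/acme/new-account",
    "newOrder": "https://ca.internal.example/acme/acme/new-order",
    "revokeCert": "https://ca.internal.example/acme/acme/revoke-cert",
    "keyChange": "https://ca.internal.example/acme/acme/key-change",
})

# Endpoints every RFC 8555 directory must advertise (newAuthz is optional).
REQUIRED_ENDPOINTS = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")

# Assumed heuristic for "the CA runs on this machine"; Trellis may decide differently.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_local_ca_server(url: str) -> bool:
    """True when the configured CA URL points at the machine itself."""
    host = urlparse(url).hostname or ""
    return host in LOCAL_HOSTS or host.endswith(".localhost")


def check_acme_directory(url: str, body: str) -> list:
    """Return a list of problems with an acme_ca_server value and the directory it serves."""
    problems = []
    if urlparse(url).scheme != "https":
        problems.append("directory URL must use https")
    try:
        directory = json.loads(body)
    except json.JSONDecodeError:
        return problems + ["directory response is not JSON"]
    if not isinstance(directory, dict):
        return problems + ["directory response is not a JSON object"]
    for name in REQUIRED_ENDPOINTS:
        value = directory.get(name)
        if not isinstance(value, str) or urlparse(value).scheme != "https":
            problems.append(f"missing or non-https endpoint: {name}")
    return problems


if __name__ == "__main__":
    url = "https://ca.internal.example/acme/acme/directory"
    print("local CA:", is_local_ca_server(url))
    print("problems:", check_acme_directory(url, SAMPLE_DIRECTORY))
```

In practice the body would come from an HTTPS GET of the directory URL made with the private root in the trust store; an empty problem list means the override is usable as a drop-in for the Let's Encrypt URL.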
Summary
It would be helpful to add support for custom CA servers (ACME compatible, so basically a LE drop-in replacement).
Motivation
A Trellis local server for local testing should use an existing, private CA (ACME-compatible; smallstep-ca).
Additional context
Related: https://github.com/roots/trellis/issues/893 https://github.com/roots/trellis/issues/1066