roots / trellis

WordPress LEMP stack with PHP 8.2, Composer, WP-CLI and more
https://roots.io/trellis/
MIT License

Add support for custom certificate provider (ACME server) #1298

Open strarsis opened 3 years ago

strarsis commented 3 years ago

Summary

It would be helpful to add support for custom CA servers (ACME compatible, so basically a LE drop-in replacement).

Motivation

A Trellis local server for local testing should use an existing, private CA (ACME-compatible; smallstep-ca).

Additional context

Related: https://github.com/roots/trellis/issues/893 https://github.com/roots/trellis/issues/1066

swalkinshaw commented 3 years ago

This would just be an alternative to how Trellis currently creates a self-signed certificate for local development right? I assume needing a custom CA/ACME server would be very rare for other use cases with Trellis.

swalkinshaw commented 3 years ago

I've actually been working on a refactor of TLS certificates with Trellis using Certbot, which step would theoretically work nicely with. But to trust the CA, the tool would have to be run both on your host machine and the VM, which of course means installing step on both.

While it seems nice to take advantage of certbot and just set a different ACME url in dev, there's also https://github.com/FiloSottile/mkcert which seems simpler overall. Though the same caveat applies, it would have to be installed and run both locally and remotely (which Trellis can help manage).

strarsis commented 3 years ago

I am using the smallstep CA server and my own CA private key / intermediate private key for signing everything used locally (for internal/development use). All devices trust that CA cert, so I can centrally manage the trusted certs without creating a mess. That would be the rationale behind this feature: a development/local staging server can sign its cert for HTTPS using the local smallstep CA server.

swalkinshaw commented 2 years ago

@strarsis I believe #1310, which I'm hoping to merge soon, should solve this for you?

Although considering your use case, it has pros and cons. It would definitely let you override acme_ca_server with your custom one and then you'd have secure HTTPS in development.

However, right now this will always install smallstep and create a CA locally on the server in development which isn't needed in your case. It's not a huge deal, just slower + inefficient, but I'll see if I can make that optional.

strarsis commented 2 years ago

Yes, the usage of certbot by that PR should make switching the CA URL much easier. When the new PR is merged I can test how easy it would be to use a local CA for a staging Trellis server.

swalkinshaw commented 2 years ago

I improved https://github.com/roots/trellis/pull/1310 so that the local step-ca server won't be installed if a non-local CA server is specified. So in this case, you can just override the variable in development to whatever your CA host is and everything should work as expected 😄
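Before overriding `acme_ca_server` to point at a private step-ca instance, it is worth confirming that the URL really is an ACME directory served by that host and that its TLS chain validates against the private root only. The following pre-flight check is an added example, not Trellis or step-ca code; the host name, paths and CA bundle path are constructed placeholders.

```python
"""Pre-flight check for a custom ACME CA (e.g. step-ca) before Trellis uses it.

Added example, not Trellis code. Hostnames and paths below are constructed.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

# Resources an issuing client needs from an ACME directory (RFC 8555, 7.1.1).
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder")


def check_acme_directory(directory: dict, expected_host: str) -> list:
    """Return a list of problems found in an ACME directory document.

    An empty list means every required resource is present, uses HTTPS and
    stays on the expected host, so a client would not be quietly sent to
    some other (e.g. public) CA by a misconfigured or spoofed directory.
    """
    problems = []
    for name in REQUIRED_RESOURCES:
        url = directory.get(name)
        if not isinstance(url, str):
            problems.append(f"missing resource: {name}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{name} is not https: {url}")
        elif parts.hostname != expected_host.lower():
            problems.append(f"{name} points at a different host: {url}")
    return problems


def fetch_directory(directory_url: str, ca_bundle: str) -> dict:
    """Fetch the directory, trusting only the private root CA in ca_bundle."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # no system roots
    with urllib.request.urlopen(directory_url, context=ctx, timeout=10) as resp:
        return json.load(resp)


# Constructed sample resembling a step-ca ACME provisioner directory.
SAMPLE_DIRECTORY = {
    "newNonce": "https://ca.internal.test/acme/acme/new-nonce",
    "newAccount": "https://ca.internal.test/acme/acme/new-account",
    "newOrder": "https://ca.internal.test/acme/acme/new-order",
    "revokeCert": "https://ca.internal.test/acme/acme/revoke-cert",
}

if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_directory(...) for a live CA.
    print(check_acme_directory(SAMPLE_DIRECTORY, "ca.internal.test") or "directory OK")
```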