tmds / linux-dev-certs


Allow to use certificates when open site from other devices #34

Open asvishnyakov opened 1 month ago

asvishnyakov commented 1 month ago

@tmds As you asked on #31:

Use case is pretty simple: I need to open my site (running on developer machine) on other devices such as phone for testing or demo purposes

In this case I can't use localhost or a loopback IP address, as (obviously) they will point to the phone (device) itself instead of my dev machine. And if I try to open the site using my dev machine's IP address, I get an error about the certificate subject and site hostname mismatch.

You mentioned security impact. I agree with you on that and propose a restriction (opt-out feature?) to use only local network addresses (i.e. 10. or 192.168.)

tmds commented 1 month ago

Use case is pretty simple: I need to open my site (running on developer machine) on other devices such as phone for testing or demo purposes

Assuming we have included a LAN IP (like 192.168.1.200) in the https cert, what makes your phone trust that certificate? The cert doesn't match a CA that is trusted by the phone, right?

asvishnyakov commented 1 month ago

@tmds If we don't have an IP address in the cert, then it will never be trusted by the phone; even if I manually tap "continue", it will show an error in the address bar and an error on the main screen the next time I return to the page. But if I include the IP address, then I can just import the generated CA certificate to the phone and never see these errors again.

tmds commented 4 weeks ago

then I can just import generated CA certificate

I see. So you accept the CA cert, and then the phone accepts the cert for that IP. And with the current self-signed cert, your phone does not allow you to accept it as valid for that local network IP?

I'm ok with adding some options to the install command that enable this use-case.

Something like:

--add-local-ips
--add-ip <ip>
--add-name <dns-name>

How does that sound?

asvishnyakov commented 3 weeks ago

@tmds Basically, with the current configuration the certificate isn't valid on the phone because localhost isn't the IP address from which I open my site, yes.

Yeah, the option sounds great to me. I'll do the IP one when I have free time.