Open asvishnyakov opened 1 month ago
Use case is pretty simple: I need to open my site (running on developer machine) on other devices such as phone for testing or demo purposes.
Assuming we have included a LAN IP (like 192.168.1.200) in the HTTPS cert, what makes your phone trust that certificate? The cert doesn't match a CA that is trusted by the phone, right?
@tmds If we don't have an IP address in the cert, then it will never be trusted by the phone. Even if I manually tap "continue", it will show an error in the address bar and an error on the main screen the next time I return to the page. But if I include the IP address, then I can just import generated CA certificate to the phone and never see these errors again.
then I can just import generated CA certificate
I see. So, you accept the CA cert, and then the phone accepts the cert for that IP. And with the current self-signed cert, your phone does not allow you to accept it to be valid for that local network IP?
I'm ok with adding some options to the install command that enable this use-case.
Something like:
--add-local-ips
--add-ip <ip>
--add-name <dns-name>
How does that sound?
@tmds Basically, with the current configuration the phone certificate isn't valid because localhost isn't the IP address from which I open my site, yes.
Yeah, the option sounds great to me. I'll do the IP one when I have free time.
@tmds As you asked on #31:
Use case is pretty simple: I need to open my site (running on developer machine) on other devices such as phone for testing or demo purposes.
In this case I can't use localhost or a loopback IP address as (obviously) they will point to the phone (device) itself, instead of my dev machine. And if I try to open the site using my dev machine's IP address, I'll get an error about a certificate subject and site hostname mismatch.
You mentioned security impact. I agree with you on that and propose a restriction (opt-out feature?) to use only local network addresses (i.e. 10. or 192.168.)
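
The subject-name problem and the proposed LAN-only restriction discussed in this thread, as an added Python example that is not part of the original discussion or the project's code. The names `build_sans`, `host_matches` and `lan_only` are hypothetical, the 172.16.0.0/12 range is added alongside the two prefixes mentioned above, and 203.0.113.10 is a documentation address used as a constructed public IP.

```python
import ipaddress

# Private LAN ranges (RFC 1918). The thread names 10. and 192.168.;
# 172.16.0.0/12 is included here as an assumption.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_sans(ips=(), names=(), lan_only=True):
    """Return subjectAltName entries as ("IP", addr) / ("DNS", name) tuples.

    localhost and 127.0.0.1 are always present. With lan_only=True an address
    outside the private ranges is rejected, so a CA that devices have been
    told to trust is never asked to issue for a public IP.
    """
    sans = [("DNS", "localhost"), ("IP", ipaddress.ip_address("127.0.0.1"))]
    for raw in ips:
        addr = ipaddress.ip_address(raw)  # raises ValueError on malformed input
        if lan_only and not any(addr in net for net in LAN_NETS):
            raise ValueError(f"{addr} is not a private LAN address")
        if ("IP", addr) not in sans:
            sans.append(("IP", addr))
    for name in names:
        entry = ("DNS", name.lower().rstrip("."))
        if entry not in sans:
            sans.append(entry)
    return sans


def host_matches(host, sans):
    """Exact-match check (wildcards omitted): a host typed as an IP address is
    compared only with IP entries, a host name only with DNS entries."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return ("DNS", host.lower().rstrip(".")) in sans
    return ("IP", addr) in sans


if __name__ == "__main__":
    default = build_sans()                       # localhost-only certificate
    with_ip = build_sans(ips=["192.168.1.200"])  # what --add-ip would request
    print(host_matches("192.168.1.200", default))  # mismatch seen on the phone
    print(host_matches("192.168.1.200", with_ip))
```
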