Use devcert or similar strategy for ssl certificate generation #16
Comments
Thanks for the issue 🍺
Hey, devcert author here, just chiming in that it's the next thing up on my OSS todo list. There's a few changes that needed to happen to make sure we are doing things securely, and testing is a bit of a bear (as you might imagine). Thanks for everyone's patience (especially @shellscape's) while I work through these issues. Hopefully we can close this out soon!
Hey all, I'm in unfamiliar waters here so apologies in advance for the naive noob question: what's preventing this project from just having an
@rubencodes you could, but your browser wouldn’t trust that certificate, so you’d see annoying warning pages where your browser tells you “This isn’t safe, I don’t know whoever made this certificate”. To avoid that, you need to tell the browser to trust the certificate you generate, which requires sudo/admin level privileges (as it should). That process of telling the browser to trust a certificate also varies across platform and browser. Devcert is a library that manages all that for you, so you can just say “give me a trusted certificate” and it will do the legwork of prompting the user for permission and updating the various browser and OS level trust stores. So, you’re on the right track, but it’s slightly more complicated in the “under-the-hood” part ;)
@rubencodes the complexities that come with an under-the-hood approach make it undesirable.
@davewasmer @shellscape Gotcha, great answers all around! Thanks! These days switching a production website over to HTTPS can be as simple as checking a checkbox or running a single command (i.e. complexities hidden away from the end-user), so I was just curious if there was a way to do this with our local dev servers as well. Totally makes sense not to take the kitchen-sink approach, though.
@rubencodes even in that flip-the-switch scenario, there's a cert somewhere.
@rubencodes - One of the issues with auto-generated HTTPS certs comes into play when trying to connect to a backend via HTTPS (You need the certs to match) & auto-generated SSL certs across repos sounds tedious.
Add selfsigned lib
Top level directory for certs
Add package.json script
Ignore generated certs in .gitignore
Add
@d3viant0ne if I understand your post correctly, I think the biggest difference between
I'm adding documentation today to point users to
This issue is for a:
Expected Behavior
Generated certificate only needs to be trusted once instead of the current process from webpack-dev-server of having to go to Advanced and Proceed (unsafe) every time a new cert is generated.
This was discussed on webpack-dev-server as a suggested change for 3.x (which I now believe has morphed into this project)
Actual Behavior
No certs generated (at least that I can see in the current code), so this is up for discussion.
New Feature Use Case
Make sure everyone uses local SSL for development!
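The "trusted once" behaviour requested above depends on the dev server reusing one certificate instead of minting a new one on every start. The script below is an added example, not code from this project or from devcert: it generates a localhost certificate only when none exists or the stored one is close to expiry, so its fingerprint stays stable between runs. The `./certs` path, file names, and 30-day renewal window are assumptions, it needs OpenSSL 1.1.1 or newer for `-addext`, and it does not touch any trust store.

```shell
#!/bin/sh
# Added example (not project code). Paths, names and lifetimes are assumptions.
CERT_DIR="${CERT_DIR:-./certs}"          # hypothetical location; keep it in .gitignore
RENEW_BEFORE_SECS=$((30 * 24 * 3600))    # regenerate when under 30 days remain

# Create the key pair only when there is no usable one on disk.
ensure_dev_cert() {
  key="$CERT_DIR/localhost.key"
  crt="$CERT_DIR/localhost.crt"
  mkdir -p "$CERT_DIR" || return 1
  # -checkend exits 0 when the cert is still valid N seconds from now.
  if [ -s "$key" ] && [ -s "$crt" ] &&
     openssl x509 -in "$crt" -noout -checkend "$RENEW_BEFORE_SECS" >/dev/null 2>&1; then
    return 0                             # reuse: existing trust decisions stay valid
  fi
  ( umask 077                            # private key readable by the current user only
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/CN=localhost" \
      -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
      -keyout "$key" -out "$crt" >/dev/null 2>&1 )
}

# SHA-256 fingerprint: the value that stays the same while the cert is reused.
dev_cert_fingerprint() {
  openssl x509 -in "$CERT_DIR/localhost.crt" -noout -fingerprint -sha256
}

# Run as: sh dev-cert.sh run   (hypothetical file name, e.g. from a package.json script)
if [ "${1:-}" = "run" ]; then
  ensure_dev_cert && dev_cert_fingerprint
fi
```

A changed fingerprint between two starts means the certificate was regenerated and any earlier trust decision no longer applies to it.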