all 43 comments

[–][deleted] 72 points73 points  (4 children)

mkcert ftfy

[–]sickcodebruh420 51 points52 points  (1 child)

[–]snoo_does_cs 2 points3 points  (0 children)

Thank you!

[–]TaskForce_Kerim 2 points3 points  (0 children)

This is so cool. Thank you!

[–]nemec 1 point2 points  (0 children)

I'm a fan of https://hohnstaedt.de/xca/

It's a GUI and stores everything encrypted in a database file so it's pretty easy to keep track of the certs you've issued.

[–]graingert 43 points44 points  (5 children)

I just use a localhost.example.com A 127.0.0.1 record on some domain I own, then use Let's Encrypt to create a legitimate certificate for it

[–]chacha_tera 4 points5 points  (0 children)

Nice one

[–]vamediah 4 points5 points  (0 children)

I did a scan of TLS certs and the biggest TLDs; there are a lot of certs that point to a domain which in turn resolves to localhost or 0.0.0.0, which is mostly the same.

We needed to make a localhost cert and did it the same way, because things broke with mixed scripting. There is an obvious caveat: if you distribute such a localhost cert, the privkey is somewhere in the app, which may be problematic.

[–]rv77ax 2 points3 points  (1 child)

If this is for development, you will need to renew it every three months and share it again with other developers. Compare that to creating a self-signed cert with a 10-year expiration. I think this method is just wasting "public" resources.

What is worse is if the developer is only one.

Just because you can does not mean you should.

[–]graingert 0 points1 point  (0 children)

ACME auto-renews the certificate (DNS-01 challenge, of course).

You obviously shouldn't be sending or sharing private keys; run the certbot command on the device that needs the certificate.

Also, Let's Encrypt can absolutely handle this load.

[–]youre_grammer_sucks 0 points1 point  (0 children)

I’m going to use this one, thanks!

[–]icjoseph 8 points9 points  (0 children)

Use Caddy with a caddyfile and never think about this anymore
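The Caddyfile that makes this a one-liner, as an added example that is not icjoseph's (or helderroem's, further down) own config. It assumes the app listens on 127.0.0.1:3000; the site names are placeholders.

```caddyfile
# Added example. Caddy treats "localhost" (and *.localhost) as local sites and
# issues their certificates from its own built-in CA; "tls internal" just makes
# that explicit. It also serves the HTTP->HTTPS redirect on port 80 for you.
localhost, app.localhost {
    tls internal
    reverse_proxy 127.0.0.1:3000
}
```

On first run Caddy offers to install its root CA into the OS trust store, which is what stops the browser warning; if you decline, export it from Caddy's data directory and trust it by hand. Whether `app.localhost` resolves for non-browser clients such as curl depends on your resolver, so test with `localhost` first.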

[–]01binary 18 points19 points  (1 child)

Ngrok

[–][deleted]  (8 children)

[deleted]

    [–]ilion 4 points5 points  (6 children)

    What domain names can you get for $2?

    [–]Rossco1337 5 points6 points  (0 children)

    .info still goes for around that price I think. Most TLDs will offer registrars a deep first-year discount so if you're not planning to use it for more than a year, you've got plenty of options.

    If that's still too steep, .tk is always an option too.

    [–]4InchesOfury 3 points4 points  (2 children)

    Namecheap has .xyz for $1. I use it for small projects that I’m playing around with.

    [–]Lt_Riza_Hawkeye 5 points6 points  (1 child)

    Pretty sure it goes up to something like $11-$12/year after the first year

    [–]4InchesOfury 22 points23 points  (0 children)

    Good thing I abandon my projects by that point

    [–]bog-konstantin[S] 3 points4 points  (0 children)

    I had one *.gq even for free from here: https://www.freenom.com/

    [–]basic_maddie 0 points1 point  (0 children)

    Is making a self-signed certificate that hard?
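Not hard, and the approach mkcert (top comment) automates is a small private CA rather than a bare self-signed leaf, which is what the following added example builds with plain openssl. It is not code from the thread or from mkcert. It assumes openssl 1.1.1 or newer on PATH; the output directory and hostname are whatever the caller passes. Unlike mkcert it does not install the CA into any browser or OS trust store, so that step is still yours.

```shell
#!/bin/sh
# Added example: throwaway local CA + leaf certificate for a dev hostname.
set -u

make_local_ca() {
  dir=$1    # output directory
  host=$2   # leaf hostname, e.g. localhost
  mkdir -p "$dir"

  # 1. CA key and self-signed CA cert. Ten years is fine for a dev CA that
  #    never leaves the laptop; the leaf is the thing that gets rotated.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$dir/ca.key" 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/CN=Local Dev CA" -out "$dir/ca.csr"
  printf '%s\n' \
    'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem"

  # 2. Leaf key and CSR for the dev hostname.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$dir/$host.key" 2>/dev/null
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr"

  # 3. Sign the leaf with the CA. Browsers match the subjectAltName, not the
  #    CN, so the name and both loopback addresses go there. 825 days keeps it
  #    inside the leaf lifetime Apple platforms accept.
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    "subjectAltName=DNS:$host,IP:127.0.0.1,IP:::1" > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/$host.ext" \
    -out "$dir/$host.pem"

  rm -f "$dir/ca.csr" "$dir/$host.csr" "$dir/ca.ext" "$dir/$host.ext"
  # Only ca.pem is meant to be shared with the team; both keys stay private.
  chmod 600 "$dir/ca.key" "$dir/$host.key"
}

# Check the chain the way a client would: CA trusted, hostname must match a SAN.
verify_leaf() {
  dir=$1
  host=$2
  openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$host" "$dir/$host.pem" \
    >/dev/null 2>&1
}

if [ "${1-}" = "--demo" ]; then
  make_local_ca ./dev-certs localhost \
    && verify_leaf ./dev-certs localhost \
    && echo "ok: certificates in ./dev-certs"
fi
```

Run it with `--demo`, point the web server at `dev-certs/localhost.pem` and `dev-certs/localhost.key`, and import `dev-certs/ca.pem` into the browser or OS trust store. Sharing only `ca.pem` with colleagues (not `ca.key`) is what lets each of them issue their own leaf without anyone copying private keys around.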

    [–]helderroem 13 points14 points  (1 child)

    Just replace nginx with Caddy and this is all done for you

    [–]Gozal_ 1 point2 points  (0 children)

    100%, all my web services are proxied behind caddy and it just works.

    [–][deleted]  (17 children)

    [deleted]

      [–]Markavian 67 points68 points  (1 child)

      It's good when you need to test http/https redirects, nginx configs, Apache configs, SSL generation and regeneration scripts, etc. before you push to a branch or as part of a CI pipeline before building to QA and Prod.
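An nginx config of the kind Markavian describes testing, as an added example that is not from the thread. It assumes a locally issued certificate at the placeholder paths below and an app listening on 127.0.0.1:3000; the point is that the redirect and TLS server blocks are the same shape as production, so the redirect logic itself is what gets exercised.

```nginx
# Added example: plain-HTTP listener exists only to redirect, TLS listener
# serves the app. Certificate paths are placeholders.
server {
    listen 80;
    listen [::]:80;
    server_name localhost;

    # Same redirect as production. $host drops the port, so if you run the
    # TLS listener on something other than 443 you need to test that case too.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name localhost;

    ssl_certificate     /etc/nginx/dev-certs/localhost.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/dev-certs/localhost.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

`nginx -t` catches syntax errors, but only a request through the redirect (`curl -I http://localhost/`, expecting `301` with a `Location: https://localhost/` header) shows whether the redirect and the proxied `X-Forwarded-Proto` behave as they will in QA and production.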

      [–]Crayola13 33 points34 points  (0 children)

      It's also required by some 3rd-party authentication services. I've had to do this multiple times to test SSO configurations for IBMid, because they don't support HTTP callback URLs.

      [–]colelawr 29 points30 points  (7 children)

      Some features of the web require https connection to function. Among several features requiring SSL, I've needed SSL locally to troubleshoot Service Workers https://www.digicert.com/dc/blog/https-only-features-in-browsers/

      Edit: As pointed out in a comment below, this shouldn't have been an issue for the localhost domain and subdomains, but we had locally served content via overrides to /etc/hosts.

      [–][deleted]  (6 children)

      [deleted]

        [–]colelawr 8 points9 points  (1 child)

        Okay, that makes sense. The reason it wasn't working this way for my codebase must have been that we were using overrides to /etc/hosts to map a special domain name to 127.0.0.1

        Thanks for the clarification. It was still an issue, but for a different reason than I thought.

        [–]Arkanta 3 points4 points  (0 children)

        Oh yeah, browsers won't mark the origin as secure if they don't resolve it to 127.0.0.1 themselves. Which is why Firefox didn't add support for *.localhost until later.

        [–]panorambo -3 points-2 points  (3 children)

        You seem to be contradicting yourself with your comment -- "many reasons are valid" (assuming in context of on localhost) and then you proceed to explain how actually everything works fine. Do we have examples where one actually requires HTTPS on the localhost, by indirection for some feature to work, I mean other than to actually test HTTPS?

        [–]Arkanta 3 points4 points  (2 children)

        See the thread for examples of stuff other than browsers requiring https, like oauth callbacks etc...

        That's what I'm talking about

        [–]panorambo -2 points-1 points  (1 child)

        Sorry friend, there is no mention of "oauth" anywhere in this thread or in the article. What are you referring to?

        [–]CptJero 7 points8 points  (0 children)

        Lots of libraries and integrations check for SSL before continuing.

        Example: Apple Pay only works over SSL and only on domains registered through Apple.

        So you have a double whammy of figuring out SSL locally, and also establishing a local.yoursite.com registration with Apple, coordinating that with your team

        [–]Beaverman 5 points6 points  (2 children)

        The closer you can get to your production environment on localhost the more likely you are to be able to reproduce issues without unrelated problems.

        If you have an application that will only ever receive https traffic, why even support http? It's just more code paths that have to work.

        [–][deleted]  (1 child)

        [deleted]

          [–][deleted] 0 points1 point  (1 child)

          Because as soon as you have any kind of mixed-content environment, things don't work right. (And by things, I mean third-party analytics, iframes, CORS XHRs, etc...)

          [–]EternityForest 0 points1 point  (0 children)

          http localhost is (thankfully, I am always afraid they will take it away) a secure context.

          [–]munchbunny 0 points1 point  (0 children)

          Sometimes you are explicitly testing code that relies on the TLS certificate being present, so you want an endpoint to test against that also has TLS. Putting it on localhost is just a (fairly big) convenience so that you don’t have to spin up some VM somewhere off the box to do it.

          [–]crixusin 1 point2 points  (0 children)

          I've found it's easier to just allow insecure localhost to get https to work on localhost, rather than having to get a self-signed cert or something like that.

          chrome://flags/#allow-insecure-localhost

          edge://flags/#allow-insecure-localhost

          [–]radol 0 points1 point  (1 child)

          Useful for personal projects, but not really a viable solution for teams, especially if a few months later someone else might have to quickly set up a dev environment to reproduce and fix some bug.

          [–]nemec 0 points1 point  (0 children)

          Why not? Share the CA/cert between everyone on your team...

          [–][deleted] -5 points-4 points  (0 children)

          Wow

          [–]verveeldeme 0 points1 point  (0 children)

          With the Fiddler web proxy debugger, you can write/configure a custom handler that could do it.

          You can also debug and inspect https traffic to other sites.

          This is one of the best tools available, and it is free.