undefined | Better HN

0 pointsslrz9y ago0 comments

Where do you see the issue? Creating a certificate that no one else has to trust seems pretty easy already.

0 comments

I guess a part of this is inconsistency between development environments as well, but generally speaking, while not completely impossible, the dev user experience is just that bit more fiddly.

For a prod server, the process can be as simple as (Ubuntu/Apache being a common setup):

apt-get install letsencrypt && certbot --apache

Or more generally:

$PKGMGR install certbot && certbot certonly

For dev, you need to either select and install an SSL library, generate snakeoil certs and install them into each vhost you use, and thereafter go through every varying and occasionally unsurpassable browser warnings about unverified certs, OR - much, much more complex - install and maintain a boulder setup.

Given the above, most devs will continue to take the chrome://flags easy way out, which doesn't really allow proper testing of a HTTPS setup locally.

slrzOP9y ago

You could use a tool like easypki that allow you to manage a testing CA, whose root cert you can import into your browser. Maybe use a different browser profile so a compromise of the CA keys would not allow anyone to compromise your banking sessions, too.

https://github.com/google/easypki

But sure, if you're using Let's Encyrpt in production, this won't approximate your production setup in testing.

j / k navigate · click thread line to collapse