DEV Community

Ivan Starkov

Fast and easy way to setup web developer certificates

These days cookie-based auth and similar features depend on HTTPS, so we need an HTTPS-capable local web environment.

Before, I used minica to generate local certificates.

The main issue is that you need a big README for macOS, Linux and Windows users explaining how to regenerate keys,
how to add the minica root certificate to the keychain, and how to edit the hosts file.

Since we use VS Code Remote for development, it was twice the work: all those keys had to be registered on both the local and the remote machine.

The solution below needs no setup at all from developers.

Solution in short

Register A records for your development hostnames with your DNS provider, pointing at loopback, for example:

A blabla.devdomain.com 127.0.0.1

Then generate the needed certificates with Let's Encrypt's certbot, using the DNS plugin for your provider. This works even though the names resolve to 127.0.0.1 because the DNS-01 challenge validates ownership through a TXT record, not by connecting to the host (an HTTP-01 challenge against a loopback address would fail).

The certificates are already trusted by every browser and OS. The only issue is the 90-day lifetime, which is easily handled by a cron job that re-runs the same certbot command (or runs certbot renew against the same /etc/letsencrypt volume). Keep in mind that the resulting privkey.pem is the same shared secret for every developer who receives it, so keep it out of the repository, and that the hostnames become public through Certificate Transparency logs.

Full solution

In our case we use Cloudflare as DNS.
Generating certificates for a few domains on Cloudflare looks like this:

Create a Cloudflare API token, scoped to Zone / DNS / Edit for the zones involved and nothing more: https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys#12345680

TF_VAR_CLOUDFLARE_API_KEY={YOURAPITOKEN}

mkdir -p /tmp/certbot/
mkdir -p /tmp/letsencrypt/

# credentials file for the certbot dns-cloudflare plugin; the key must start at
# column 0, and the file should be 0600 or certbot warns about unsafe permissions
cat > /tmp/certbot/cloudflare.ini <<-DOCKERFILE
dns_cloudflare_api_token = ${TF_VAR_CLOUDFLARE_API_KEY}
DOCKERFILE
chmod 600 /tmp/certbot/cloudflare.ini

docker run -it --rm --name certbot  \
-v "/tmp/letsencrypt/data:/etc/letsencrypt" \
-v "/tmp/certbot:/local/certbot" \
certbot/dns-cloudflare:v1.15.0 certonly \
-m istarkov@gmail.com \
--dns-cloudflare \
--dns-cloudflare-credentials /local/certbot/cloudflare.ini \
--agree-tos \
--noninteractive \
-d subdomain.mydomain.com \
-d other.mydomain.com \
-d blabla.hello.com

# subdomain.mydomain.com, other.mydomain.com, blabla.hello.com must have A records on cloudflare pointing to 127.0.0.1

# live/ holds symlinks into archive/, so dereference them (-L) to get real files
cp -L /tmp/letsencrypt/data/live/subdomain.mydomain.com/* ./
# haproxy wants the chain and the private key in one file
cat ./fullchain.pem ./privkey.pem > ./haproxy.pem
chmod 600 ./privkey.pem ./haproxy.pem

That's all. For Node.js apps, pass the two files as the https server options:

const fs = require('fs');
// options object for https.createServer(); the chain goes in cert, not just the leaf
key: fs.readFileSync('./privkey.pem'),
cert: fs.readFileSync('./fullchain.pem'),

For HAProxy use haproxy.pem (chain plus key in one file), as in the simple config below:

# haproxy -f ./playground/haproxy-http-2.cfg -db

frontend rgw-https
  # frontend and backend modes must match, so set http here too
  mode http
  bind *:3009 ssl crt /root/realadvisor/https-dev-keys/haproxy.pem alpn h2,http/1.1
  default_backend rgw


backend rgw
  balance roundrobin
  mode http
  server  rgw1 127.0.0.1:3000 check

This is the fast and simple way I now prefer for development certificates; it needs no additional documentation for developers.
