How to create certificate that will be fully trusted by browsers (green lock) for local development (but on domain other than localhost)


#1

My domain is: kvb.192.168.1.102.xip.io

My web server is (include version): nginx/1.13.6

The operating system my web server runs on is (include version): My machine is Windows 10 running Laravel Homestead (Vagrant), which uses Ubuntu 16.04.4 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


How do I get a “green lock” SSL certificate in a local environment?

https://letsencrypt.org/docs/certificates-for-localhost/ says:

How do you get the green lock locally? The best option: Generate your own certificate, either self-signed or signed by a local root, and trust it in your operating system’s trust store. Then use that certificate in your local web server. See below for details. If you want a little more realism in your development certificates, you can use minica to generate your own local root certificate, and issue end-entity (aka leaf) certificates signed by it. You would then import the root certificate rather than a self-signed end-entity certificate.

So I installed Minica, used it to create a certificate, set up my local Homestead server to use that certificate, and trusted the certificate in Windows:

Unfortunately, I still get this error:

This page is not secure (broken HTTPS).

Certificate - missing

This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).

Here are the details. I ran:

homestead.bat ssh
sudo apt-get install golang-go
mkdir ~/go_work   # probably not even necessary, because it will get created automatically later when GOPATH is set to it
sudo vim ~/.profile
# add this line:
export GOPATH=$HOME/go_work
source ~/.profile
go get github.com/jsha/minica
mkdir ~/go_work/minica_work
cd ~/go_work/minica_work
~/go_work/bin/minica -domains kvb.192.168.1.102.xip.io
cp -r ~/go_work/minica_work/ ~/Code/katievb-laravel

Then open Windows Command Prompt as admin.

cd c:\code\katievb-laravel
certutil -addstore -enterprise -f "Root" minica_work/kvb.192.168.1.102.xip.io/cert.pem
  • Windows search > Manage computer certificates
  • Trusted Root Certification Authorities > Certificates > kvb.192.168.1.102.xip.io > Open > Details > Copy to File > Next > .DER > C:\code\katievb-laravel\kvb.192.168.1.102.xip.io.der.cer
homestead.bat ssh
sudo mkdir /etc/nginx/ssl/minica
sudo cp go_work/minica_work/kvb.192.168.1.102.xip.io/cert.pem /etc/nginx/ssl/minica/kvb.192.168.1.102.xip.io.crt
sudo cp go_work/minica_work/kvb.192.168.1.102.xip.io/key.pem /etc/nginx/ssl/minica/kvb.192.168.1.102.xip.io.key
sudo vim /etc/nginx/sites-enabled/kvb.192.168.1.102.xip.io

Replace these 2 lines:

ssl_certificate     /etc/nginx/ssl/kvb.192.168.1.102.xip.io.crt;
ssl_certificate_key /etc/nginx/ssl/kvb.192.168.1.102.xip.io.key;

With:

ssl_certificate     /etc/nginx/ssl/minica/kvb.192.168.1.102.xip.io.crt;
ssl_certificate_key /etc/nginx/ssl/minica/kvb.192.168.1.102.xip.io.key;

Then

sudo service php7.2-fpm restart
sudo service nginx stop
sudo service nginx start

Then restart Chrome.

Is it possible to use Let’s Encrypt in the way that I’m hoping? I use the free xip.io service so that my local site URL is kvb.192.168.1.102.xip.io (which I can then test via my desktop and mobile on my LAN), and I want it to be fully trusted by my browsers (with a green lock).

What are my options? Thanks.

My question is also written here (with a bounty): https://stackoverflow.com/q/48969083/470749
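To make the distinction the quoted Let’s Encrypt page draws between the root and the end-entity certificate concrete, here is an added example in Go (my own code for this edit, not minica’s and not from the original post). It builds a local root, issues a leaf for kvb.192.168.1.102.xip.io, and then verifies the leaf the way a browser does on connect: the check passes only when the root is among the trust anchors and the requested host appears in the leaf’s SAN list; with no usable anchor Go reports UnknownAuthorityError, the same condition Chrome shows as ERR_CERT_AUTHORITY_INVALID. The names newRoot, newLeaf, verify and pemCert and the two-year/one-year lifetimes are choices made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const devHost = "kvb.192.168.1.102.xip.io" // hostname from the original post

// newRoot builds a self-signed CA certificate, the counterpart of minica's
// minica.pem / minica-key.pem pair. This, not the leaf, is what belongs in
// the browser's trusted-root store. (Example code; names are my own.)
func newRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "local dev root (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(2, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf issues the end-entity certificate nginx serves (the counterpart of
// <host>/cert.pem and key.pem). Browsers match the host against the SAN list, not the CN.
func newLeaf(host string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verify does what the browser does on connect: chain the served leaf to one
// of the given trust anchors and check the hostname. With no usable anchor the
// error is x509.UnknownAuthorityError (Chrome: ERR_CERT_AUTHORITY_INVALID).
func verify(leaf *x509.Certificate, host string, anchors ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// pemCert renders a certificate as the PEM text nginx and certutil consume.
func pemCert(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

func main() {
	root, rootKey, err := newRoot()
	if err != nil {
		panic(err)
	}
	leaf, _, err := newLeaf(devHost, root, rootKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("root trusted, right host:", verify(leaf, devHost, root))
	fmt.Println("nothing trusted:", verify(leaf, devHost))
	fmt.Println("root trusted, wrong host:", verify(leaf, "other.192.168.1.102.xip.io", root))
	fmt.Print(pemCert(root)) // this is the file to import as a trusted root
}
```

The first verify call is the "green lock" case; the second is what a browser sees when the root was never imported; the third is what it sees when the name in the URL is not in the SAN list even though the root is trusted.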


#2

Hi @GoTesla,

The short answer is no, you can’t do that with xip.io.

The long answer is that you can’t, for two reasons:

1. If you use the http-01 challenge, Let’s Encrypt will try to validate your domain by resolving it; in this case it will always resolve to a private address, so Let’s Encrypt won’t be able to connect to it.

2. Alternatively, you could use the dns-01 challenge, but that is also not possible with xip.io because you can’t add or modify any DNS record.

In your case, use a real domain (there are even free domains that you can get here: http://www.freenom.com ), use for example Cloudflare to manage the DNS for your domain (it is also free), create an A record for one of your subdomains (or your domain) pointing to your private address, and use any of the available clients like acme.sh or certbot to issue a cert for your domain using the dns-01 challenge.

Note: I said to use Cloudflare because it is free, you can use only their DNS (there is no need to use its CDN features), and both certbot and acme.sh support issuing a cert via the dns-01 challenge using its API.

Good luck,
sahsanu
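To show what the two challenge types in the reply above actually require of you, here is an added example in Go (my own code for this edit, not from this thread, certbot or acme.sh). For a challenge token and an ACME account key it computes the key authorization (RFC 8555 §8.1), the http-01 response the validator would fetch, and the dns-01 TXT record value (RFC 8555 §8.4, using the RFC 7638 JWK thumbprint). It also reads the address an xip.io name encodes and marks http-01 as not viable when that address is one Let’s Encrypt cannot reach, which is reason 1 in the reply; the TXT record is what reason 2 says xip.io will not let you create. The token in main, the list of unroutable ranges and the names challengePlan, xipIP and unroutable are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net"
	"regexp"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as ACME/JOSE require

// Plan is what a client must publish for each challenge type.
type Plan struct {
	HTTP01Viable bool   // false when the name pins an address the CA cannot reach
	HTTP01URL    string // where the validator fetches the key authorization
	HTTP01Body   string // response body: token "." thumbprint (RFC 8555 §8.1)
	DNS01Name    string // TXT record owner name
	DNS01Value   string // base64url(SHA-256(key authorization)) (RFC 8555 §8.4)
}

// newAccountKey makes the ACME account key the thumbprint is derived from.
func newAccountKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// jwkThumbprint is the RFC 7638 thumbprint: SHA-256 over the JWK's required
// members in lexicographic order (e, kty, n), serialised with no whitespace.
func jwkThumbprint(pub *rsa.PublicKey) string {
	jwk := struct {
		E   string `json:"e"`
		Kty string `json:"kty"`
		N   string `json:"n"`
	}{
		E:   b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
		Kty: "RSA",
		N:   b64.EncodeToString(pub.N.Bytes()),
	}
	raw, _ := json.Marshal(jwk) // struct fields are emitted in declaration order
	sum := sha256.Sum256(raw)
	return b64.EncodeToString(sum[:])
}

// keyAuthorization binds the CA's challenge token to the account key.
func keyAuthorization(token string, pub *rsa.PublicKey) string {
	return token + "." + jwkThumbprint(pub)
}

// xipIP extracts the dotted quad an xip.io name encodes
// (kvb.192.168.1.102.xip.io -> 192.168.1.102); nil for other names.
var xipPattern = regexp.MustCompile(`(?:^|\.)(\d{1,3}(?:\.\d{1,3}){3})\.xip\.io$`)

func xipIP(host string) net.IP {
	m := xipPattern.FindStringSubmatch(host)
	if m == nil {
		return nil
	}
	return net.ParseIP(m[1])
}

// unroutable reports whether the public Internet does not carry ip
// (RFC 1918 private ranges, loopback, link-local; list chosen for the example).
func unroutable(ip net.IP) bool {
	for _, cidr := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"} {
		_, n, _ := net.ParseCIDR(cidr)
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// challengePlan works out both challenges. http-01 is marked not viable when
// the name itself pins an unroutable address; dns-01 always needs the TXT
// record, which only works where you control the zone.
func challengePlan(host, token string, pub *rsa.PublicKey) Plan {
	ka := keyAuthorization(token, pub)
	sum := sha256.Sum256([]byte(ka))
	ip := xipIP(host)
	return Plan{
		HTTP01Viable: ip == nil || !unroutable(ip),
		HTTP01URL:    "http://" + host + "/.well-known/acme-challenge/" + token,
		HTTP01Body:   ka,
		DNS01Name:    "_acme-challenge." + host,
		DNS01Value:   b64.EncodeToString(sum[:]),
	}
}

func main() {
	key, err := newAccountKey()
	if err != nil {
		panic(err)
	}
	// Token made up for the example; a real one is issued by the CA per challenge.
	p := challengePlan("kvb.192.168.1.102.xip.io", "tok-made-up-for-the-example", &key.PublicKey)
	fmt.Printf("%+v\n", p)
}
```

For the poster's name the plan comes back with HTTP01Viable false and a DNS01Name of _acme-challenge.kvb.192.168.1.102.xip.io, which is exactly the record xip.io gives you no way to publish; for a name under a zone you control, the DNS01Value is the string to put in that TXT record.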


#3

@sahsanu I appreciate your suggestions. Somehow, I was able to get it to work as I was originally hoping.

I finally got the green lock and “Secure https” in the address bar even for my local site (even using the xip.io service). I updated StackOverflow: https://stackoverflow.com/q/48969083/470749


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.