I’d like to discuss the viability of a free service I’m contemplating.
The goal is to offer developers a way to use valid https for their projects locally, automatically.
Before you now yell ‘self-signed certs’ at me, please hear me out.
The problem with self-signed certificates is that they require manual work, are (somewhat) host dependent and cause e.g. the testing/CI environment to differ from production.
All of the previous attempts to solve that problem relied on the private keys being made public and therefore compromised (http://readme.localtest.me/#ssl, https://www.npmjs.com/package/localhost.daplie.me-certificates) - which (correctly) caused them to be revoked by the CAs.
How about the following (so I can finally put the domain ‘ssl.fun’ to good use):
- ssl.fun allows the user to programmatically register a subdomain (e.g. example.com.ssl.fun)
- It integrates with common ACME clients and responds to the DNS-01 ownership challenge
- By default all A records point to 127.0.0.1
As a result the users (target audience: developers) are able to test things locally with a valid https certificate.
The users themselves do the certificate request directly and only they have access to the private key, hence the certificate is not compromised, which was the main issue with spiritual predecessors in the past.
I read the guidelines of common CAs (including LE) closely and there is nothing preventing a DNS record from pointing to 127.0.0.1.
There are some implementation details here I skipped (e.g. after a subdomain is initially registered ownership is proven with signed requests, to prevent others from issuing certs for the same subdomain).
And of course the developer is still not allowed to distribute their certs/private key in client apps (e.g. Spotify, Blizzard, Dropbox) as this again would compromise the certificate.
What do you think of this approach, any issues I overlooked?
I just cannot accept that we’re stuck with cumbersome self-signed certs for the next 20 years of local development, there’s too much collective developer time wasted here.
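
The flow described in the list above, together with the signed-request ownership check mentioned afterwards, as an added example that is not part of the original post or any existing service. The HMAC scheme, the freshness window and all class and function names are assumptions; only the DNS-01 TXT value computation follows RFC 8555.

```python
import base64, hashlib, hmac, secrets, time

ZONE = "ssl.fun"   # zone named in the post
MAX_SKEW = 300     # assumed freshness window in seconds, limits replay of old requests

def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 section 8.4: unpadded base64url(SHA-256(token '.' thumbprint))."""
    digest = hashlib.sha256(f"{token}.{jwk_thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def sign(secret: bytes, label: str, txt: str, ts: int) -> str:
    """Client side (hypothetical scheme): HMAC over every field the server acts on."""
    return hmac.new(secret, f"{label}\n{txt}\n{ts}".encode(), hashlib.sha256).hexdigest()

class Registry:
    def __init__(self):
        self.keys = {}  # label -> secret fixed at first registration
        self.txt = {}   # label -> current _acme-challenge TXT value

    def register(self, label: str) -> bytes:
        label = label.lower().rstrip(".")
        if label in self.keys:  # first registrant keeps the name
            raise PermissionError("subdomain already registered")
        self.keys[label] = secrets.token_bytes(32)
        return self.keys[label]

    def set_challenge(self, label, txt, ts, sig, now=None) -> bool:
        now = time.time() if now is None else now
        secret = self.keys.get(label)
        if secret is None or abs(now - ts) > MAX_SKEW:
            return False  # unknown subdomain or stale request
        if not hmac.compare_digest(sign(secret, label, txt, ts), sig):
            return False  # wrong key or tampered fields
        self.txt[label] = txt
        return True

    def resolve(self, qname: str, qtype: str):
        name = qname.lower().rstrip(".")
        if not name.endswith("." + ZONE):
            return None
        label = name[: -len(ZONE) - 1]
        if qtype == "A" and label in self.keys:
            return "127.0.0.1"  # default A record from the post
        prefix = "_acme-challenge."
        if qtype == "TXT" and label.startswith(prefix):
            return self.txt.get(label[len(prefix):])
        return None
```

Because the certificate's private key never leaves the client, the only secret the service holds is the per-subdomain update key, so a leak of that key allows issuance for the name but does not expose certificates already issued.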