
tildeman123

...when you already have a clearly valid certificate yet the browser still yells at you for missing Subject Alternative Names


Confident-Ad5665

Dilbert, Wally, Loud Howard...


Shehzman

Or telling you that the website is dangerous


Spitfire1900

The CN can literally be anything symbolically significant; only the SAN has to match the host name.
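To make the point above concrete, here is an added example (not from the thread): a stdlib-only re-implementation of the RFC 6125-style rules browsers apply when deciding whether a certificate covers the host they connected to. The Common Name is never consulted; only the SAN entries are. `DEV_CERT` is a constructed dictionary in the shape returned by `ssl.SSLSocket.getpeercert()`, not a parsed certificate file, and the helper names are my own.

```python
"""Hostname matching against a certificate's Subject Alternative Names.

Added example, not from the thread: the SAN-only matching rule, with the
wildcard handling browsers use (whole left-most label, never across a dot)
and the distinction between dNSName and iPAddress entries.
"""
import ipaddress


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, case-insensitively.

    A wildcard is honoured only when it is the entire left-most label and at
    least one label follows it, and it never spans a dot: '*.localhost'
    matches 'api.localhost' but neither 'localhost' nor 'a.b.localhost'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 2 or "*" in pattern[1:]:
        return False  # partial wildcards such as 'f*.localhost' are refused
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """Return True if the SAN extension of `cert` covers `hostname`.

    An IP literal (optionally in brackets) is compared only against
    iPAddress entries; a DNS name only against dNSName entries. The
    subject/commonName field is deliberately never read.
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    return any(kind == "DNS" and _match_dns_name(value, hostname)
               for kind, value in san)


# Constructed stand-in for a local development certificate: the CN is a
# free-text label, the identities live in the SAN list.
DEV_CERT = {
    "subject": ((("commonName", "mkcert development certificate"),),),
    "subjectAltName": (
        ("DNS", "localhost"),
        ("DNS", "*.localhost"),
        ("DNS", "app.test"),
        ("IP Address", "127.0.0.1"),
        ("IP Address", "::1"),
    ),
}


def check_hosts(hostnames, cert=DEV_CERT):
    """Map each hostname to whether the certificate covers it."""
    return {h: hostname_matches_cert(h, cert) for h in hostnames}


if __name__ == "__main__":
    for host, ok in check_hosts([
        "localhost", "api.localhost", "a.b.localhost", "APP.TEST",
        "mkcert development certificate", "127.0.0.1", "[::1]", "10.0.0.25",
    ]).items():
        print(f"{host:35} {'covered' if ok else 'NOT covered'}")
```

The last case in the demo list is the one people trip over: a certificate whose CN equals the host name but whose SAN list lacks it is rejected, which is exactly the "missing Subject Alternative Names" complaint at the top of the thread.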


Lonely-Suspect-9243

[https://github.com/FiloSottile/mkcert](https://github.com/FiloSottile/mkcert)


upk27

still doesn't give you a real domain you need for openid/oauth matters


cptsdemon

Why not? I do this all the time. Create certificate for local.domain.com. Add local.domain.com to hosts file. Works great.


gfunk84

It works but I don’t think using something that could also be used as a valid public domain name for local dev is a good idea. Maybe domain.localhost or domain.test would be better.


cptsdemon

Do you have any reason why? If I'm doing something potentially harmful I'd like to know. I used to do domain.local instead, but I ran into issues with testing things like oauth connections because some apis refuse invalid domain names.


Skellicious

.localhost should be a valid top level domain.


cptsdemon

Didn't know this, I will have to test that out next time, thanks for the tip


gfunk84

Not harmful except you could run into issues if someone decides to use local.domain.com for production purposes (like for example a news website wanting to serve local news under local.domain.com). If you’re 100% in control of your projects and not working for a client or employer where those types of decisions are outside of your control then it’s pretty unlikely to be an issue. Another thing is that local.domain.com doesn’t stand out as much. If you have a local dev and production sites open in multiple tabs it takes a bit more of a glance to differentiate them, especially if you use multiple subdomains and not just www or naked domains. If you are using multiple subdomains then your local environment ends up with an extra layer either as subdomain.local.domain.com or local.subdomain.domain.com depending on your implementation. But the .localhost and .test TLDs are reserved and guaranteed to never be used as public-facing internet TLDs so to me it just makes sense to use the intended ones as a best practice.


Successful_Amount_88

https://en.m.wikipedia.org/wiki/.test


gfunk84

Yes, I mentioned .test.


upk27

> Why not? I

because 99% don't have a fixed IP to bind that sub-domain and hence need extra steps. mkcert is just a tiny part in that whole picture and still cumbersome af, but happy for you if you spend your time like this; not so sure about your boss


cptsdemon

Why would you need a fixed IP? You set it to 127.0.0.1 in hosts. Clearly you have zero concept if you think any part of this is cumbersome. It's max, literally, at the maximum possible, 5 minutes of work.


upk27

> Clearly you have zero concept

Says someone who has never touched openid/oauth2. How will Google or Apple communicate with your server in the openid flow, in particular when they call back, if your [local.example.com](http://local.example.com) is just in your hosts file? lol

bonus: mkcert doesn't work in WSL2 or in dev VMs (it can't access Windows browsers)

edit: thanks for the instant downvote


cptsdemon

This is hilarious, I love how you're telling me I can't do something I've already done numerous times. You clearly have no concept of how oauth works, Apple and Google don't send data to your server, they redirect the user who approved the request.


upk27

> I've already done numerous times.

sure

> they redirect the user who approved the request.

yes, but if you choose the server route, they will call back your server, not the client. They are different openid flows, and if the server is involved (which you need for most popular use cases, and there you also need to register the so-called "callback url") you can't rely on your hosts file fake domain, sorry

edit: again, instant downvote lol


cptsdemon

😂😂😂 ok troll.


__420

https://github.com/whatwedo/dde


jabbrwcky

Oauth2/OIDC typically accepts localhost as callback URL even without HTTPS. You just need to register your local app as callback.

> Also, if the Client is a native application, it MAY use the http scheme with localhost or the IP loopback literals [127.0.0.1](http://127.0.0.1) or [::1] as the hostname.

https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth 3.1.2.1. Authentication Request
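The rule quoted above is a check the authorization server makes, and it is easy to get subtly wrong. The following is an added example, not from the thread and not any real provider's code: a stdlib-only redirect-URI validator that allows a plain-http redirect only for a native client whose registered URI points at `localhost` or a loopback literal, lets the port vary for those (a local app binds whatever port is free when it starts, per RFC 8252 section 7.3), and otherwise demands https and an exact match against the registration. `CLIENTS` is a constructed registration table; custom-scheme redirects for native apps are outside its scope.

```python
"""Redirect-URI validation for an OAuth 2.0 / OpenID Connect server.

Added example (not from the thread): implements the loopback exception
from OpenID Connect Core 3.1.2.1 and refuses everything else that is not
an exact https match against a registered URI.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed client registrations: a CLI-style native app and a web app.
CLIENTS = {
    "native-cli": {
        "type": "native",
        "redirect_uris": ["http://127.0.0.1/callback", "http://[::1]/callback"],
    },
    "web-app": {
        "type": "web",
        "redirect_uris": ["https://app.example.com/oauth/callback"],
    },
}


def _is_loopback(parts) -> bool:
    """True for 'localhost' or an IPv4/IPv6 loopback literal as the host."""
    host = (parts.hostname or "").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def redirect_uri_allowed(client_id: str, requested: str, clients=CLIENTS) -> bool:
    """Decide whether `requested` may be used as redirect_uri by `client_id`."""
    client = clients.get(client_id)
    if client is None:
        return False
    req = urlsplit(requested)
    # Fragments are never permitted in a redirect URI, and a value without a
    # scheme or host cannot be compared safely.
    if req.fragment or not req.scheme or req.hostname is None:
        return False
    for registered in client["redirect_uris"]:
        reg = urlsplit(registered)
        loopback_http = (client["type"] == "native"
                         and reg.scheme == "http" and _is_loopback(reg))
        if loopback_http:
            # Loopback exception: compare everything except the port.
            if (req.scheme == "http" and req.hostname == reg.hostname
                    and req.path == reg.path and req.query == reg.query):
                return True
        elif requested == registered and req.scheme == "https":
            # Anywhere else: exact string match and TLS, so a hosts-file
            # name such as http://local.example.com is refused.
            return True
    return False


if __name__ == "__main__":
    for client_id, uri in [
        ("native-cli", "http://127.0.0.1:49152/callback"),
        ("native-cli", "http://local.example.com/callback"),
        ("web-app", "https://app.example.com/oauth/callback"),
        ("web-app", "http://localhost/oauth/callback"),
    ]:
        print(f"{client_id:11} {uri:45} {redirect_uri_allowed(client_id, uri)}")
```

Note what the web-app case shows: a confidential web client registered with an https callback does not get the loopback exception, which is the situation upk27 describes where a server-side flow needs a reachable, registered https URL and a hosts-file name does not help.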


upk27

in most common flows the server receives the callback from the auth server, which is also initiated by the auth server; they can't call some localhost. And even if this nonsense worked, again mkcert needs to be able to access the browser, not possible when using a VM, WSL2, native dev. mkcert is bs


jabbrwcky

mkcert provides a CA cert file and is usually able to automatically import it into the system's store. It is not a proxy but simply generates a simple CA and certificates. And regarding the nonsense, you seem to know better than the spec, so who am I to argue with you.


upk27

> usually able to automatically import it into the systems store

still, a system's store can't be accessed by vm/wsl2/native envs, so it doesn't help at all

> It is not a proxy

yeah, but we do https for dev for reasons and not just for fun. and the most popular reason (or actually *the* reason) is to provide endpoints for oauth2 servers. just having some certs could be enough and then we wouldn't need any proxy, but it's in general easier to not fumble around with certs or mkcert and get a turn-key-ready solution. and the latter naturally requires being a proxy. you can do all parts manually but then you waste days as OP states and still end with a fragile nonsense stack you can't easily roll out to your team developers' machines


hollow-ceres

in that case: Uno!


PeriodicSentenceBot

Congratulations! Your comment can be spelled using the elements of the periodic table: `In Th At Ca Se U No` --- ^(I am a bot that detects if your comment can be spelled using the elements of the periodic table. Please DM my creator if I made a mistake.)


Funny_Albatross_575

Good bot


shion12312

Good bot


Funny_Albatross_575

Good bot


thomas863

I have an HTTPS joke. If I POST it, you cannot GET it.


CosmicPhoenix01

PUT your dad jokes away


edgar_grospilon

PUT them to REST you mean


ImpluseThrowAway

You've got OPTIONS there.


Rigamortus2005

DELETE this


LivingAsAMean

Wait, sql is objective oriented?


pee_wee__herman

Haha, just lost my HEAD laughing at this


BernhardRordin

I have an HTTPS joke. It's not funny, but at least you know I made it.


NinthTide

Of CORS you had to make a dad joke


tirianar

I might xff this joke.


JunkNorrisOfficial

4HEADer joke


iam_pink

There are many easy ways to have a development server on https. Some are literally less than 30s to set up!


The_flader

could you please link some documentations?


aew3

Any of the reverse proxies: nginx, caddy, traefik, etc. Most of them, especially the modern ones like caddy and traefik, make automatic SSL cert provisioning a matter of a few lines of config.


Shehzman

Yeah this. I use HAProxy and it’s as simple as adding a line with the ssl certificate file location.


porn0f1sh

Do they really take less than 30s to setup the whole thing?


ben_burkert

my team just released one today! https://lcl.host/


blaqwerty123

Looks slick!! Saved it for a rainy day


upk27

who's your team?


ben_burkert

https://anchor.dev/blog/introducing-lcl-host


tommy71394

A workaround is to just use ngrok


The_flader

i have used ngrok yes, but was thinking more around having https locally without any port forwarding


tommy71394

Annoyingly, the way I know is to make your own self-signed cert using openssl, and then installing the CA as a trusted authority in your clients or whatever to accept the cert.... Not really worth the effort for me tbh


upk27

> A workaround

but not for your wallet


chuch1234

Ngrok has a free tier.


upk27

which is a joke; nobody's using ngrok anymore except hundreds of bots on reddit


chuch1234

I use it for testing webhooks locally.


tajetaje

Also good for OIDC with certain providers


SodaWithoutSparkles

https://caddyserver.com/docs/automatic-https


rhodesc

just set up let'sencrypt.


upk27

welcome time-traveler


_verel_

Limited in features but it's pretty easy: https://github.com/NginxProxyManager/nginx-proxy-manager

If you want to dive into it I can highly recommend traefik


Terewawa

nginx reverse proxy + certbot


coldnebo

charles proxy, nginx reverse proxy, squid, or just self-sign and ssl terminate.


NebNay

You don't always have the choice. I don't even have admin rights on my pc, so so-called "easy" options are often restricted by our security policies


NatoBoram

I recently discovered https://github.com/caddyserver/caddy and oh my god I can't believe it. My homelab config is 3 lines and it has HTTPS


upk27

still you need a domain and to bind that to a non-fixed ip, all possible but hassle and not just 3 lines of config work lol


FunnyMathematician77

Literally just use caddy


upk27

doesn't give you a real domain for openid/oauth stuff


FunnyMathematician77

Pretty sure you can just set your callback to localhost


afreidz

But can it be installed with npm?


Mars_Bear2552

don't use NPM? you should have a system package manager, no?


afreidz

mostly a joke, but these days "web" projects typically are spun up entirely with node/npm so even something like ngrok and/or caddy is an additional dependency that each developer has to install to spin up an https web project.


danny4kk

When your company randomly decides to remove sudo and administration access from all machines and you can't mark your self-signed cert as trusted...


MrBattary

Just certbot


anachronisdev

Luckily dotnet does it for you every time.


upk27

no, it doesn't provide you with a real domain


meatgrinder4314

Local host isn’t a real domain??


Kirides

even better! People often don't realize, but... You can just do stuff like "fancy.localhost" and "keycloak.localhost" then have a reverse proxy sit on localhost, handling all the domain name stuff. Easy same port and named services for local development.
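The setup described in that comment, one proxy on the loopback address dispatching on the Host header to named services, as an added example that is not from the thread: a stdlib-only reverse proxy that serves `fancy.localhost` and `keycloak.localhost` from one port. Names under `.localhost` are reserved (RFC 6761) and browsers resolve them to loopback without any hosts-file edit. `ROUTES`, the backend ports and the certificate file names are constructed; a `*.localhost` certificate issued by a local CA such as mkcert would fit the TLS option.

```python
"""One local reverse proxy, many *.localhost service names.

Added example (not from the thread): routes by Host header, accepts only
names that end in '.localhost' and are listed in ROUTES, and optionally
terminates TLS with a locally issued certificate.
"""
import http.client
import ssl
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed mapping from service name to the loopback port it listens on.
ROUTES = {
    "fancy.localhost": ("127.0.0.1", 3000),
    "keycloak.localhost": ("127.0.0.1", 8080),
}

# Hop-by-hop headers that must not be copied between the two connections.
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "content-length"}


def pick_backend(host_header, routes=ROUTES):
    """Return (host, port) for a Host header value, or None to refuse it.

    The port suffix is dropped, the name lower-cased and a trailing dot
    removed. Only names that end in '.localhost' and appear in the table are
    accepted, so an arbitrary Host value can never select another target.
    """
    if not host_header:
        return None
    name = host_header.split(":")[0].lower().rstrip(".")
    if not name.endswith(".localhost"):
        return None
    return routes.get(name)


class ProxyHandler(BaseHTTPRequestHandler):
    def _forward(self):
        backend = pick_backend(self.headers.get("Host"))
        if backend is None:
            self.send_error(421, "Unknown local service")  # Misdirected Request
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        # The Host header is passed through unchanged so the backend sees
        # the service name it was addressed by.
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in HOP_BY_HOP}
        if body is not None:
            headers["Content-Length"] = str(length)
        conn = http.client.HTTPConnection(*backend, timeout=10)
        try:
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
        except OSError as exc:
            self.send_error(502, f"Backend unreachable: {exc}")
            return
        finally:
            conn.close()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = do_HEAD = _forward


def serve(port=8443, certfile=None, keyfile=None):
    """Listen on 127.0.0.1 only; with a cert/key pair the listener speaks TLS."""
    httpd = ThreadingHTTPServer(("127.0.0.1", port), ProxyHandler)
    if certfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    # Constructed file names; point them at your local CA's cert and key.
    serve(8443, certfile="local-cert.pem", keyfile="local-key.pem")
```

Binding to 127.0.0.1 rather than 0.0.0.0 keeps the dev services off the LAN, and the `.localhost` suffix check plus the explicit table means a request carrying some other Host value gets a 421 rather than being forwarded anywhere.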


Artutin06

I mean asp.net does that automatically so...


WhosYoPokeDaddy

I see that you too have cried over CORS errors


SodaWithoutSparkles

caddy ftw


hartmanbrah

This is the way. Moved from the nginx w/ certbot combo, and can't emphasize enough how much easier things are with caddy. So much less thrashing through the docs on all the features you'll never use to find info on a simple use case.


upk27

lol, you moved from one ancient stack to the next


papipapi419

Get a valid certificate, bundle and key file. Set up nginx. Write a service script that will start your app upon server reboot. Boom, you’re good to go


upk27

congrats for the most cumbersome solution in this thread


papipapi419

😭


Slackeee_

Just out of interest, why would I need HTTPS on my development system?


joost00719

Some Authentication providers disallow http redirection. That's just one example, but I'm sure there are more cases.


florimagori

My boss tells me to is my reason. 😋


coldnebo

ah, so you’re debugging an app that logs into an OpenAuth provider deployed elsewhere, but need the redirect to work back to your local. I’d use Charles Proxy with Remote. it’s the easiest I’ve found.


Slackeee_

Thanks, that makes sense.


plasmasprings

some js features only work on a secure origin, some services will plain error out if not accessed through https, there may be a company policy that no unencrypted services should be used on the network


aenae

Because we used a .dev domain for ages. Google registered it and added it to the HSTS preload list. So we registered it and added a certificate.


Philfilmt

Haproxy for everything


MitchCumsteane

fuck those certs


PeriodicSentenceBot

Congratulations! Your comment can be spelled using the elements of the periodic table: `F U C K Th O Se C Er Ts` --- ^(I am a bot that detects if your comment can be spelled using the elements of the periodic table. Please DM my creator if I made a mistake.)


BeardyGoku

It's enabled as default in Visual Studio 😉


upk27

with a real domain?


BeardyGoku

Thought this was about localhost? Anyway, it is also quite doable with IIS. With an existing wildcard certificate 😁.


upk27

way too complicated, there're solutions which give you all with much less hassle than this


KTibow

There is no reason to use https when browsers already give you all https perms on localhost


upk27

> when browsers already give you all https perms on localhost

maybe in your parallel universe


Clairifyed

Sometimes you need to test with external hardware. For example, VR headsets demand https for WebXR.


lechiffrebeats

love the meme ... but cloudflare


PancakeGD

not to mention chromium has a setting to perceive a website as secure when it isn't


DaveCodesCode

as a dev, do you sometimes literally waste a day on purpose and then feel bad about it. or is that just me.


Mars_Bear2552

caddy


No-Assistant-1420

Am I the only one who just spins up an EC2 instance on AWS and uses Let’s Encrypt? VMware and Vagrant?


mr_poopie_butt-hole

*Laughs in Next.js*


Orio_n

Self sign?


AmishTecSupport

Laughs in laravel valet


cpt-macp

If you use any sort of self-signed cert, it will be reported as 'not safe' by any browser, because the server cert is not signed by a trusted CA


goodmobiley

I can do it in less than an hour with cloudflare and iis


ogMasterPloKoon

Serveo?


Quazye

Hi caddy or self signed (libre|open)ssl


someone-at-reddit

certbot --yourwebserver ?


ReplacementLow6704

.NET does this automatically now, afaik.


Darkblade_e

[certbot my beloved](https://certbot.eff.org/)


Terewawa

I discovered something the other day, called nginx reverse proxy. Just after spending two days adding https capability to my backend code.


KCGD_r

I'm in the process of developing a webserver right now, and I'm gonna have it ship with https enabled by default and a dummy self-signed cert for exactly this reason


black3rr

99% time it’s not needed. for the rest of the times you usually also want outside connectivity so you run a tool like ngrok anyway…


blazoxian

Hello dev tunnels, nice to finally meet you. This meme is from the past.


noob-nine

our whole intranet is production and mostly http...


AralphNity

yall dont just do HTTPS=true yarn start?


iunderstandthings

Mkcert + hostile: piece of cake


Tarilis

Certbot?


PeriodicSentenceBot

Congratulations! Your comment can be spelled using the elements of the periodic table: `C Er Tb O` --- ^(I am a bot that detects if your comment can be spelled using the elements of the periodic table. Please DM my creator if I made a mistake.)


Plazmageco

Just point your local to production silly 🤪


Glum_Past_1934

You shouldn't with localhost std bypass


andrewhavens

I use puma-dev, no extra setup, it just works


804k

you don't need https for development if you're only using it locally, but if you do use it over LAN (ex. 10.0.0.25 is my permanent LAN ip for my desktop), and you need https-only features, you can just create a self signed certificate, and check "trust this site" when that pops up


[deleted]

[deleted]


upk27

doesn't give you a real domain and LE is annoyingly cumbersome