Skip to content

Instantly share code, notes, and snippets.

Last active June 1, 2024 12:41
Show Gist options
  • Save andrewn/b30375074398ab94361dc607ac7c0e12 to your computer and use it in GitHub Desktop.
Save andrewn/b30375074398ab94361dc607ac7c0e12 to your computer and use it in GitHub Desktop.
Testing SSL (LetsEncrypt certificate and loopback domain)

Testing SSL (LetsEncrypt certificate and loopback domain)

General approach

This sets up a publically-available domain that loops back to localhost IP address For example, this address could be if we controlled the domain. This relies on having a public domain name whose DNS records you can control. We can then generate LetsEncrypt certificates for this domain.

Our HTTP server runs on localhost:80 (default HTTP port). This lets us visit in a web browser and see the server running on localhost:80.

We then run an HTTPS proxy server on localhost:443 (default HTTPS port) that uses the LetsEncrypt certificates we generated for Visiting hits the proxy, which returns the correct certificates meaning the browser displays the "Secure" message. The proxy then passes the request through to the HTTP server.


  • it's very convoluted
  • private keys etc need to be distributed to any machine running the server
  • must have control of DNS records on domain
  • LetsEncrypt certificates expire so the whole process must be repeated to get new ones (steps 5-9 below)
  • ...?


  1. Create the loopback A record for

    In your DNS provider's control panel:

      Type: A
      TTL: 3600
  1. After a while, the following command:
    $ dig a

    ;; ANSWER SECTION:	3599 IN	A
  1. Install LetsEncrypt's certbot so we can generate a valid SSL cert:
    brew install certbot
  1. Generate a SSL cert for your domain using the DNS challenge type which means you won't need to have a server running on this domain:
    sudo certbot certonly --config-dir . --work-dir . --logs-dir . --manual --preferred-challenges dns
  1. Enter the domain name when prompted:
  1. Ok with logging? Yes

  2. Add the DNS record and TXT value in your DNS provider's control panel as requested by certbot. Do not press Enter until it's been deployed.

  3. There are a few more questions then certbot will have generated files in the directory you ran the command in:

        ├── README
        ├── cert.pem
        ├── chain.pem
        ├── fullchain.pem
        └── privkey.pem
  1. Use the redbox proxy to point to the generated certificates and start on port 443:
    sudo node redbird-proxy.js live/
  1. Set the API_URL in .env to:
  1. Start HTTP client on port 80 (edit .env to set PORT=80)
    sudo npm start
  1. Visit

The HTTPS server should be available without any browser warnings. HTTP version will be available on

Relies on redbird being installed:
npm install redbird
Usage: node proxy <public-loopback-domain> <path-to-pems>
e.g. node proxy ./live/
const path = require('path');
const incomingDomain = process.argv[2];
const possibleCertDir = process.argv[3];
if (incomingDomain == null || possibleCertDir == null) {
console.log('Usage: node proxy path/to/pem/dir');
const certDir = path.resolve(possibleCertDir);
const redbird = new require('redbird')({
ssl: {
port: 443,
ca: path.join(certDir, 'chain.pem'),
cert: path.join(certDir, 'cert.pem'),
key: path.join(certDir, 'privkey.pem'),
Copy link

dkprog commented Sep 1, 2020

I'm using similar approach to test a WebRTC solution inside my network. I also have created a free .TK domain using
Thank you very much.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment