-
-
Save levicook/563675 to your computer and use it in GitHub Desktop.
| I am the owner of lvh.me. And I'm glad to hear it's helpful. In truth, it's just a fancy DNS trick. lhv.me and all of it's sub-domains just point back to your computer (127.0.0.1). That means running ssl is as simple (or difficult) as running ssl on your computer. | |
| I'm not sure how comfortable you are with the command line, but here's my how I setup my development environment. (rvm, passenger, nginx w/ SSL, etc). | |
| # Install rvm (no sudo!) | |
| # ------------------------------------------------------ | |
| bash < <( curl http://rvm.beginrescueend.com/releases/rvm-install-head ) | |
| source ~/.rvm/scripts/rvm | |
| rvm install ree-1.8.7-2010.02 | |
| rvm ree --passenger | |
| sudo mkdir -p /opt && sudo chown -R $USER /opt | |
| passenger-install-nginx-module --auto --prefix=/opt/nginx/ --auto-download --extra-configure-flags=--with-http_ssl_module | |
| ## Setup a self-signed SSL certificate | |
| curl http://www.selfsignedcertificate.com/download.php?file=28727991/www.example.com.key > /opt/nginx/conf/server.key | |
| curl http://www.selfsignedcertificate.com/download.php?file=28727991/www.example.com.cert > /opt/nginx/conf/server.crt | |
| ## Sanity check your passenger_root and passenger_ruby | |
| ## Define virtual hosts in /opt/nginx/config/nginx.conf | |
| ## eg: | |
| http { | |
| passenger_root /Users/levi/.rvm/gems/ree-1.8.7-2010.02/gems/passenger-2.2.15; | |
| passenger_ruby /Users/levi/.rvm/bin/passenger_ruby; | |
| passenger_pool_idle_time 3600; # keep apps alive | |
| # foo.lvh.me (http) | |
| # ------------------------ | |
| server { | |
| listen 80; | |
| server_name foo.lvh.me; | |
| root /Users/levi/projects/foo/public; | |
| passenger_enabled on; | |
| rails_env development; | |
| } | |
| # foo.lvh.me (https) | |
| # ------------------------ | |
| server { | |
| listen 443; ssl on; | |
| ssl_certificate /opt/nginx/conf/server.crt; | |
| ssl_certificate_key /opt/nginx/conf/server.key; | |
| server_name foo.lvh.me; | |
| root /Users/levi/projects/foo/public; | |
| passenger_enabled on; | |
| rails_env development; | |
| } | |
| } | |
| # Start nginx | |
| # ------------------------------------------------------ | |
| sudo /opt/nginx/sbin/nginx | |
| # Stop nginx | |
| # ------------------------------------------------------ | |
| sudo /opt/nginx/sbin/nginx -s stop |
You can do it using Let's Encrypt certificates. They are the valid and free ones!
@lightningspirit if you managed to generate a certificate for "lvh.me" with let's encrypt, I'd like to know how.
I've tried sudo certbot certonly --standalone -d lvh.me and got the following error
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for lvh.me
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. lvh.me (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for lvh.me
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: lvh.me
Type: unknownHost
Detail: No valid IP addresses found for lvh.me
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Let's Encrypt wildcard certificate support is live as of March 13 2018.
https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579
Would be awesome to have it on lvh.me
Would be awesome to have it on lvh.me
+1
Would be awesome to have it on
lvh.me
+1
As I understand, lvh.me is just a DNS trick, such as adding an A record pointing to 127.0.0.1. There's no server behind it, there's nothing to perform SSL verification/handshakes.
That's correct; It's simply a dns entry that resolves to 127.0.0.1. Let's Encrypt will not generate certs for 127.0.0.1.
You can generate a certificate using the DNS challenge with letsencrypt.
Then you have to add a DNS TXT-record to the _acme-challenge.lvh.me subdomain. There is no server needed, so 127.0.0.1 does not matter.
@langenoot yes, you can generate a cert, but where do you store it and distribute it and how's that different from just using self-signed certs?
Usability over security. It avoids that the user needs to make an exception for a self-signed certificate.
Yes, it is hacky but interesting. Might be useful in some cases as mixed content is blocked nowadays and some API's (like webrtc) are not available on http.
I also imagine possibilities for shady purposes, like malware.
@landegnoot sure, but you haven't answered the question.. lvh.me is not for users, it's for developers.
If that is the scope, there is no advantage over self signed certificates.
I stumbled upon this project as I needed a website to connect to a service running on localhost.
Looks like selfsignedcertificate.com has been replaced by some kind of ad site.
What now?
It would be cool to have a publicly signed wild card certificate for lvh.me ...