Skip to content

Instantly share code, notes, and snippets.

Last active November 21, 2023 10:51
Star You must be signed in to star a gist
What would you like to do?
How to setup Ngrok with a self-signed SSL cert


The plan is to create a pair of executables (ngrok and ngrokd) that are connected with a self-signed SSL cert. Since the client and server executables are paired, you won't be able to use any other ngrok to connect to this ngrokd, and vice versa.


Add two DNS records: one for the base domain and one for the wildcard domain. For example, if your base domain is, you'll need a record for that and for *

Different Operating Systems

If the OS on which you'll be compiling ngrok (that's the server section below) is different than the OS on which you'll be running the client, then you will need to set the GOOS and GOARCH env variables. I run Linux everywhere, so I don't know how to do that. Please Google it or see the discussion here. If you know how to do this and want to add GOOS/GOARCH instructions here, please let me know.

On Server

MAKE SURE YOU SET NGROK_DOMAIN BELOW. Set it to the base domain, not the wildcard domain.

git clone
cd ngrok

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -subj "/CN=$NGROK_DOMAIN" -days 5000 -out rootCA.pem
openssl genrsa -out device.key 2048
openssl req -new -key device.key -subj "/CN=$NGROK_DOMAIN" -out device.csr
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 5000

cp rootCA.pem assets/client/tls/ngrokroot.crt
# make clean
make release-server release-client

Copy bin/ngrok to whatever computer you want to connect from. Then start the server:

bin/ngrokd -tlsKey=device.key -tlsCrt=device.crt -domain="$NGROK_DOMAIN" -httpAddr=":8000" -httpsAddr=":8001"

On Client

MAKE SURE YOU SET NGROK_DOMAIN BELOW. Set it to the base domain, not the wildcard domain.

echo -e "server_addr: $NGROK_DOMAIN:4443\ntrust_host_root_certs: false" > ngrok-config
./ngrok -config=ngrok-config 80

Or for SSH forwarding: ./ngrok -config=ngrok-config --proto=tcp 22

Copy link

Hello Guys, i am getting this error
Please help me, I am new to this.

Copy link

I encounter the "bad certificate", too. The error message from client shows

[01:53:34 CST 2021/02/13] [EROR] (ngrok/log.Error:120) control recovering from failure x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

After searching, seems like ignoreCN are relative to go 1.15, I tried export GODEBUG=x509 ignoreCN=0 and export GODEBUG=x509ignoreCN=0 with no luck.

Finally, I use gvm to install go 1.14 and rebuild, and it works now.

gvm install go1.14.15
gvm use go1.14
make release-server release-client

Well done!
Thanks man!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment