- Install stud
$ brew install https://raw.github.com/paulnicholson/homebrew/master/Library/Formula/stud.rb
- Download and install the powssl script
$ curl https://gist.githubusercontent.com/paulnicholson/2050941/raw/7e4d2178e3733bed18fdfe737277c3cb72241d39/powssl > ~/bin/powssl
$ chmod +x ~/bin/powssl
- Run powssl to create the development certificate and configure stud.
$ powssl
- Launch your browser and hit one of your apps
$ open https://app.dev/
ssl with pow using stud
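#!/bin/bash
#
# powssl — create a private development CA, issue a wildcard certificate for
# every pow app (*.dev by default) and start stud as the TLS terminator in
# front of pow.
#
# Usage:    powssl
# Requires: macOS (uses the `security` keychain tool), stud, openssl, sudo
# Reads:    ~/.powconfig  (POW_DOMAINS, POW_EXT_DOMAINS; comma separated)
#           ~/.pow/*      (one entry per pow app)
# Writes:   ~/.stud       (stud config, CA key/cert, dev key/cert, keypair.pem)
#
# -u is deliberately not set: /bin/bash on macOS is 3.2, where expanding an
# empty array under -u is an "unbound variable" error.
set -e -o pipefail

STUD_DIR="$HOME/.stud"
CA_DIR="$STUD_DIR/ca"
readonly STUD_DIR CA_DIR

# The CA key under $CA_DIR can mint certificates that the login keychain
# trusts, so nothing created below may be readable by other users.
umask 077

die() {
  printf 'powssl: %s\n' "$*" >&2
  exit 1
}

#######################################
# Write the OpenSSL CA configuration used by `openssl ca`.
# Globals:  CA_DIR (read)
# Outputs:  $CA_DIR/openssl.cnf
# Note:     $dir and ${ENV::SAN} are expanded by OpenSSL, not by the shell
#           (hence the escaped dollars); SAN is read from the environment at
#           signing time.
#######################################
write_openssl_config() {
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $CA_DIR
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
unique_subject = no
new_certs_dir = \$dir/newcerts
certificate = \$dir/cert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
crl = \$dir/crl.pem
private_key = \$dir/key.pem
RANDFILE = \$dir/.rand
default_days = 365 # how long to certify for (overridden by -days below)
default_crl_days = 30 # how long before next CRL
default_md = sha256 # SHA-1 signatures are rejected by current browsers/OSes
x509_extensions = usr_cert

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# A serverAuth EKU is required for TLS server certificates on macOS 10.15+
# and iOS 13+; without it the certificate is rejected even though the CA is
# trusted.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = \${ENV::SAN}
EOF
}

#######################################
# First-run setup: stud config, CA key pair, CA trusted in the login keychain.
# Globals:  STUD_DIR, CA_DIR (read)
#######################################
setup_ca() {
  mkdir -p "$CA_DIR/newcerts"

  # Start from stud's default config and point it at pow on port 80.
  stud --default-config \
    | sed -e 's%frontend = .*%frontend = "[*]:443"%' \
          -e 's%backend = .*%backend = "[127.0.0.1]:80"%' \
          -e "s%user = .*%user = \"$(id -un)\"%" \
          -e "s%group = .*%group = \"$(id -gn)\"%" \
          -e "s%pem-file = .*%pem-file= \"$STUD_DIR/keypair.pem\"%" \
          -e 's%# ssl = .*%ssl= on%' \
    > "$STUD_DIR/config"

  echo "Setup openssl config"
  write_openssl_config
  touch "$CA_DIR/index.txt"
  echo "01" > "$CA_DIR/serial"

  echo "Creating ssl keypair for signing *.dev certificate."
  # openssl prints key-generation progress on stderr; hide the noise but
  # keep the exit status.
  openssl req -newkey rsa:2048 -batch -x509 -nodes \
    -subj "/C=US/O=Developer Certificate/CN=*.dev Domain CA" \
    -keyout "$CA_DIR/key.pem" -out "$CA_DIR/cert.pem" -days 9999 \
    >/dev/null 2>&1 || die "could not create the CA key pair"

  echo "Adding certificate to login keychain as trusted."
  security add-trusted-cert -d -r trustRoot \
    -k "$HOME/Library/Keychains/login.keychain" "$CA_DIR/cert.pem" \
    || die "could not add the CA certificate to the login keychain"

  echo "================================================================================"
  printf 'To use the certificate without a warning in Firefox you must add the\n"%s" certificate to your Firefox root certificates.\n' "$CA_DIR/cert.pem"
  echo "================================================================================"
}

#######################################
# Build the subjectAltName value covering all pow apps and domains.
# Globals:  POW_DOMAINS (read; TLDs, default "dev"),
#           POW_EXT_DOMAINS (read; full external domains)
# Outputs:  comma separated "DNS:..." list on stdout (empty if nothing found)
#######################################
build_san() {
  local app tld ext
  local -a entries=() tlds=() ext_domains=()
  IFS=',' read -r -a tlds <<< "${POW_DOMAINS:-dev}"
  IFS=',' read -r -a ext_domains <<< "${POW_EXT_DOMAINS:-}"

  # External domains are used as-is plus a wildcard; a bare TLD is skipped
  # because "*.com"-style names make no sense for a dev certificate.
  for ext in "${ext_domains[@]}"; do
    if [[ $ext == *.* ]]; then
      entries+=("DNS:$ext" "DNS:*.$ext")
    elif [[ -n $ext ]]; then
      echo "Not using POW_EXT_DOMAIN value '$ext' because it appears to be a TLD." >&2
    fi
  done

  for app in "$HOME"/.pow/*; do
    # With no apps the glob stays literal; pow entries are usually symlinks.
    [[ -e $app || -L $app ]] || continue
    app=${app##*/}
    for tld in "${tlds[@]}"; do
      [[ -n $tld ]] || continue
      entries+=("DNS:$app.$tld" "DNS:*.$app.$tld")
    done
    for ext in "${ext_domains[@]}"; do
      if [[ $ext == *.* ]]; then
        entries+=("DNS:*.$app.$ext")
      fi
    done
  done

  local IFS=','
  printf '%s' "${entries[*]}"
}

#######################################
# Generate a new dev key, have the CA sign it for the given SAN list, and
# assemble the key+cert file stud reads.
# Globals:   STUD_DIR, CA_DIR (read)
# Arguments: $1 - subjectAltName value ("DNS:a,DNS:*.a,...")
#######################################
issue_cert() {
  local san=$1

  # Rewrite the CA config so installs created by older versions of this
  # script pick up the current digest and extension settings.
  write_openssl_config

  echo "Generating new dev certificate"
  openssl req -newkey rsa:2048 -batch -nodes \
    -subj "/C=US/O=Developer Certificate/CN=*.dev" \
    -keyout "$STUD_DIR/key.pem" -out "$STUD_DIR/csr.pem" \
    >/dev/null 2>&1 || die "could not create the dev key pair / CSR"

  echo "Signing dev certificate"
  # 825 days is the longest validity macOS 10.15+/iOS 13+ accept for a TLS
  # server certificate; a longer-lived leaf is rejected outright.
  SAN="$san" openssl ca -config "$CA_DIR/openssl.cnf" -policy policy_anything \
    -batch -days 825 -out "$STUD_DIR/cert.pem" -infiles "$STUD_DIR/csr.pem" \
    >/dev/null 2>&1 || die "could not sign the dev certificate"

  # stud expects the private key and the certificate in one PEM file.
  cat "$STUD_DIR/key.pem" "$STUD_DIR/cert.pem" > "$STUD_DIR/keypair.pem"
  # Remembered so the certificate is only regenerated when the domains change.
  printf '%s\n' "$san" > "$STUD_DIR/domains"
}

main() {
  local tool san current

  for tool in stud openssl security sudo; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool '$tool' not found"
  done

  [[ -d $STUD_DIR ]] || setup_ca
  # Installs created before the umask above was introduced may still be
  # readable by other users; tighten them on every start.
  chmod -R go-rwx "$STUD_DIR"

  # ~/.powconfig may define POW_DOMAINS / POW_EXT_DOMAINS.
  if [[ -e "$HOME/.powconfig" ]]; then
    # shellcheck disable=SC1090
    source "$HOME/.powconfig"
  fi

  san=$(build_san)
  [[ -n $san ]] || die "no pow apps or domains found; nothing to put in the certificate"

  current=''
  if [[ -f "$STUD_DIR/domains" ]]; then
    current=$(<"$STUD_DIR/domains")
  fi
  # The right-hand side must be quoted: the SAN list contains "*" and would
  # otherwise be treated as a pattern.
  if [[ $current != "$san" || ! -f "$STUD_DIR/keypair.pem" ]]; then
    issue_cert "$san"
  fi

  echo "Starting Stud (using sudo to open ports < 1024)"
  exec sudo stud --config "$STUD_DIR/config"
}

main "$@"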
It turns out I needed, in my .pem, my domain certificate, the intermediate, the root, and lastly the private key.
The link in step 2 needs to be:
https://gist.github.com/paulnicholson/2050941/raw/3ea59efe8c7e9013c265313045a9fdda5c653963/powssl
Thanks for a great script!
I have updated the script to use TLDs from POW_DOMAINS and domains from POW_EXT_DOMAINS.
@paulnicholson I'm seeing the following:
Error: MD5 support has been dropped for security reasons.
Please switch this formula to SHA256.
echo -e "To use the certificate without a warning in Firefox you must add the\n"$CA_DIR/cert.pem" certificate to your Firefox root certificates."
Really, that's how you fix it? So far everything I've read indicates that I need to be serving the intermediate certificate.