Add --reinstall-ssl flag and fix mkcert CA detection

davegaeddert · davegaeddert · commit 04579b74d746 · 2026-01-12T20:37:23.000-06:00
The previous code used `mkcert -check` which doesn't exist in mkcert
v1.4.4. Now checks for CA file existence instead, and adds a
--reinstall-ssl flag that:
- Redownloads mkcert binary (updates to latest)
- Reinstalls CA into system trust store
- Regenerates domain certificates

This provides a comprehensive fix for SSL issues while keeping normal
usage silent.
diff --git a/plain-dev/plain/dev/cli.py b/plain-dev/plain/dev/cli.py
@@ -121,13 +121,20 @@ def _auto_start_services() -> None:
     default=False,
     help="Stop the background process",
 )
+@click.option(
+    "--reinstall-ssl",
+    is_flag=True,
+    default=False,
+    help="Reinstall SSL certificates (updates mkcert, reinstalls CA, regenerates certs)",
+)
 def cli(
     ctx: click.Context,
     port: str,
     hostname: str | None,
     log_level: str,
     start: bool,
     stop: bool,
+    reinstall_ssl: bool,
 ) -> None:
     """Local development server"""
     if ctx.invoked_subcommand:
@@ -188,7 +195,7 @@ def cli(
         hostname=hostname,
         log_level=log_level if log_level else None,
     )
-    returncode = dev.run()
+    returncode = dev.run(reinstall_ssl=reinstall_ssl)
     if returncode:
         sys.exit(returncode)
 
diff --git a/plain-dev/plain/dev/core.py b/plain-dev/plain/dev/core.py
@@ -128,13 +128,17 @@ def _port_available(self, port: int) -> bool:
             result = sock.connect_ex(("127.0.0.1", port))
         return result != 0
 
-    def run(self) -> int:
+    def run(self, *, reinstall_ssl: bool = False) -> int:
         self.write_pidfile()
         mkcert_manager = MkcertManager()
-        mkcert_manager.setup_mkcert(install_path=Path.home() / ".plain" / "dev")
+        mkcert_manager.setup_mkcert(
+            install_path=Path.home() / ".plain" / "dev",
+            force_reinstall=reinstall_ssl,
+        )
         self.ssl_cert_path, self.ssl_key_path = mkcert_manager.generate_certs(
             domain=self.hostname,
             storage_path=Path(PLAIN_TEMP_PATH) / "dev" / "certs",
+            force_regenerate=reinstall_ssl,
         )
 
         self.symlink_plain_src()
diff --git a/plain-dev/plain/dev/mkcert.py b/plain-dev/plain/dev/mkcert.py
@@ -11,80 +11,117 @@
 
 class MkcertManager:
     def __init__(self) -> None:
-        self.mkcert_bin: str | Path | None = None
+        self.mkcert_bin: str | None = None
 
-    def setup_mkcert(self, install_path: Path) -> None:
+    def setup_mkcert(
+        self, install_path: Path, *, force_reinstall: bool = False
+    ) -> None:
         """Set up mkcert by checking if it's installed or downloading the binary and installing the local CA."""
         if mkcert_path := shutil.which("mkcert"):
-            # mkcert is already installed somewhere
             self.mkcert_bin = mkcert_path
-        else:
-            self.mkcert_bin = install_path / "mkcert"
-            install_path.mkdir(parents=True, exist_ok=True)
-            if not self.mkcert_bin.exists():
-                system = platform.system()
-                arch = platform.machine()
-
-                # Map platform.machine() to mkcert's expected architecture strings
-                arch_map = {
-                    "x86_64": "amd64",
-                    "amd64": "amd64",
-                    "AMD64": "amd64",
-                    "arm64": "arm64",
-                    "aarch64": "arm64",
-                }
-                arch = arch_map.get(
-                    arch.lower(), "amd64"
-                )  # Default to amd64 if unknown
-
-                if system == "Darwin":
-                    os_name = "darwin"
-                elif system == "Linux":
-                    os_name = "linux"
-                elif system == "Windows":
-                    os_name = "windows"
-                else:
-                    click.secho("Unsupported OS", fg="red")
-                    sys.exit(1)
-
-                mkcert_url = f"https://dl.filippo.io/mkcert/latest?for={os_name}/{arch}"
-                click.secho(f"Downloading mkcert from {mkcert_url}...", bold=True)
-                urllib.request.urlretrieve(mkcert_url, self.mkcert_bin)
-                self.mkcert_bin.chmod(0o755)
-            self.mkcert_bin = str(self.mkcert_bin)  # Convert Path object to string
-
-        if not self.is_mkcert_ca_installed():
-            click.secho(
-                "Installing mkcert local CA. You may be prompted for your password.",
-                bold=True,
-            )
-            subprocess.run([self.mkcert_bin, "-install"], check=True)
-
-    def is_mkcert_ca_installed(self) -> bool:
-        """Check if mkcert local CA is already installed using mkcert -check."""
+            # Run install if CA files don't exist, or if force reinstall
+            if force_reinstall or not self._ca_files_exist():
+                self.install_ca()
+            return
+
+        # mkcert not found system-wide, download to install_path
+        install_path.mkdir(parents=True, exist_ok=True)
+        binary_path = install_path / "mkcert"
+
+        if force_reinstall and binary_path.exists():
+            click.secho("Removing existing mkcert binary...", bold=True)
+            binary_path.unlink()
+
+        if not binary_path.exists():
+            self._download_mkcert(binary_path)
+
+        self.mkcert_bin = str(binary_path)
+
+        # Run install if CA files don't exist, or if force reinstall
+        if force_reinstall or not self._ca_files_exist():
+            self.install_ca()
+
+    def _download_mkcert(self, dest: Path) -> None:
+        """Download the mkcert binary."""
+        system = platform.system()
+        machine = platform.machine().lower()
+
+        # Map platform.machine() to mkcert's expected architecture strings
+        arch_map = {
+            "x86_64": "amd64",
+            "amd64": "amd64",
+            "arm64": "arm64",
+            "aarch64": "arm64",
+        }
+        arch = arch_map.get(machine, "amd64")
+
+        os_map = {
+            "Darwin": "darwin",
+            "Linux": "linux",
+            "Windows": "windows",
+        }
+        os_name = os_map.get(system)
+        if not os_name:
+            click.secho(f"Unsupported OS: {system}", fg="red")
+            sys.exit(1)
+
+        mkcert_url = f"https://dl.filippo.io/mkcert/latest?for={os_name}/{arch}"
+        click.secho(f"Downloading mkcert from {mkcert_url}...", bold=True)
+        urllib.request.urlretrieve(mkcert_url, dest)
+        dest.chmod(0o755)
+
+    def _get_ca_root(self) -> Path | None:
+        """Get the mkcert CAROOT directory."""
         if not self.mkcert_bin:
+            return None
+        result = subprocess.run(
+            [self.mkcert_bin, "-CAROOT"],
+            capture_output=True,
+            text=True,
+        )
+        if result.returncode == 0:
+            return Path(result.stdout.strip())
+        return None
+
+    def _ca_files_exist(self) -> bool:
+        """Check if the CA root files exist."""
+        ca_root = self._get_ca_root()
+        if not ca_root:
             return False
-        try:
-            result = subprocess.run([self.mkcert_bin, "-check"], capture_output=True)
-            output = result.stdout.decode() + result.stderr.decode()
-            if "The local CA is not installed" in output:
-                return False
-            return True
-        except Exception as e:
-            click.secho(f"Error checking mkcert CA installation: {e}", fg="red")
-            return False
+        return (ca_root / "rootCA.pem").exists() and (
+            ca_root / "rootCA-key.pem"
+        ).exists()
+
+    def install_ca(self) -> None:
+        """Install the mkcert CA into the system trust store.
+
+        Running `mkcert -install` is idempotent - if already installed,
+        it just prints a message without prompting for a password.
+        """
+        if not self.mkcert_bin:
+            return
+
+        # Don't capture output so user can see messages and respond to password prompts
+        result = subprocess.run([self.mkcert_bin, "-install"])
+
+        if result.returncode != 0:
+            click.secho("Failed to install mkcert CA", fg="red")
+            raise SystemExit(1)
 
-    def generate_certs(self, domain: str, storage_path: Path) -> tuple[Path, Path]:
+    def generate_certs(
+        self, domain: str, storage_path: Path, *, force_regenerate: bool = False
+    ) -> tuple[Path, Path]:
         cert_path = storage_path / f"{domain}-cert.pem"
         key_path = storage_path / f"{domain}-key.pem"
         timestamp_path = storage_path / f"{domain}.timestamp"
         update_interval = 60 * 24 * 3600  # 60 days in seconds
 
         # Check if the certs exist and if the timestamp is recent enough
-        if cert_path.exists() and key_path.exists() and timestamp_path.exists():
-            last_updated = timestamp_path.stat().st_mtime
-            if time.time() - last_updated < update_interval:
-                return cert_path, key_path
+        if not force_regenerate:
+            if cert_path.exists() and key_path.exists() and timestamp_path.exists():
+                last_updated = timestamp_path.stat().st_mtime
+                if time.time() - last_updated < update_interval:
+                    return cert_path, key_path
 
         storage_path.mkdir(parents=True, exist_ok=True)
 
