
x/crypto/acme/autocert: serve self-signed cert for localhost? #20640

Open
bradfitz opened this issue Jun 11, 2017 · 6 comments

Comments


@bradfitz bradfitz commented Jun 11, 2017

Idea inspired by a mailing list post on golang-nuts.

What if the autocert package [optionally?] could serve a self-signed cert for localhost connections?

It can look at SNI "localhost" and/or the connection addr being a loopback address.

Might be nice for testing / consistency.

/cc @x1ddos


@FiloSottile FiloSottile commented Jun 11, 2017

+1, it should make a self-signed certificate for the "localhost" or "127.x.x.x" names, as it's clear a real cert will never be obtained for them.

Note though, it should not look at the Listen address, as binding to 127.0.0.1 and then redirecting with iptables is totally fine and common.


@x1ddos x1ddos commented Jun 13, 2017

A very nice idea. Maybe also add *.local to the list of "local" SNI?
And, of course ::1 to the list of loopback addr. I don't see why "it should not look at the Listen address".


@mikioh mikioh commented Jun 13, 2017

I'm not keen on putting unicast DNS and mDNS stuff into one basket for now.
Just FYI: https://tools.ietf.org/html/draft-west-let-localhost-be-localhost


@theist theist commented Feb 8, 2021

Any news on this? I wanted this feature for Go since I found it in Python's Flask and its Werkzeug internal server. I'm not saying it should be done because some Python library does it. Just interested if something like this exists in Go land.


@apexskier apexskier commented Mar 31, 2021

I'd personally not want this to be default behavior, although opt-in would be great. Self-signed certs will be rejected by many other client libraries. If this was default, when testing multiple local services communicating together I'd have errors by default that would somewhat obscure the underlying issue.


@theist theist commented Jun 16, 2021

I think the Caddy server does this by default when started locally. Maybe there's a library somewhere already. I haven't had the opportunity to drill into the code yet.
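A wrapper in the spirit of the proposal in this thread, added here as an example and not code from x/crypto/acme/autocert or from any commenter: it matches only the SNI name (Go's own TLS client omits SNI for IP literals, so the 127.x.x.x and ::1 variants discussed above are left out), mints a self-signed certificate for "localhost" and names under .localhost, and hands every other name to an ACME-backed getter, which in practice would be autocert.Manager.GetCertificate. The names LocalOrACME, isLocalName and selfSigned are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"strings"
	"time"
)

// isLocalName reports whether an SNI name is one no public CA will ever
// issue for: "localhost" or anything under the .localhost domain.
func isLocalName(name string) bool {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	return name == "localhost" || strings.HasSuffix(name, ".localhost")
}

// selfSigned mints a short-lived, self-signed ECDSA certificate for name.
func selfSigned(name string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// LocalOrACME wraps an ACME-backed getter (autocert.Manager.GetCertificate
// in practice): local SNI names get a self-signed cert, all others go to ACME.
func LocalOrACME(acme func(*tls.ClientHelloInfo) (*tls.Certificate, error)) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if isLocalName(h.ServerName) {
			return selfSigned(h.ServerName)
		}
		return acme(h)
	}
}
```

Install the result as tls.Config.GetCertificate only as an opt-in, since clients that verify certificates will still reject the self-signed leaf, as noted above. A fuller version would also cache the minted certificate per name instead of regenerating it on every handshake.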
