x/crypto/acme/autocert: serve self-signed cert for localhost? #20640

Open
bradfitz opened this issue Jun 11, 2017 · 3 comments

Comments

@bradfitz
Member

commented Jun 11, 2017

Idea inspired by a mailing list post on golang-nuts:

What if the autocert package [optionally?] could serve a self-signed cert for localhost connections?

It can look at SNI "localhost" and/or the connection addr being a loopback address.

Might be nice for testing / consistency.

/cc @x1ddos

@FiloSottile

Member

commented Jun 11, 2017

+1, it should make a self-signed certificate for the "localhost" or "127.x.x.x" names, as it's clear a real cert will never be obtained for them.

Note though, it should not look at the Listen address, as binding to 127.0.0.1 and then redirecting with iptables is totally fine and common.

@x1ddos

Member

commented Jun 13, 2017

A very nice idea. Maybe also add *.local to the list of "local" SNI?
And, of course ::1 to the list of loopback addr. I don't see why "it should not look at the Listen address".

@mikioh

Contributor

commented Jun 13, 2017

I'm not keen on putting unicast DNS and mDNS stuff into one basket for now.
Just FYI: https://tools.ietf.org/html/draft-west-let-localhost-be-localhost
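
An added sketch of the SNI-based variant discussed in this thread (not part of the issue and not autocert's own code): it wraps an existing `tls.Config.GetCertificate` callback, such as the one an autocert `Manager` provides, and decides only on the SNI name, never on the listen address. The names `selfSigned` and `serveLocalhost` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned (hypothetical helper): 24h ECDSA P-256 cert for localhost, 127.0.0.1 and ::1.
func selfSigned() (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serveLocalhost (hypothetical): local SNI names get local, the rest go to the callback already set on cfg.
func serveLocalhost(cfg *tls.Config, local *tls.Certificate) {
	next := cfg.GetCertificate
	cfg.GetCertificate = func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if ip := net.ParseIP(h.ServerName); h.ServerName == "localhost" || (ip != nil && ip.IsLoopback()) {
			return local, nil
		}
		return next(h)
	}
}

func main() {
	_, err := selfSigned()
	fmt.Println("localhost certificate generated, err:", err)
}
```

TLS clients normally omit SNI for IP literals (RFC 6066), so a connection to `https://127.0.0.1` usually arrives with an empty `ServerName` and falls through to the original callback; only names that actually appear in SNI are matched here.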
