How to set up stress-free SSL on an OS X development machine - dltj
https://gist.github.com/jed/6147872

======
fideloper
Only gripe is being told to match Dev with production ... And then develop on
Mac OS.

Virtual machines are a much cleaner and nicer way to do this. Setting up a
wildcard SSL is similarly simple, and you get the bonus of learning how to
do it on a "real" (normal, more standard) server.

Example setting up wildcard subdomain SSL cert (self-signed):
[https://serversforhackers.com/ssl-certs/](https://serversforhackers.com/ssl-certs/)

~~~
jedschmidt
Having gotten more accustomed to the VM approach over the past year since I
wrote this post, I agree.

~~~
dltj
Thanks for leaving your Gist up there describing the process, Jed. I do some
work in VMs, but still found it very useful.

------
daurnimator
I use ngrok ([https://ngrok.com/](https://ngrok.com/)), which tunnels a local
port and makes it available over ssl on an ngrok.com subdomain.

Makes it easy to develop from any machine, and even allows me to check it out
from other machines. Including things like browserling.

On top of that, it can record and replay requests for you as you debug.

------
bensummers
I use multicast DNS so that my server in a development VM can automatically
publish a hostname to the host for testing.

[http://bens.me.uk/2013/multicast-dns-and-development-virtual...](http://bens.me.uk/2013/multicast-dns-and-development-virtual-machines)

This is especially useful as my application is multi-tenant, where you can
potentially use lots of different hostnames.

I'm wary of trusting a development certificate on my development machines. One
slight misconfiguration, and you've got a CA with a well-known private key
which can be used to generate certificates for any name. Which would be very
useful for MITMing a rather important machine.

I accept the inconvenience of having to click through the warnings, with
conscious awareness of what I'm doing to avoid training myself to ignore them.
I'm not entirely sure which is the bigger risk.

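An added example, not from the thread, the gist, or any tool mentioned in it, that serves both fideloper's wildcard self-signed cert setup above and the concern in this comment: rather than an unconstrained CA, it builds a development CA carrying a `nameConstraints` extension limited to the reserved `.test` suffix with a 30-day lifetime, issues a single-host and a wildcard certificate under it, and shows that a certificate the same CA signs for an outside name fails verification. It assumes an `openssl` binary from OpenSSL 1.1.1 or newer on PATH; the directory, hostnames and config are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the gist): a development CA whose
# private key is worth little to an attacker even if it leaks, because a name
# constraint limits it to the reserved ".test" suffix (RFC 6761) and it expires
# after 30 days. Assumes OpenSSL 1.1.1+; all paths and names are constructed.
set -e

# Write a minimal OpenSSL config; the v3_ca section carries the constraint.
write_config() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Local dev CA (.test only)
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:.test
EOF
}

# Create the CA key and self-signed certificate in directory $1 (EC key for speed).
make_dev_ca() {
  mkdir -p "$1"
  write_config "$1"
  openssl req -x509 -new -config "$1/ca.cnf" -extensions v3_ca \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
    -days 30 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  chmod 600 "$1/ca.key"   # the CA key stays readable only by this user
}

# Issue a server certificate: $1 = CA dir, $2 = file label, $3 = DNS name.
# A wildcard such as '*.test' is issued exactly like a single host.
issue_leaf() {
  dir=$1; label=$2; name=$3
  openssl req -new -config "$dir/ca.cnf" -subj "/CN=$name" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
    -keyout "$dir/$label.key" -out "$dir/$label.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
    "$name" > "$dir/$label.ext"
  openssl x509 -req -in "$dir/$label.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/$label.ext" \
    -out "$dir/$label.crt" 2>/dev/null
}

# Return 0 if a verifier that enforces name constraints accepts cert $2 under CA $1.
ca_accepts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: the CA signs any name you ask for, but only in-scope names verify.
demo_dir=$(mktemp -d)
make_dev_ca "$demo_dir"
issue_leaf "$demo_dir" app app.test
issue_leaf "$demo_dir" wild '*.test'
issue_leaf "$demo_dir" stray bank.example.com
for label in app wild stray; do
  if ca_accepts "$demo_dir/ca.crt" "$demo_dir/$label.crt"; then
    echo "$label: accepted"
  else
    echo "$label: rejected by verifier"
  fi
done
```

Run as a script it prints `app: accepted`, `wild: accepted` and `stray: rejected by verifier`. The constraint only protects you against clients that enforce `nameConstraints` (OpenSSL does; check the browsers and tools you actually trust the CA in), so keep the short validity and the 0600 key permission regardless, and add the CA only to the trust stores that need it rather than a system-wide root store.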
------
iancarroll
Keychain Access makes creating a certificate authority very easy - you might
as well just use that...

Besides, I don't understand why you would choose not to trust the certificate,
then click it and choose to trust it...

~~~
tbyehl
For the non-OS X crowd, XCA is a really simple GUI for managing your own CA.
Just about everything I have that can use an SSL certificate has one that all
of my machines trust.

[http://xca.sourceforge.net/](http://xca.sourceforge.net/)

~~~
junkblocker
Also, xca works just fine on OS X too.

------
geofft
/etc/resolver is pretty cool. I wish it were better-documented / better-known.
(I guess `man 5 resolver` documents it.)

I also wish glibc had something similar.

------
climaxius
Instead of dnsmasq you can also use
[https://github.com/robbiev/devdns](https://github.com/robbiev/devdns)

------
e28eta
Pow is a nice project for handling DNS resolution and forwarding a specific
name to a service running on a non-standard port.

I've put Apache with a wildcard cert (& local CA) in front of it to handle SSL
termination.

It's very similar to the technique from the article, but I've found the
ability to serve requests on the default port to be convenient.

------
arthurk
If you're using Django, check out the runserver_plus command from django-extensions:
[http://django-extensions.readthedocs.org/en/latest/runserver...](http://django-extensions.readthedocs.org/en/latest/runserver_plus.html#ssl)

------
lvturner
I wrote
[https://www.npmjs.com/package/crisp](https://www.npmjs.com/package/crisp) a
while back, which simplifies a lot of this: it generates a self-signed cert
and starts a web server in one move.

------
evadne
I usually just use
[https://github.com/jugyo/tunnels](https://github.com/jugyo/tunnels).

------
kevinburke
fyi - I know it's a pain but before I got comfortable with unbound/dnsmasq I
wrote a thing to edit your /etc/hosts file, which makes it not quite as
painful to deal with.

[https://github.com/kevinburke/hostsfile](https://github.com/kevinburke/hostsfile)

------
pbreit
I didn't see self-signed certs as an alternative. Isn't that a common and
reasonable approach?

~~~
philfreo
This describes setting up a self-signed cert

~~~
pbreit
Oops! I read the 3 alternatives and didn't see self-signed certs, which seemed
sorta obvious to me. Then skimmed a bit further and saw all sorts of other
things and not really any specific mention of self-signed certs. My bad.

