Fixes and updates for local testing over HTTPS #11768
- Don't include port in CN
- Add SAN including the IP address (required for Safari on iOS) [skip changelog]
- Bind to a specific IP
- Describe how to trust cert on iOS
Related Slack thread: https://gsa-tts.slack.com/archives/C0NGESUN5/p1731441488466669
aduth left a comment
This unfortunately didn't work for me, but I also didn't try the "Special instructions" (aside: Do those instructions work on managed devices?). But since it's completely busted anyways, anything which works for someone is a 👍 from me.
| -subj "/C=US/ST=District of Columbia/L=Washington/O=GSA/OU=Login.gov/CN=$(HOST):$(PORT)" \ | ||
| -subj "/C=US/ST=District of Columbia/L=Washington/O=GSA/OU=Login.gov/CN=$(HOST)" \ | ||
| -addext "subjectAltName=IP:$(HOST)" \ |
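Review bot: `subjectAltName=IP:$(HOST)` only produces a SAN that clients will match when `$(HOST)` is an IP literal; if `HOST` is ever a hostname such as `localhost`, the entry needs to be `DNS:$(HOST)` instead, so consider choosing the prefix from the value (or emitting both a `DNS:` and an `IP:` entry where applicable) rather than hard-coding `IP:`. Also worth noting next to this target: `-addext` requires OpenSSL 1.1.1 or newer, and older `openssl req` builds will reject the flag.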
If someone has existing files, it'd be nice if we could somehow invalidate those without them having to manually remove them. Maybe the output filenames should exclude the port, which has a dual effect of reflecting these changes and forcing a rebuild of existing certificates?
Yeah I was thinking about that as well. I'll make the update--the cert should work for any port.
This will ensure new keys / certs are generated without requiring folks to remove the old ones first.
Yes, I was able to get this working with my GFE iPhone using the special instructions.
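Generating and inspecting a certificate of the kind the Makefile diff above produces (port-free CN, host carried in the SAN), as an added example that is not the PR's own Makefile; the `gen_cert`, `cert_san` and `cert_cn` helpers and the `DNS:`-versus-`IP:` selection are this example's own assumptions.

```shell
#!/bin/sh
# Added example: self-signed cert for local HTTPS testing. The CN carries no
# port, the SAN names the host, and filenames exclude the port so one cert
# serves any port. Requires OpenSSL 1.1.1+ for -addext (assumption).
set -eu

# Pick the SAN entry type from the value: `IP:` with a hostname (or `DNS:`
# with an address) yields a SAN that browsers will not match. Only IPv4
# literals are recognised here; anything else is treated as a DNS name.
san_for_host() {
  case "$1" in
    *[!0-9.]*) printf 'DNS:%s' "$1" ;;   # letters or other chars: hostname
    *)         printf 'IP:%s'  "$1" ;;   # dotted digits: IPv4 literal
  esac
}

# Generate key + cert for HOST into DIR; prints the cert path.
gen_cert() {
  host="$1"; dir="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" \
    -subj "/C=US/ST=District of Columbia/L=Washington/O=GSA/OU=Login.gov/CN=$host" \
    -addext "subjectAltName=$(san_for_host "$host")" 2>/dev/null
  echo "$dir/$host.crt"
}

# Show the SAN entries so you can confirm what a device will actually
# trust before installing the cert as a profile on a phone.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# Extract the CN, which should be the bare host with no port suffix.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```

Run `cert_san "$(gen_cert 192.168.1.20 certs)"` with your own LAN address to see the `IP Address:` entry that iOS Safari checks against the URL it was given.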
🛠 Summary of changes
I had some trouble getting local testing working over HTTPS on iPhone, which (it seems) no longer has a "Proceed anyway" type link available when it encounters a self-signed certificate. Working around this involved:

- Binding to a specific IP address rather than `0.0.0.0`.
- Removing the port from the `CN` field of the self-signed cert.
- Adding a `subjectAltName` to the self-signed cert.

This PR: