Cross posted from my blog (from January 1). Hopefully useful in this wider community. =)
Relatively recently, I saw Wes Bos' YouTube Short about local https with Caddy.
I tried exactly that, but kept getting the self-signed certificate warnings in browsers. Boo! I figured there must be an extra step on my machine.
TL;DR: This is how I got it working: Install certutil
# Install `certutil`:
brew install nss
So, brew install nss, and then caddy file-server --domain tg.localhost, or even stuff like caddy reverse-proxy --from tg.localhost --to http://localhost:1313.
The first time you run Caddy, it will prompt for your system password to install a trusted root cert. After that, no more "self signed certificate" warnings.
And yes: Change tg.localhost to just about anything you want. Open it in your browser, and it should "just work"!
How I figured it out
When running things like caddy file-server --domain tg.localhost, I noticed warnings in the output. This was while Caddy was trying to create/install the root certificate, and suggesting to install certutil:
WARN pki.ca.local installing root certificate (you might be prompted for password) {"path": "storage:pki/authorities/local/root.crt"}
INFO warning: "certutil" is not available, install "certutil" with "brew install nss" and try again
It did prompt for local machine password a couple times, so I figured whatever fallback mechanism it was using would be working. But apparently not. Because I was still seeing "self signed" certificate warnings.
I've never used certutil, so wasn't familiar. But I decided to try it and ran brew install nss per the recommendation from Caddy output.
To be sure, I ran caddy trust, (while caddy run was running in another terminal!) and it worked flawlessly.
In subsequent tests, I haven't had to untrust/trust. It "Just Works", as long as certutil is already installed.
Hope that's helpful!
Top comments (0)