x/crypto/acme/autocert: serve self-signed cert for localhost? #20640
Comments
bradfitz
added
NeedsDecision
|
+1, it should make a self-signed certificate for the "localhost" or "127.x.x.x" names, as it's clear a real cert will never be obtained for them. Note though, it should not look at the Listen address, as binding to 127.0.0.1 and then redirecting with iptables is totally fine and common. |
|
A very nice idea. Maybe also add *.local to the list of "local" SNI? |
|
I'm not keen on putting unicast DNS and mDNS stuff into one basket for now. |
|
Any news on this? I wanted tis feature for golang since I found it in Python's flask and its werkzeug internal server I'm not saying it should be done because some library of python does. Just interested if something like this exists in Go lands |
|
I'd personally not want this to be default behavior, although opt-in would be great. Self signed certs will be rejected by many other client libraries. If this was default, when testing multiple local services communicating together I'd have errors by default that would somewhat obscure the underlying issue. |
|
I think the caddy server does this by default when started locally. Maybe there's a library somewhere already. I hadn't the opportunity to drill into the code yet. |
Idea inspired by a mailing list post on golang-nuts,
What if the autocert package [optionally?] could serve a self-signed cert for localhost connections?
It can look at SNI "localhost" and/or the connection addr being a loopback address.
Might be nice for testing / consistency.
/cc @x1ddos
The text was updated successfully, but these errors were encountered: