[feature] Use mkcert for valid local ssl

[tobz-nz]

MKCERT is a simple tool for making locally-trusted development certificates.
Sounds pretty perfect for integration into Valet right?

[tobz-nz]

Just attempting to "sell" this feature.
mkcert would enable:

• support for wildcard certificates
• no SEC_ERROR_UNKNOWN_ISSUER errors

[drbyte]

Seems worth exploring.

[tobz-nz]

I've been manually swapping out some certs in the nginx config and it works great... except for a couple of Valet commands that rebuild those configs..
Would be great to get this built in properly.

I'm happy to work on PR if its likely to go ahead.

[drbyte]

@tobz-nz I took a look at this today for awhile, with a particular goal:

My primary hope was to remove the need to have openssl available, since some people have reported issues with it (which I think are from external apps breaking the core or interfering with dylibs etc).

But if we don't use openssl to generate a CSR then it's much harder to identify certificates in the Keychain as being specific to Valet and needing "cleanup" if people don't use valet unsecure to remove all their generated certs. (ie: sometimes people just delete their ~/.config/valet dir as a cleanup, but this leaves junk in Keychain).
So, I don't think we can drop openssl as I'd hoped.

That doesn't mean mkcert couldn't be used.

I suppose maybe we could identify some other way to do system cleanup.

While Valet puts its CA in the valet config dir, I suppose if mkcert is generally installed then people can use it to create other non-valet certificates too, so maybe we don't need to even be "valet-specific". Just make sure whatever Valet needs is present when mkcert is called in case someone's run other mkcert commands that might confuse valet.

[drbyte]

I'd welcome seeing a PR with what you come up with.

[tobz-nz]

Cool - I'll look at implementing this when I have some time. 👍

[drbyte]

Or maybe smallstep/certificates

[tobz-nz]

Smallstep seems little bit overkill don't you think?

[tobz-nz]

I'm about 80% through implementing mkcert.

[benjibee]

How'd that last 20% go? I'm looking into the same thing just now, seeing what's out there.

[tobz-nz]

Hi @benjibee - sorry, i never got there. I can't remember exactly where I got to. I'm now using Laravel Sail for all my projects & adding a nginx or caddy image into the mix for ssl, depending on requirements.

Feel free to look at/fork my mkcert branch though https://github.com/tobz-nz/valet/tree/patch-1