TLS certs and browser trust idea. #34

Open
gedw99 opened this issue May 17, 2021 · 2 comments

Comments

gedw99 commented May 17, 2021

We can create certs that are trusted in all browsers for local development.

It will make development easier I think and lead to fewer false positives like:

2021/05/17 13:29:26 http: TLS handshake error from [::1]:50088: remote error: tls: unknown certificate

For Dev environment ...

https://github.com/FiloSottile/mkcert

It is golang and so can be imported or just used independently.

I just hit a problem with running the tutorial from the examples dir (not dist), to do with TLS trust.
mkcert is nice because browsers trust the dev server, and so you don't get any false positives and other weird stuff.

http: TLS handshake error from [::1]:63645: remote error: tls: unknown certificate

As an aside, it's important to also turn this off for Prod, since normally the proxy server or whatever you use will do this for you.


For Prod environment ...

It might be useful to add Let's Encrypt, as Caddy uses?

I see two options here:

  1. Use Caddy, and replace Nginx. The Caddy config will then do it all for you.
  2. Use https://github.com/caddyserver/certmagic imported into eliasdb itself. You will need to make this configurable because if you're using a proxy, the proxy (like Caddy or Nginx or whatever) will do all this for you.

The durable storage of the Certs is also a consideration, because you want all instances in the cluster to share the same Cert.
More info here: https://caddy.community/t/where-does-caddy-keep-their-certificates/4728
Same goes for local Dev too, in that you want the Certs stored globally for all instances.
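The two "tls: unknown certificate" log lines above are the server's view of the browser refusing the certificate. The following is an added illustration, not code from the EliasDB project and not mkcert's code: it generates in memory a throwaway local CA and a localhost leaf certificate (a constructed stand-in for the CA and cert that mkcert creates and installs into the trust store), starts an HTTPS server with that leaf, and connects once with an empty trust store and once with the local CA trusted. The first connection fails on the client side and the server logs an "http: TLS handshake error" line of the kind quoted above; the second succeeds with a 200. The names DevPKI, NewDevPKI, Probe and ProbeResult are assumptions made for this example only; everything else is the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// DevPKI is a constructed stand-in for what mkcert sets up: a private local CA
// (which the developer installs into the OS/browser trust store) and a leaf
// certificate for localhost issued by that CA. Generated in memory, nothing is written to disk.
type DevPKI struct {
	CAPool *x509.CertPool  // what a trust store with the local CA installed contains
	Leaf   tls.Certificate // server certificate for localhost, 127.0.0.1 and ::1
}

// NewDevPKI generates the local CA and a localhost leaf certificate signed by it.
func NewDevPKI() (*DevPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed local dev CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour), // short-lived on purpose: dev only
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &DevPKI{
		CAPool: pool,
		Leaf:   tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey},
	}, nil
}

// ProbeResult reports what the client got and what the server logged.
type ProbeResult struct {
	Status    int    // HTTP status seen by the client (0 if the handshake failed)
	ServerLog string // the server's error log, where "http: TLS handshake error" shows up
}

// Probe starts an HTTPS server with the dev leaf certificate and connects to it with
// a client whose trust store either contains the local CA (trustLocalCA=true, the
// state after mkcert -install) or is empty (trustLocalCA=false, a browser that has
// never seen the CA). An empty pool is used instead of the system store so the
// outcome does not depend on what happens to be installed on this machine.
func Probe(trustLocalCA bool) (ProbeResult, error) {
	pki, err := NewDevPKI()
	if err != nil {
		return ProbeResult{}, err
	}
	var serverLog bytes.Buffer
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{pki.Leaf}}
	srv.Config.ErrorLog = log.New(&serverLog, "", 0) // capture the handshake error line
	srv.StartTLS()

	roots := x509.NewCertPool() // empty: trusts nothing
	if trustLocalCA {
		roots = pki.CAPool
	}
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(srv.URL)
	client.CloseIdleConnections()
	srv.Close() // waits for the server-side connection goroutine to finish and log
	if err != nil {
		return ProbeResult{ServerLog: serverLog.String()}, err
	}
	resp.Body.Close()
	return ProbeResult{Status: resp.StatusCode, ServerLog: serverLog.String()}, nil
}

func main() {
	for _, trust := range []bool{false, true} {
		res, err := Probe(trust)
		fmt.Printf("trust local CA=%v: status=%d err=%v\nserver log: %s\n", trust, res.Status, err, res.ServerLog)
	}
}
```

The untrusted run is what the quoted log lines correspond to: the failure is decided by the client, and the server only sees the alert it sends back. Installing the local CA into the trust store (the trusted run) is the fix mkcert automates. When the server sits behind a TLS-terminating proxy such as Caddy or Nginx, as noted above for Prod, the backend listener serves plain HTTP internally and none of this applies to it.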

@gedw99 gedw99 changed the title TLS certs and trust TLS certs and browser trust idea. May 17, 2021
krotik (Owner) commented May 23, 2021

Hey there, thanks for the idea. I think I would rather not take decisions for end users where security certificates are concerned. It is possible to use EliasDB without doing anything. However, the user is then warned that the current state is not OK for long-term use. I think this is at the moment a good balance between usability and encouragement to research.

Taking a decision here might put some users at risk as it might not be right for them (and they might not know it). Like the big warning in the browser, sometimes it is better to nudge users to research for themselves and take an informed decision.

I would be all for making the current documentation of EliasDB more clear or give some hints. The addition would need some careful balance in terms of text length and long-term correctness (e.g. links not getting outdated).

gedw99 (Author) commented May 28, 2021

OK, I can definitely see your point.

If you want me to work on a PR that is decoupled as much as possible, just yell.
