Comments (9)
ctz
commented on May 30, 2024
1
mkcert also does all this logic, which covers Firefox and Chrome-on-Linux: https://github.com/FiloSottile/mkcert/blob/master/truststore_nss.go
from rustls.
ctz
commented on May 30, 2024
Hopefully it's clear that none of the repro steps here include configuring your OS and/or browser to trust .tls/ca_cert.pem as a CA. The details of doing that are quite OS- and browser-specific.
from rustls.
Ludea
commented on May 30, 2024
I updated my issue with step to add created cert into system store
from rustls.
ctz
commented on May 30, 2024
I don't think Chrome relies on the ca-certificates package; it maintains its own store. See, eg, https://portswigger.net/burp/documentation/desktop/external-browser-config/certificate/ca-cert-chrome-linux
from rustls.
Ludea
commented on May 30, 2024
:(
I guess it's the same thing for edge / Firefox / safari ?
from rustls.
ctz
commented on May 30, 2024
It differs between browsers and platforms. The value of tools like mkcert is automating it across browsers and platforms.
$ sudo apt-get install mkcert libnss3-tools
(...)
$ mkdir mkcert
$ cd mkcert/
$ mkcert -install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox and/or Chrome/Chromium trust store (requires browser restart)! 🦊
$ mkcert localhost
Created a new certificate valid for the following names 📜
- "localhost"
The certificate is at "./localhost.pem" and the key at "./localhost-key.pem" ✅
It will expire on 13 March 2026 🗓
$ cd ~/rustls
$ cargo run -p rustls-examples --bin tlsserver-mio -- --certs ~/mkcert/localhost.pem --key ~/mkcert/localhost-key.pem --port 8443 http( https://localhost:8443 now works locally in google chrome, curl, etc.)
from rustls.
Ludea
commented on May 30, 2024
I do same step as mkcert : https://github.com/FiloSottile/mkcert/blob/master/truststore_linux.go#L70. So I expect the same thing as you got with my created cert.
Maybe I miss something ?
from rustls.
cpu
commented on May 30, 2024
copy .tls/ca_cert.pem to /usr/local/share/ca-certificates/ca_cert.crt
run sudo update-ca-certificates
...
I do same step as mkcert
That file-path is not the only path mkcert looks at: https://github.com/FiloSottile/mkcert/blob/2a46726cebac0ff4e1f133d90b4e4c42f1edf44a/truststore_linux.go#L36-L48
Have you tried using the upstream mkcert like Ctz described? Did it work?
If mkcert works and your version doesn't it would indicate you're missing some logic that mkcert handles.
from rustls.
Ludea
commented on May 30, 2024
mkcert also does all this logic, which covers Firefox and Chrome-on-Linux: https://github.com/FiloSottile/mkcert/blob/master/truststore_nss.go
I missed that, Thanks for sharing this. I did not know about NSS
from rustls.
Related Issues (20)
- optimize receiving data with TLS 1.2 and aes-128-gcm HOT 1
- optimize receiving data with TLS 1.3 and aes-256-gcm
- optimize server-side full handshakes for TLS 1.2 and 1.3 HOT 1
- Connection::dangerous_extract_secrets returns ConnectionTrafficSecrets::Aes128Gcm even when AES-256-GCM is negotiated
- Error: badRecordMac HOT 4
- Cipher suites configured through WebPkiServerVerifier::builder_with_provider is not working. Client hello contains more cipher suites then it configured. HOT 6
- rand_core::RngCore & CryptoRng support for CryptoProvider HOT 7
- expose more information in ClientHello HOT 4
- No common ciphersuit when FFDHE and ECDHE ciphersuites are available on server and client using TLS 1.2 HOT 4
- US Export control information HOT 4
- doc: AcceptedAlert::write doesn't necessarily write all bytes HOT 7
- Support using rustls without using specific ring or aws-lc-rs apis HOT 2
- Feature request: a way to set/get default ticketer dynamically HOT 6
- Feature Request: Avoid panicking when ring and aws_lc_rs are both specified HOT 19
- Option to Relax SNI Host Name Validation for IP Addresses HOT 7
- unbuffered: B: `CapacityBuffer` for `output_tls.capacity()` HOT 9
- The support for "mipsel-unknown-linux-musl" has failed. HOT 2
- Io(Custom { kind: InvalidData, error: AlertReceived(HandshakeFailure) }) HOT 6
- Linux compilation is slow and seems unable to store compilation results HOT 3
- Incompatible License HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rustls.