Add support for custom certificate provider (ACME server) #1298
Comments
|
This would just be an alternative to how Trellis currently creates a self-signed certificate for local development right? I assume needing a custom CA/ACME server would be very rare for other use cases with Trellis. |
|
I've actually been working on a refactor of TLS certificates with Trellis using Certbot which While it seems nice to take advantage of certbot and just set a different ACME url in dev, there's also https://github.com/FiloSottile/mkcert which seems simpler overall. Though the same caveat applies, it would have to be installed and run both locally and remotely (which Trellis can help manage). |
|
I am using the smallstep CA server and my own CA private key / intermediate private key for signing everything locally used (for internal/development use). All devices trust that CA cert so I can centrally manage the trusted certs without creating a mess. |
|
@strarsis I believe #1310 which I'm hoping to merge soon should solve this for you? Although considering your use case, it has pros and cons. It would definitely let you override However, right now this will always install smallstep and create a CA locally on the server in development which isn't needed in your case. It's not a huge deal, just slower + inefficient, but I'll see if I can make that optional. |
|
Yes, the usage of |
|
I improved #1310 so that the local step-ca server won't be installed if a non-local CA server is specified. So in this case, you can just override the variable in development to whatever your CA host is and everything should work as expected 😄 |
Summary
It would be helpful to add support for custom CA servers (ACME compatible, so basically a LE drop-in replacement).
Motivation
A Trellis local server for local testing should use an existing, private CA (ACME-compatible; smallstep-ca).
Additional context
Related:
#893
#1066
The text was updated successfully, but these errors were encountered: