peterldowns / localias

custom local domain aliases for local dev servers

localias run: warning: "certutil" is not available, install "certutil" with "brew install nss" and try again

gedw99 opened this issue · comments

commented

you can easily import mkcert to do all this, and not need any brew stuff

basically whenever a new domain is added, you run mkcert $(DOMAIN) and it will do all the tricky cert trust stuff and gen the cert key and cert pem.

anyway here is the brew problem...

localias run


2023/07/21 11:11:34.192 INFO    admin   admin endpoint started  {"address": "unix//Users/apple/Library/Application Support/localias/caddy.sock", "enforce_origin": false, "origins": [""]}
2023/07/21 11:11:34.202 INFO    tls.cache.maintenance   started background certificate maintenance  {"cache": "0xc000118d20"}
2023/07/21 11:11:34.204 INFO    tls     cleaning storage unit   {"description": "FileStorage:/Users/apple/Library/Application Support/localias/caddy"}
2023/07/21 11:11:34.204 INFO    tls     finished cleaning storage units
2023/07/21 11:11:34.273 WARN    pki.ca.local    installing root certificate (you might be prompted for password)    {"path": "storage:pki/authorities/local/root.crt"}
2023/07/21 11:11:34.381 INFO    warning: "certutil" is not available, install "certutil" with "brew install nss" and try again

This warning (and these logs) are all generated by Caddy, which I'm embedding. mkcert would definitely work to generate certificates but I'd rather let Caddy handle it all for me and not have to write that code myself.

Other than the warning log, was there a problem with the proxying behavior? Or is the issue solely that there is a warning log printed?

Also, do you mind telling me what OS you're on, what version of localias you have installed, and how you installed it?

commented

I am on Mac, Intel.

latest version off git tree.

I could not proxy because of the error. I did not look more deeply into why it was wanting to install CertUtil.

If you need me to try anything just let me know. Happy to try out things here.

I'm sorry, I cannot reproduce this error. When I run localias for the first time on a clean installation, I see the following logs:

❯ localias run
2023/07/21 18:11:04.031	INFO	admin	admin endpoint started	{"address": "unix//Users/pd/Library/Application Support/localias/caddy.sock", "enforce_origin": false, "origins": [""]}
2023/07/21 18:11:04.031	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0x1400020d650"}
2023/07/21 18:11:04.033	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2023/07/21 18:11:04.033	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2023/07/21 18:11:04.047	WARN	pki.ca.local	installing root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2023/07/21 18:11:04.056	INFO	warning: "certutil" is not available, install "certutil" with "brew install nss" and try again
2023/07/21 18:11:04.056	INFO	define JAVA_HOME environment variable to use the Java trust
Password:
2023/07/21 18:11:16.481	INFO	certificate installed properly in macOS keychain
2023/07/21 18:11:16.498	INFO	tls	cleaning storage unit	{"description": "FileStorage:/Users/pd/Library/Application Support/localias/caddy"}
2023/07/21 18:11:16.498	INFO	http	enabling HTTP/3 listener	{"addr": ":443"}
2023/07/21 18:11:16.498	INFO	tls	finished cleaning storage units
2023/07/21 18:11:16.499	INFO	http.log	server running	{"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/07/21 18:11:16.499	INFO	http.log	server running	{"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/07/21 18:11:16.499	INFO	http	enabling automatic TLS certificate management	{"domains": ["test"]}
2023/07/21 18:11:16.499	INFO	tls.obtain	acquiring lock	{"identifier": "test"}
2023/07/21 18:11:16.519	INFO	tls.obtain	lock acquired	{"identifier": "test"}
2023/07/21 18:11:16.519	INFO	tls.obtain	obtaining certificate	{"identifier": "test"}
2023/07/21 18:11:16.520	INFO	tls.obtain	certificate obtained successfully	{"identifier": "test"}
2023/07/21 18:11:16.520	INFO	tls.obtain	releasing lock	{"identifier": "test"}

Notice that I see the same log line as you:

2023/07/21 18:11:04.056	INFO	warning: "certutil" is not available, install "certutil" with "brew install nss" and try again

That log line is just a warning, it does not cause the command to fail. When the command runs I am prompted to enter my admin password to install the root certificate. After doing so, localias continues to run without issue.

I'm not sure what's going wrong for you, can you please tell me:

  • What version of macOS are you running?
  • What commit hash of localias are you using?
  • How are you building the localias binary that you're running?
  • Are you prompted to enter your admin password in any way when you run localias run?
  • Are there any other logs printed after you see the warning: "certutil" is not available log line?
  • What does localias debug cert --print show you?
  • When you wrote "I could not proxy because of the error." what did you mean?
    • What command did you run?
    • What error did you see?

Closing since I cannot reproduce the problem. I will re-open this if there is actually something going wrong that I can reproduce, or others report a similar issue.

@gedw99 note that mkcert also relies on certutil for NSS truststore support: https://github.com/FiloSottile/mkcert/blob/master/truststore_nss.go#L19. The https://github.com/smallstep/truststore package, which is used by Caddy, is in fact based on mkcert.

A potential improvement could be to rely on the truststore package directly, and to mimic the logic that Caddy executes, before Caddy does its work, just before running the server or starting the daemon. Using a direct call to truststore might also be an option for the debug option to install a root cert in #15.
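
Added example, not part of the thread and not code from localias, Caddy or truststore: one way to check in Go whether a local root CA is already trusted before attempting an install, using only the standard library. The in-memory CA and the names newLocalRoot and trustedBy are hypothetical; a real check would load the root.crt named in the logs instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newLocalRoot builds a throwaway self-signed CA (constructed stand-in for root.crt).
func newLocalRoot(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedBy reports whether root verifies against pool; a nil pool means the OS trust store.
func trustedBy(root *x509.Certificate, pool *x509.CertPool) bool {
	_, err := root.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

func main() {
	root, err := newLocalRoot("Example Local Authority (constructed)")
	if err != nil {
		panic(err)
	}
	installed := x509.NewCertPool() // simulates a store the root was added to
	installed.AddCert(root)
	fmt.Println("system:", trustedBy(root, nil), "simulated install:", trustedBy(root, installed))
}
```

A root that fails this check against the system store is the case where the install step, and its password prompt, still has to happen.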

commented

thanks @peterldowns yep agree this is a good way using truststore.