Force new CA to be generated
axelson opened this issue · comments
When I run `puma-dev -install`, as part of the output I see:
2020/05/13 10:12:56 Existing valid puma-dev CA keypair found. Assuming previously trusted.
However, when I try to visit a puma-dev site I get an `Error code: SEC_ERROR_UNKNOWN_ISSUER` SSL error (and I see that the certificate is indeed signed by "Puma-dev Signed").
My hypothesis is that puma-dev thinks that the previous CA keypair was actually trusted, but it is not. I previously had a most likely not-fully-installed version of puma-dev 0.2; perhaps that's where the non-functional CA keypair came from.
So is there a way to force `puma-dev -install` to generate a new CA keypair? Or is the root cause possibly a different issue?
Duplicates #84.
There is currently a bug with keychain trust management, tracked in #84. I have a PR drafted (#246) to fix it, but am still trying to get the right level of test coverage. Testing keychain access in CI is brutal.
I suspect the problem is that the CA puma-dev generated has not been properly trusted. To manually trust it:
- Open Keychain Access,
- Find the "Puma-dev CA",
- Hit ⌘+i to open the details panel,
- Select "Trust >",
- Next to Secure Sockets Layer (SSL), select "Never Trust" and then back to "Always Trust."
To remove the generated Puma-dev CA and regenerate a new CA (key and cert), delete the cert and key files (or the whole directory) at `$HOME/Library/ApplicationSupport/io.puma.dev`. This will cause `puma-dev -install` to generate a new CA cert/key. However, I expect it won't be trusted due to #84. Do report back!
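As an added example (not code from the puma-dev project or from anyone in this thread): a small shell helper that does the reset described above in a reversible way, and then checks whether the resulting CA is actually trusted by the macOS trust evaluation, which the "Assuming previously trusted" log line does not verify. It assumes the support directory path quoted above, that the CA lives there as `cert.pem` and `key.pem` (assumed file names), and that `openssl` and the macOS `security` tool are available for the inspection and trust checks; the directory argument exists so the reset can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example, not from the puma-dev project. Assumptions: the CA material
# lives under the support directory named in the thread as cert.pem/key.pem,
# and `openssl` / macOS `security` are on PATH for the inspection functions.

PUMA_DEV_SUPPORT_DIR="${PUMA_DEV_SUPPORT_DIR:-$HOME/Library/ApplicationSupport/io.puma.dev}"

# Move the existing CA directory aside instead of deleting it, so the next
# `puma-dev -install` generates a fresh keypair while the old material can
# still be inspected or restored. Prints the backup path; returns 1 if there
# is nothing to reset.
reset_puma_dev_ca() {
  dir="${1:-$PUMA_DEV_SUPPORT_DIR}"
  [ -d "$dir" ] || { echo "no CA directory at $dir" >&2; return 1; }
  backup="${dir}.bak.$(date +%Y%m%d%H%M%S)"
  mv "$dir" "$backup" || return 1
  printf '%s\n' "$backup"
}

# Print subject, issuer and SHA-256 fingerprint of the CA cert on disk so it
# can be compared against the "Puma-dev CA" entry shown in Keychain Access.
show_puma_dev_ca_identity() {
  cert="${1:-$PUMA_DEV_SUPPORT_DIR}/cert.pem"
  [ -r "$cert" ] || { echo "no cert at $cert" >&2; return 1; }
  openssl x509 -noout -subject -issuer -fingerprint -sha256 -in "$cert"
}

# Ask the macOS trust evaluator whether the CA is trusted for the SSL policy.
# Exit status 0 means trusted; anything else means a browser using the
# Keychain (Safari, Chrome) will still reject certificates it signed.
check_puma_dev_ca_trusted() {
  cert="${1:-$PUMA_DEV_SUPPORT_DIR}/cert.pem"
  [ -r "$cert" ] || { echo "no cert at $cert" >&2; return 1; }
  security verify-cert -c "$cert" -p ssl
}
```

Typical use on a Mac is `reset_puma_dev_ca`, then `puma-dev -install`, then `check_puma_dev_ca_trusted`; if the last step fails, the Keychain trust step from the list above (or the fix tracked in #84) is still needed. Firefox keeps its own trust store, so a passing check here says nothing about Firefox.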
Totally didn't see #84 when searching for this!
Okay, so I got this working but I had to do more than just mark the certificate as trusted. It didn't work until I also moved the cert to the system certs, restarted my browser, and imported the certificate into the firefox authorities.
> Totally didn't see #84 when searching for this!
Understandable. It's super old.
> and imported the certificate into the firefox authorities.
AFAIK Firefox maintains its own trust store. Only Safari and Chrome use the macOS Keychain. So, even with the trust settings working correctly, Firefox won't get "hooked up" by default.