Add ssl command to download mkcert and generate ssl certificates #465
Conversation
Nice start, pretty cool that it works like that. There are a few potential gotchas around the platform installation I've commented on and some linter errors to fix up (some dumb ones but hey).
I think next steps are:
- Add support for reading TLDs to generate certs for from config, default to `altis.dev` and maybe `local` and `localhost` for now
- Update docs, plus FAQ as noted in inline comments
- Run the install and generate subcommands on server start (maybe an option flag or config option to not do this would be useful?)
I'm also thinking in this instance it might be worth punting the code to another class, and making the subcommands into class methods. The same can be said for more of the other commands too so we can maybe refactor at some point. Don't do anything for now, I'm just thinking about code reuse or some of the checks & output.
break; | ||
# Windows | ||
case 'Windows': | ||
$binary_arch = 'windows-amd64.exe'; |
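Review bot: `case 'Windows':` is never reached in the supported setup, because inside WSL `php_uname( 's' )` reports Linux (as noted further down the thread); detect WSL with `Command::is_wsl()` instead and decide explicitly there whether the Linux build or the `windows-amd64.exe` build is wanted, since the thread leaves that question open. Whichever build is chosen, pin the release asset's SHA-256 and verify it before marking the file executable: this binary goes on to install a root CA into the trust store, so a tampered download gives an attacker a working TLS-interception root on the developer's machine.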
Will need to check what the situation with this and WSL is. If you can run .exe from WSL, or global commands from there we might be ok. @missjwo might be able to assist in testing.
Yes, testing cross-platform was supposed to be the next step. I can do that in a VM.
WSL won’t replicate accurately within a VM so far as I know, since it’s a VM itself.
For WSL though, the arch will be Linux because it’s literally a Linux VM you’re running inside of.
If composer is running within WSL, the certificate would be automatically installed to Windows store itself, which is a problem. We'll need to add docs on manually accepting the root CA.
Also, does this mean we do not support Windows itself but rather WSL? (I have not used WSL or Docker on Windows.)
Yeah there was a PR to support windows natively but I think there were some limitations to that. We do have a way to check it’s a WSL environment at least.
You can run .exe files from WSL https://docs.microsoft.com/en-us/windows/wsl/filesystems
Happy to test stuff - just let me know when the PR is ready to be tested and what I should be looking out for.
@shadyvb Correct, only WSL is supported, per https://docs.altis-dxp.com/local-server/windows/
You can execute exe files, yeah; WSL will transparently map execution of those, and execute them. Note though, `php_uname( 's' )` will return Linux because it is Linux. We need to use the `Command::is_wsl()` function to detect WSL, not uname.
Also happy to test with my WSL env, and screenshare as needed.
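The two platform points raised in this exchange, as an added example in Python (not the PR's PHP, which switches on `php_uname( 's' )`, and not part of the local-server project): WSL is detected from the kernel banner in `/proc/version` rather than from the OS name, and the downloaded mkcert binary is checked against a pinned SHA-256 before it is made executable, since it will go on to install a root CA. Assumptions: WSL users get the Linux build (the thread leaves running the `.exe` from WSL open), the asset suffixes follow mkcert's GitHub release naming, and the sample bytes and digest are constructed stand-ins.

```python
"""Platform detection and download verification for the mkcert fetch step.

Added example in Python, not the PR's PHP. Inside WSL uname reports Linux,
so WSL has to be detected from /proc/version rather than the OS name; and
because mkcert installs a root CA into the trust store, the downloaded
binary is compared against a pinned SHA-256 before it is ever executable.
Assumptions: WSL maps to the Linux build, the asset suffixes follow
mkcert's GitHub release naming, and the sample bytes/digest are constructed.
"""
import hashlib
import hmac
import os
import platform
from typing import Optional


def is_wsl(proc_version: Optional[str] = None) -> bool:
    """True under Windows Subsystem for Linux.

    WSL kernels carry 'microsoft' in /proc/version, e.g.
    'Linux version 5.15.90.1-microsoft-standard-WSL2 ...'. Pass the text
    explicitly to test; by default the real file is read (absent on macOS).
    """
    if proc_version is None:
        try:
            with open("/proc/version", encoding="utf-8") as fh:
                proc_version = fh.read()
        except OSError:
            return False
    return "microsoft" in proc_version.lower()


# Release asset suffixes (assumed to follow mkcert's GitHub naming).
_ASSET_SUFFIX = {
    ("linux", "x86_64"): "linux-amd64",
    ("linux", "aarch64"): "linux-arm64",
    ("darwin", "x86_64"): "darwin-amd64",
    ("darwin", "arm64"): "darwin-arm64",
    ("windows", "amd64"): "windows-amd64.exe",
}


def asset_suffix(system: Optional[str] = None, machine: Optional[str] = None,
                 wsl: Optional[bool] = None) -> str:
    """Pick the mkcert build for this host; WSL deliberately maps to the Linux build."""
    system = (system or platform.system()).lower()
    machine = (machine or platform.machine()).lower()
    if wsl is None:
        wsl = system == "linux" and is_wsl()
    if wsl:
        system = "linux"  # uname already says Linux; keep the Linux build (assumption)
    try:
        return _ASSET_SUFFIX[(system, machine)]
    except KeyError:
        raise RuntimeError(f"no mkcert build known for {system}/{machine}") from None


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the download's SHA-256 with the pinned digest."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(),
                               expected_sha256.strip().lower())


def install_binary(data: bytes, expected_sha256: str, dest: str) -> str:
    """Write the verified binary as an owner-only executable and return its path.

    Nothing is written when the digest does not match, so a tampered or
    truncated download never becomes an executable that installs a CA.
    """
    if not verify_download(data, expected_sha256):
        raise ValueError("mkcert download does not match the pinned SHA-256")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o700)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(dest, 0o700)  # the O_CREAT mode is masked by umask; set it explicitly
    return dest


# Constructed stand-ins: in real use the digest is pinned in the installer,
# taken from the release you vetted, not computed from whatever was downloaded.
SAMPLE_BINARY = b"#!/bin/sh\necho mkcert-stand-in\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BINARY).hexdigest()


if __name__ == "__main__":
    print("WSL:", is_wsl(), "asset suffix:", asset_suffix())
    print("digest ok:", verify_download(SAMPLE_BINARY, SAMPLE_SHA256))
```

Whichever side the CA ends up installed on, the browser that opens the site has to trust it; that is the manual root CA acceptance step the thread wants documented for WSL.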
Happy to test on my windows machine. Let me know when the PR is ready to be tested.
@roborourke the domain detection and programmatic generation have been added to #466, does not factor
@shadyvb yeah sorry - I was just looking there and realised that. Also verified what I was thinking about localhost and local - I was incorrect. I've linked to an avahi-daemon container that we may be able to use alongside the traefik proxy. My thinking is if we can support .localhost and maybe .local OOTB and document how to add hosts entries for anything else that might be enough.
We can support ANY TLD when it comes to SSL certificates, if .local / .localhost would alleviate the need for DNS resolution then let's do that, unsure about that though. Either way, outside of the scope here.
Something just occurred to me re. the DNS resolution etc... right now anything `.altis.dev` resolves to 127.0.0.1, including sub sub domains like `foo.bar.altis.dev`.
So - we can keep using `altis.dev` as the default TLD for local dev, but, we can now generate a certificate for it locally rather than having to purchase or update a real one that only works for `*.altis.dev`. Not only can we generate a local cert for `*.altis.dev`, but also for `*.<project>.altis.dev`. Boom, sub sub domains with https, no need to worry about avahi/zeroconf etc etc...
inc/composer/class-command.php
@@ -211,6 +220,8 @@ protected function get_env() : array { | |||
protected function start( InputInterface $input, OutputInterface $output ) { | |||
$output->writeln( '<info>Starting...</>' ); | |||
|
|||
$this->check_ssl_certificate( $input, $output ); |
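Review bot: `check_ssl_certificate()` now runs on every `start` regardless of the module's `secure` setting; the discussion below settles on always generating because Traefik expects the certificate file to exist, so record that reasoning in a comment here. Also make sure a failed download or generation (offline, Codespaces) is reported to the user and does not abort `start`, otherwise a missing mkcert binary blocks the whole server from coming up.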
I don't think we want to do this if the module config has `secure` set to false.
Agreed 👍
Actually, Traefik will still expect the SSL certificate to exist, so it's safer to just generate the file either way.
Ah right. Hmm. That's based on the current static traefik.toml file, right? I was more conscious of this code running on codespaces, not sure if it'll work or not there.
inc/composer/class-command.php
break; | ||
case 'generate': | ||
// TODO figure out how to programmatically detect the domains to use. | ||
$domains = $input->getArgument( 'options' )[1] ?? '*.altis.dev'; |
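Review bot: the fallback `'*.altis.dev'` covers neither `altis.dev` itself nor sub-sub-domains such as `foo.bar.altis.dev`, because a certificate wildcard matches exactly one label; per the discussion below, always include `<project>.<tld>` and `*.<project>.<tld>` plus any configured hosts rather than relying on a single positional argument, which also leaves the separator for multiple domains undefined. If the resulting list is interpolated into the mkcert command line, wrap each name in `escapeshellarg()` so a crafted host entry in the config cannot inject shell syntax.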
I think the default behaviour here should be the following:
- Always generate certs for `<project>.<tld>` and `*.<project>.<tld>` (no harm in them being there by default, even if someone calls the function with other domains, it's better to avoid surprises here IMO than assume someone knows it might be a deleterious action if we don't explicitly call that out)
- Add support for a list of hosts in the config and merge those in by default too, we can document that custom ones must be pointed to localhost
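The domain rules from this comment and from the earlier sub-sub-domain comment (`*.altis.dev` versus `*.<project>.altis.dev`), as an added example in Python rather than the project's PHP; it is not code from the PR. It builds the SAN list the review asks for (`<project>.<tld>`, `*.<project>.<tld>`, the `altis.dev` fallbacks and configured hosts) and applies the single-label wildcard rule browsers use, so you can see which hosts a given certificate would actually cover. Project names, extra hosts and the output file names are constructed placeholders; the `-cert-file` and `-key-file` flags are real mkcert flags.

```python
"""Which names a local dev certificate needs, and which hosts it then covers.

Added example, not code from the local-server PR. It models the default
list the review asks for: <project>.<tld> and *.<project>.<tld>, always
merged with the altis.dev / *.altis.dev fallbacks and any configured extra
hosts. The wildcard rule is the one browsers apply (RFC 6125 section 6.4.3):
'*' stands for exactly one DNS label, so *.altis.dev does not cover
foo.bar.altis.dev but *.bar.altis.dev does. Project names, host lists and
output file names below are constructed placeholders.
"""
from typing import Iterable, List, Optional


def cert_domains(project: str, tld: str = "altis.dev",
                 extra_hosts: Iterable[str] = ()) -> List[str]:
    """Return the deduplicated, lower-cased SAN list to hand to mkcert."""
    names = [
        tld, f"*.{tld}",                           # default TLD keeps working for other projects
        f"{project}.{tld}", f"*.{project}.{tld}",  # always present, per the review
    ]
    names.extend(h.strip() for h in extra_hosts)   # hosts from config (placeholder source)
    out: List[str] = []
    for name in names:
        name = name.lower()
        if name and name not in out:
            out.append(name)
    return out


def wildcard_matches(pattern: str, host: str) -> bool:
    """Single-label wildcard match as applied to certificate SANs."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False    # partial wildcards such as f*.altis.dev are refused
    if len(p_labels) < 3:
        return False    # *.dev would cover a whole public suffix; refuse
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covering_name(host: str, sans: Iterable[str]) -> Optional[str]:
    """Return the first SAN entry that covers host, or None if the cert would not work."""
    for san in sans:
        if wildcard_matches(san, host):
            return san
    return None


def mkcert_args(project: str, tld: str = "altis.dev", extra_hosts: Iterable[str] = (),
                cert_file: str = "cert.pem", key_file: str = "key.pem") -> List[str]:
    """Build the mkcert argv; -cert-file / -key-file are real mkcert flags.

    Returned as a list so callers hand it to subprocess.run without a shell,
    which keeps configured host names away from shell parsing altogether.
    """
    return ["mkcert", "-cert-file", cert_file, "-key-file", key_file,
            *cert_domains(project, tld, extra_hosts)]


if __name__ == "__main__":
    sans = cert_domains("myproject", extra_hosts=["shop.test"])
    print("SANs:", sans)
    for host in ("myproject.altis.dev", "foo.myproject.altis.dev",
                 "foo.bar.altis.dev", "shop.test", "api.shop.test"):
        print(f"{host:28} -> {covering_name(host, sans)}")
```

`covering_name` returning `None` for `foo.bar.altis.dev` against a `*.altis.dev`-only certificate is exactly the failure the sub-sub-domain comment above is about; adding `*.bar.altis.dev` (the `*.<project>.<tld>` default) fixes it without touching DNS.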
Agreed 👍
Traefik will need to know about the extra domains too 🤔
Added the extra domains support to nginx ⬆️
Also added the configured domain(s) to the domains within the `generate()` command as discussed, also `altis.dev` and `*.altis.dev`.
@roborourke there is a dilemma here, when the site name is changed in Related to the custom domain configuration rather than SSL.
Related to the above ^, we can instruct people to destroy containers before changing domains, so we don't have to programmatically do that (we do have a reference to the previous domain, but don't think it's worth the effort).
Ah, another issue, since we're generating Traefik's certificate based on the project parameters (name, tld, extra domains), the resulting certificate won't really work for other projects (other local-server instances running on the same host), so it'll stop working there IF they're not using the default altis.dev (which is included in certificate generation now).
Not on the proxy itself, but on containers, i.e. you put the domains as labels on web containers, and then query them while regenerating the certificate via something like
.. same can be done if we decide to manage the hosts entry automagically as well, we'd have the list of domains that needs to be added.
Added a notice about missing hosts entries with a full line to copy/paste into /etc/hosts. Next:
One very minor suggestion to just return the exit codes versus using `exit( 1 );` but it's up to you, the result is exactly the same.
This is really thorough, well thought out and makes this feature about as helpful for devs as it can possibly be. Great work bud
Further actions:
You may find that file sharing performance or server response times are slower than you would like on Windows or MacOS. Local Server provides an experimental integration with [Mutagen](https://mutagen.io/) to resolve this. | ||
|
||
See the [Mutagen set up guide for detailed instructions on how to install and run it](./mutagen-file-sharing.md). | ||
|
||
#### Subdomain and Custom domains in multisites |
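Review bot: the new `#### Subdomain and Custom domains in multisites` heading lands in the experimental section right after the Mutagen note; since certificate generation has to work for the default TLD, keep only the custom-domain and Codespaces material under experimental and put the mkcert flow, including how to trust the root CA manually from WSL as raised above, in the main setup docs.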
Do we want this under experimental features? Custom domains / codespaces perhaps but I think the SSL stuff itself doesn't need to be considered experimental as we need it to work for the default TLD at the very least.
It's experimental in the sense that it is tied to custom domains which is experimental 🤔
Ah, and we might want to remove it altogether in favor of Traefik managing it on its own, given the centralization needed. I'm writing the issue around that that would explain my suggested approach.
See #475
I think it’s fine to not list it as experimental personally, codespaces definitely will be to start with
@roborourke Updated docs in 2f11c98 , should be ready for a final review.
ref https://github.com/humanmade/product-dev/issues/987