SSL certificates can cause problems #16

Open
alwaysblank opened this issue Jul 21, 2022 · 3 comments

@alwaysblank
Contributor

In my case, after setting up local-vip and running the `cert-build` command as described in the README, I was unable to access my site: all browsers returned an `ERR_SSL_UNRECOGNIZED_NAME_ALERT`.

The altis-proxy docker container was also throwing errors like this:

```
21T19:54:25Z" level=error msg="Unable to add a certificate to the entryPoint \"https\" : unable to generate TLS certificate : tls: private key does not match public key"
time="2022-07-21T19:54:25Z" level=error msg="failed to load X509 key pair: tls: private key does not match public key"
```

Ultimately the following steps solved the problem for me but they are not really generalizable at this time:

  1. edit `vendor/humanmade/local-vip/.bin/build-cert.sh` to remove the line `mv ${DOMAIN}.crt ${PWD}/${DOMAIN}.crt` because it attempts to move a file to itself, an action which fails and halts the entire script
  2. run `bash .bin/build-cert.sh nxs.local`
  3. import the resulting `vendor/humanmade/local-vip/nxs.local.crt` into my OS via Keychain Access, and then tell my system to trust it
  4. stop and restart my server and the altis-proxy docker container

This was caused by a couple things:

  • The repo does not ship with any domain-specific keys
  • It has instructions for adding keys generated by the above bash command
  • This can lead to a situation where the wrong keys are imported (if the proxy isn't restarted)
  • This whole process is very messy if it needs to be done every time someone instantiates local-vip for a new project

local-server more or less "just works" and creates every project on altis.dev (from my recollection--I may be wrong) so potentially this should be modified to do the same, with instructions for how to deviate from that, if necessary (and ideally with a more streamlined process).

My understanding is that the proxy and traefik can be used for this, but my grasp of both those things is very limited.

Additionally, the script to build certs contains direct references to Nexstar. So far as I can tell these don't cause any problems on their own, but they should probably be removed.

@alwaysblank alwaysblank added the bug Something isn't working label Jul 21, 2022
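
Added example, not part of the issue thread or the local-vip code: the `tls: private key does not match public key` message in the proxy log above is the error Go's `crypto/tls` returns from `tls.X509KeyPair`, so the same call can check a certificate/key pair before the proxy is restarted. The certificates here are generated in memory for `nxs.local` (constructed sample data), and `selfSigned` and `checkPair` are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// selfSigned returns a throwaway self-signed cert and key for domain (constructed sample data).
func selfSigned(domain string) (certPEM, keyPEM []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{domain},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), err
}

// checkPair loads the pair with Go's crypto/tls and confirms the certificate covers domain.
func checkPair(certPEM, keyPEM []byte, domain string) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return err // a stale key fails here: "tls: private key does not match public key"
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	return leaf.VerifyHostname(domain)
}

func main() {
	cert, key, _ := selfSigned("nxs.local")
	_, stale, _ := selfSigned("nxs.local") // key left over from an earlier run
	fmt.Println("fresh pair:", checkPair(cert, key, "nxs.local"))
	fmt.Println("stale key: ", checkPair(cert, stale, "nxs.local"))
}
```

To check real files, read the `.crt` and `.key` with `os.ReadFile` and pass the bytes to `checkPair`.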
@alwaysblank
Contributor Author

Relevant Slack thread: https://hmn.slack.com/archives/C03K3J34A/p1658433975359989

@roborourke
Contributor

You need the proxy container to have the necessary certs, and you therefore probably can't run an Altis project at the same time as a local-vip one unless you're using the altis.dev TLD for it.

It is probably worth trying to port across the changes from these 2 PRs to add mkcert support for handling HTTPS with custom domains and TLDs easily:

The new SSL command is available in the Altis v12 beta currently, or master branch of altis/local-server.

@alwaysblank
Contributor Author

This is technically still "open" until 2.0 is released.

@alwaysblank alwaysblank reopened this Aug 8, 2022