
Comments (5)

tgalopin commented on September 26, 2024

Hello!

That looks like an interesting idea, I'll experiment with it. I'll get back to you when I have a clear opinion on this :).

Thanks for the feedback!

from acmephp.

tgalopin commented on September 26, 2024

Hello @c33s,

I read the link and I think the best way to achieve what you want is to use boulder, the self-hosted Let's Encrypt server. AcmePHP is able to access any server speaking the ACME protocol, so you will be able to request certificates using it.

In my opinion, AcmePHP testing CA (https://github.com/acmephp/testing-ca) is what you need: it's a standalone docker image to run your own version of Let's Encrypt easily. There are two possible ways to use it:

  1. As a temporary testing tool, as we do in the AcmePHP test suite: when you want to issue false certificates, you start a container, issue the certificate and stop it right after. The issued certificate will be the exact same as the Let's Encrypt one except for the fact that it will be self-signed.
  2. As a real private certificate authority, in which case you could add the root certificate of your AcmePHP CA instance to all the machines you have, so you could easily create private, trusted certificates without trouble.

Don't hesitate to ask me if you have questions about this :) .

from acmephp.

c33s commented on September 26, 2024

first of all thank you for this awesome project!
coming from php/symfony i love having such a cool php implementation of the letsencrypt client.

back to topic: when i think about having to set up all this stuff i feel it's really overkill for me. having a vagrant box which uses virtualbox and which is spinning up one machine (in my case a simple php hosting machine) where i also wrote the puppet code to create web user accounts.

there is some piece of puppetcode which execs acmephp and verifies that everything works but if the letsencrypt server isn't able to answer, which he isn't because i am behind a company firewall where i can't do a nat to my local machine for this domain (which also would require that i have access to the domain management to point the domain to the ip of my company but the domain points to the customers ip)

solutions:

1.) setup the acmephp test suite inside my hosting machine
2.) add some hooks to vagrant to also spin up a docker machine
3.) setup a multibox vagrant file to spin up a 2nd vagrant machine to play acmephptest
4.) add a --create-local-cert-with-openssl flag to acmephp

ad 1) this would add a lot of conflicting stuff in the machine and also require to create a switch in the puppetcode to detect if it's inside vagrant or not. but i want to test the puppetcode and not add the switch inside there.

ad 2) possible but here i also have to add different configs to correctly map the domain name of letsencrypt to the private lan ip for my ca server. also i see a lot of work to get vagrant and docker cleanly work together (on a windows machine. it's often not that easy to get docker up and running)

ad 3) also possible but comparable with 2). and a multibox vagrant setup which also requires stronger development machines with more ram... slower development because of the overhead of the 2nd machine... (also fits into 2)

ad 4) for me personally encapsulating it in the acmephp client would be awesome. setting environment variables or calling it with the console flag is no external overhead and if acmephp calls the command line openssl or uses the internal lib to create a self signed certificate, this would be really helpful.

what do you think about it?

from acmephp.
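
The local-certificate fallback asked for in option 4, combined with the "private certificate authority" use described earlier in the thread, can be sketched with plain `openssl`. This is an added example, not part of the thread and not AcmePHP code; the function names, file layout, validity periods and `*.example.test` hosts are assumptions.

```shell
#!/bin/sh
# Added example (not AcmePHP code): a throwaway private CA for a dev box.
# File names, lifetimes and *.example.test hosts are constructed placeholders.
set -eu

# write_cnf DIR: minimal config so results do not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1/dev.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_dev_ca DIR: create the root key and the self-signed root certificate.
make_dev_ca() {
  mkdir -p "$1" && write_cnf "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/dev.cnf" \
    -subj "/CN=Dev Test Root CA" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  chmod 600 "$1/ca.key"   # whoever holds this key can mint certs the dev boxes trust
}

# issue_leaf DIR DOMAIN: key + CSR, then a server cert signed by the dev root.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/dev.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf '%s\n' "basicConstraints = CA:FALSE" \
    "keyUsage = critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage = serverAuth" "subjectAltName = DNS:$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 7 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
  chmod 600 "$1/$2.key"
}

# verify_leaf CA_PEM LEAF_PEM HOSTNAME: chain and hostname check, as a TLS client does.
verify_leaf() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
```

Only `ca.pem` goes into the trust store of the development machines; `ca.key` stays on the box that issues certificates, and short lifetimes keep a leaked dev root from being useful for long.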

tgalopin commented on September 26, 2024

I'm sorry I did not answer you, please don't hesitate to ping me if you need more help.

from acmephp.

jderusse commented on September 26, 2024

If you're talking about the root certificate, it's used in the test https://github.com/acmephp/acmephp/blob/master/tests/run.sh#L8-L25

from acmephp.
