
mkcert's Introduction

Mkcert

mkcert.org is a web service that allows you to build customised TLS trust stores.

Currently mkcert is just an API with no pretty frontend. That's in the works.

API

mkcert has the following endpoints:

GET /labels/

Returns a JSON object containing one key (Certificates) whose value is a list of all the certificate labels in the default trust store. Each of the items in the list can be passed to the other API endpoints to refer to a certificate.

GET /generate/<certs>

Builds a PEM file containing only the root certificates specified. The format of <certs> is a +-separated string. This string will be used to perform 'fuzzy-ish' matching to certificate labels. For example, if one of your <certs> strings is comodo, any label that contains the sequence of characters comodo (case-insensitively) will match.

Therefore, to build a .pem file that contains any GeoTrust certificate and any QuoVadis certificate, you would issue a GET request to /generate/geotrust+quovadis

The response to this request has the body formatted exactly like a .pem file, suitable for saving immediately.

GET /generate/all/except/<certs>

Builds a PEM file containing all root certificates except the root certificates specified. The format of <certs> is a +-separated string. This string will be used to perform 'fuzzy-ish' matching to certificate labels. For example, if one of your <certs> strings is comodo, any label that contains the sequence of characters comodo (case-insensitively) will match.

Therefore, to build a .pem file that contains everything but any GeoTrust certificates and any QuoVadis certificates, you would issue a GET request to /generate/all/except/geotrust+quovadis.

The response to this request has the body formatted exactly like a .pem file, suitable for saving immediately.

POST /generate/

Builds a PEM file containing only the root certificates specified. The root certs are specified in the request body. The format of the request body is a JSON list of exact labels to include. That is, to generate a .pem file that contains only the "GeoTrust Global CA" and the "QuoVadis Root CA", you would POST the following body:

["GeoTrust Global CA", "QuoVadis Root CA"]

The response to this request has the body formatted exactly like a .pem file, suitable for saving immediately.

POST /generate/all/except/

Builds a PEM file containing all but the root certificates specified. The root certs are specified in the request body. The format of the request body is a JSON list of exact labels to exclude. That is, to generate a .pem file that contains all the certs except the "GeoTrust Global CA" and the "QuoVadis Root CA", you would POST the following body:

["GeoTrust Global CA", "QuoVadis Root CA"]

The response to this request has the body formatted exactly like a .pem file, suitable for saving immediately.
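The selection rules of the four endpoints above, modelled in Python. This is an example added here by the editor, not mkcert's own server code. SAMPLE_LABELS is a constructed stand-in for the list that GET /labels/ returns, and two details are assumptions the README does not settle: empty fuzzy terms (as in "geotrust+") are ignored, and a POST body naming a label that is not in the store is rejected rather than silently skipped.

```python
import json
from urllib.parse import quote

# Constructed stand-in for the "Certificates" list returned by GET /labels/;
# not a live response from mkcert.org.
SAMPLE_LABELS = [
    "GeoTrust Global CA",
    "GeoTrust Primary Certification Authority",
    "QuoVadis Root CA",
    "QuoVadis Root CA 2",
    "COMODO RSA Certification Authority",
    "DigiCert Global Root CA",
]


def fuzzy_select(labels, certs, invert=False):
    """Model of GET /generate/<certs> (invert=False) and
    GET /generate/all/except/<certs> (invert=True).

    `certs` is the +-separated path segment.  A label matches when it
    contains any term as a case-insensitive substring.  Empty terms
    (e.g. from "geotrust+") are ignored here, because an empty string
    would otherwise match every label; that is this example's choice,
    the README does not say how the service treats them.
    """
    terms = [t.lower() for t in certs.split("+") if t]
    matched = {lbl for lbl in labels if any(t in lbl.lower() for t in terms)}
    return [lbl for lbl in labels if (lbl in matched) != invert]


def exact_select(labels, body, invert=False):
    """Model of POST /generate/ (invert=False) and
    POST /generate/all/except/ (invert=True).

    `body` is the JSON request body: a list of exact labels.  Labels that
    are not in the store are rejected instead of skipped, so a typo cannot
    quietly shrink the resulting trust store.  The rejection is this
    example's choice, not documented service behaviour.
    """
    wanted = json.loads(body)
    if not isinstance(wanted, list) or not all(isinstance(w, str) for w in wanted):
        raise ValueError("request body must be a JSON list of label strings")
    unknown = set(wanted) - set(labels)
    if unknown:
        raise ValueError(f"labels not in trust store: {sorted(unknown)}")
    wanted = set(wanted)
    return [lbl for lbl in labels if (lbl in wanted) != invert]


def generate_url(terms, invert=False, base="https://mkcert.org"):
    """Build the GET URL for a list of fuzzy terms.

    Each term is percent-encoded on its own (safe="" so that '/' is encoded
    too), then joined with the literal '+' separator the API expects.
    """
    path = "/generate/all/except/" if invert else "/generate/"
    return base + path + "+".join(quote(t, safe="") for t in terms)


if __name__ == "__main__":
    print(generate_url(["geotrust", "quovadis"]))
    for lbl in fuzzy_select(SAMPLE_LABELS, "geotrust+quovadis"):
        print("include:", lbl)
    for lbl in exact_select(SAMPLE_LABELS, '["GeoTrust Global CA", "QuoVadis Root CA"]', invert=True):
        print("keep (except mode):", lbl)
```

The fuzzy form is convenient from a shell but coarse: "comodo" pulls in every label containing that substring, so when the exact set of roots matters, use the POST form and check the returned bundle against the labels you asked for.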

License

mkcert.org is made available under the Apache 2.0 License. See LICENSE for more details.

mkcert's People

Contributors

lukasa, mac-chaffee, shazow, sigmavirus24


mkcert's Issues

Fixup some label parsing

Some of our label parsing produces weird outputs. From /labels/, we have "T\\xc3\\x9c\\x42\\xC4\\xB0TAK UEKAE K\\xC3\\xB6k Sertifika Hizmet Sa\\xC4\\x9Flay\\xc4\\xb1\\x63\\xc4\\xb1s\\xc4\\xb1 - S\\xC3\\xBCr\\xC3\\xBCm 3". That doesn't look quite right to me.

Add Google's CA?

Looks like the certs are missing Google's CA?

import requests
from urllib.request import urlretrieve  # Python 3; on Python 2.7 this was urllib.urlretrieve

# download the full mkcert bundle, then verify against it alone
urlretrieve("https://mkcert.org/generate/", "cacert.pem")
# the CA file must go in verify=; the second positional argument of requests.get is params
r = requests.get('https://google.com', verify='cacert.pem')

Throws:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 433, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

mkcert.org is down

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='mkcert.org', port=443): Max retries exceeded with url: /generate/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f4d2e903710>: Failed to establish a new connection: [Errno 110] Connection timed out',)) 

GET /generate/ is not ASCII text

Could you please provide an API to fetch cadata with comments removed?
Some comments in the downloaded file are not ASCII text.
I understand that generally this is not a problem, but as for me, I can't pass the content of the generated file into the python module pycurl:

import pycurl

# cadata - string with content of downloaded file
with open("cacert.pem") as f:
    cadata = f.read()
c = pycurl.Curl()
c.set_ca_certs(cadata)

full example - https://github.com/pycurl/pycurl/blob/master/tests/cadata_test.py
pycurl.set_ca_certs (this method appeared in pycurl in version 7.43.0.1)

Pin Mozilla's cert

We don't want to expose ourselves to the NSA MITM-ing us. We should pin Mozilla's cert.

Alias labels to something hand-typable

%20-separating things is a pain, especially if I'm going to hand-wget things from CLI.

Better: case-insensitive - or _ separated names. GeoTrust%20Global%20CA+QuoVadis%20Root%20CA -> geotrust-global-ca+quovadis-root-ca

Best: fuzzy-matched names.
GeoTrust%20Global%20CA+QuoVadis%20Root%20CA -> geotrust+quovadis

mkcert.org is down

mkcert.org is down and showing certificate warnings.
The certificate on it is now for ispapi.net

EC-ACC shouldn't be trusted for certificates issued after 2019

The EC-ACC CA certificate shouldn't be trusted for certificates issued after 2019, as noted in https://bugzilla.mozilla.org/show_bug.cgi?id=1621159

With newer cURL's mk-ca-bundle.pl, the EC-ACC certificate is ignored on the basis that it cannot be used any more for signing server certificates since 2019, mostly because this policy cannot be expressed in a simple bundle of CA certificates in PEM format.

See curl/curl#8411, in particular curl/curl#8411 (comment) and the following comments.

So the CA certificate bundle made available by the cURL project at https://curl.se/docs/caextract.html doesn't contain EC-ACC anymore.
But the bundle from https://mkcert.org/ still has it.

I believe it should be safe to be as strict as cURL's mk-ca-bundle.pl and have certificates such as EC-ACC distrusted as a result.

More detail on this CA can be found at https://crt.sh/?CAID=77
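The two requests raised in the issues above, a comment-free ASCII bundle that pycurl's set_ca_certs() will accept and the removal of a root such as EC-ACC that a PEM bundle cannot otherwise constrain, handled client-side in Python. This is an example added here by the editor, not code from mkcert, pycurl, cURL or either reporter. SAMPLE_BUNDLE is constructed: its label-plus-underline layout is the Mozilla/curl bundle convention, and whether mkcert.org's output uses the same layout is an assumption; the certificate bodies are placeholder base64, not real certificates.

```python
import base64

# Constructed sample bundle, laid out like the Mozilla/curl CA bundles: a
# label line and an '=' underline precede each certificate.  That mkcert.org
# uses this exact layout is an assumption, and the certificate bodies are
# placeholder base64, not real certificates.
SAMPLE_BUNDLE = """\
# Constructed sample; not downloaded from mkcert.org

GeoTrust Global CA
==================
-----BEGIN CERTIFICATE-----
MIIBAAAA
-----END CERTIFICATE-----

EC-ACC
======
-----BEGIN CERTIFICATE-----
MIIBBBBB
-----END CERTIFICATE-----

TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
========================================================
-----BEGIN CERTIFICATE-----
MIIBCCCC
-----END CERTIFICATE-----
"""

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_bundle(text):
    """Split a PEM bundle into (label, pem_block) pairs.

    The label is the last non-empty, non-comment, non-underline line seen
    before each BEGIN marker (None if there was none).  Each block's base64
    body is decoded with validate=True so a truncated or corrupted
    certificate is reported instead of being passed on to a TLS library.
    """
    entries, label, block = [], None, None
    for line in text.splitlines():
        if line == BEGIN:
            block = [line]
        elif block is not None:
            block.append(line)
            if line == END:
                base64.b64decode("".join(block[1:-1]), validate=True)
                entries.append((label, "\n".join(block) + "\n"))
                block, label = None, None
        else:
            s = line.strip()
            if s and not s.startswith("#") and set(s) != {"="}:
                label = s
    if block is not None:
        raise ValueError("bundle ends inside a certificate block")
    return entries


def to_ascii_cadata(entries):
    """Join the bare PEM blocks, dropping every comment line, so the result
    is pure ASCII and can be handed to APIs such as pycurl's set_ca_certs()."""
    data = "".join(pem for _, pem in entries)
    data.encode("ascii")  # raises UnicodeEncodeError if a block is not ASCII
    return data


def drop_labels(entries, distrusted):
    """Remove the certificates whose label is in `distrusted`.

    This is the client-side equivalent of /generate/all/except/ and is the
    only control a plain PEM bundle offers: it cannot express a rule such as
    "distrust certificates issued after 2019", only all-or-nothing removal.
    Unknown labels are rejected so a misspelling does not silently keep a
    root you meant to drop.
    """
    unknown = set(distrusted) - {lbl for lbl, _ in entries}
    if unknown:
        raise ValueError(f"labels not present in bundle: {sorted(unknown)}")
    return [(lbl, pem) for lbl, pem in entries if lbl not in distrusted]


def count_certs(pem_text):
    """Number of certificate blocks in a PEM string."""
    return pem_text.count(BEGIN)


if __name__ == "__main__":
    entries = parse_bundle(SAMPLE_BUNDLE)
    kept = drop_labels(entries, {"EC-ACC"})
    cadata = to_ascii_cadata(kept)
    print(count_certs(cadata), "certificates, ASCII only:", cadata.isascii())
```

Run against a real download, count_certs() on the input and output is the quick check that the filter removed exactly the roots you named and nothing else; the base64 validation in parse_bundle() is what turns a truncated download (see the outage reports on this page) into an error rather than a trust store that is silently short.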

GET https://mkcert.org/labels/ ==> 404

This isn't a bug in the mkcert.org service code, but rather a report of service outage in the https://mkcert.org API.

HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
Server: Caddy
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Clacks-Overhead: GNU Terry Pratchett
X-Content-Type-Options: nosniff
Date: Fri, 06 Dec 2019 03:38:28 GMT
Content-Length: 14

404 Not Found

This is the documented interface. I looked in the code and the code still seems to have the logic that responds to this. And it works as advertised when I download it and run it from my machine.
