How to get a letsencrypt dev certificate on a mac
For a number of my projects, I purchase a .dev domain for local development. I configure DNS to point to 127.0.0.1 or similar.
Most of the time I can get away with using a self-signed certificate, which I generate using the following commands:
Generating a self-signed certificate
This generates a wildcard certificate for *.domain.dev as well as the bare domain domain.dev.
Things to change if you’re going to use this for your own projects:
- paths that make sense for your project (I’m using priv/cert/ from my project root)
- C=ZA/ST=Gauteng/O=ProjectName to your country, state, organisation and common name
- domain.dev to your domain (everywhere)
- your own CA key and certificate, which needs to be loaded into the system keychain
```bash
mkdir -p priv/cert/
# Server private key
openssl genrsa -out priv/cert/server.key 2048
# CSR with a SAN section appended to the system openssl.cnf (macOS path),
# so both domain.dev and *.domain.dev end up in the request
openssl req -new -sha256 \
  -key priv/cert/server.key \
  -subj "/C=ZA/ST=Gauteng/O=ProjectName/CN=*.domain.dev" \
  -reqexts SAN -extensions SAN -config <(cat /private/etc/ssl/openssl.cnf \
    <(printf '[SAN]\nsubjectAltName=@alt_names\n\n[alt_names]\nDNS.1 = domain.dev\nDNS.2 = *.domain.dev')) \
  -out priv/cert/server.csr
# Sign the CSR with your own CA. The SANs are supplied again here because
# `x509 -req` does not copy extensions from the CSR by default
openssl x509 -req \
  -extfile <(printf "subjectAltName=@alt_names\n\n[alt_names]\nDNS.1 = domain.dev\nDNS.2 = *.domain.dev") \
  -in priv/cert/server.csr \
  -CA ~/.ssh/myCA.pem -CAkey ~/.ssh/myCA.key -CAcreateserial \
  -days 397 -sha256 \
  -out priv/cert/server.crt
```
This works fine for most of my projects, but for a few I need a proper SSL certificate.
Generating a LetsEncrypt certificate
For some things, you need a certificate with a trusted root CA.
Typically, I would just SSH onto one of my Linux servers and generate a certificate there, then copy it back to my Mac. It’s not too tedious because each certificate from LetsEncrypt lasts 3 months.
Last night, I decided that there must be a way to do it directly on my Mac. I use Cloudflare, so I can use DNS validation, which means no web server needs to be running for this to work. (You could also do it with manual DNS validation.)
Install certbot (this is the easy part):

```bash
brew install certbot
```
But then you can’t just install the Cloudflare plugin via Homebrew. You have to install it via pip, but Homebrew’s certbot has its own virtual environment.
This is how to install the Cloudflare plugin into that virtual environment (from this issue):

```bash
$(brew --prefix certbot)/libexec/bin/python -mpip install certbot-dns-cloudflare
```
Update
When I tried to update a previous certificate, I had errors with upgrading the acme package. This worked:
```bash
$(brew --prefix certbot)/libexec/bin/python -mpip install certbot-dns-cloudflare --ignore-installed
```
Before you create the certificate, create a ~/.cloudflare.ini file containing a Cloudflare API token that is allowed to edit DNS for the zone:

```ini
dns_cloudflare_api_token=<your token>
```
This is the command to generate the certificate:

```bash
sudo certbot certonly --agree-tos -m '<your email>' \
  -d '<your domain>' -d '*.<your domain>' \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.cloudflare.ini \
  --dns-cloudflare-propagation-seconds 30 \
  --preferred-challenges dns-01
```
You can then find the certificate and key files in /etc/letsencrypt/live/<your domain>/: cert.pem, chain.pem, fullchain.pem, and privkey.pem.
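As an added example (not code from the original post), here is a small POSIX shell wrapper around the steps above: it writes the credentials file so only the owner can read it, refuses to run certbot if the file is readable by other users, and then checks that the issued certificate names both the apex and the wildcard and is not close to expiry. It assumes the Homebrew certbot and the Cloudflare plugin are installed as described; the function names, the `--issue` usage and the 14-day threshold are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the certbot steps with the
# checks a practitioner wants. Assumes macOS (BSD stat) or Linux (GNU stat) and
# Homebrew certbot with certbot-dns-cloudflare installed as described above.
set -eu

# Write the credentials file owner-only. certbot warns if other users can read
# it, and the token it holds can edit DNS records for the whole zone.
write_cloudflare_ini() {
  ini="$1"; token="$2"
  ( umask 077; printf 'dns_cloudflare_api_token=%s\n' "$token" > "$ini" )
  chmod 600 "$ini"
}

# Succeed only if the file is readable by its owner alone (mode 600 or 400).
ini_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Same certbot invocation as the post, refusing to run on a loosely permissioned file.
issue_cert() {
  domain="$1"; email="$2"; ini="$3"
  ini_is_private "$ini" || { echo "refusing: $ini is readable by other users" >&2; return 1; }
  sudo certbot certonly --agree-tos -m "$email" \
    -d "$domain" -d "*.$domain" \
    --dns-cloudflare --dns-cloudflare-credentials "$ini" \
    --dns-cloudflare-propagation-seconds 30 \
    --preferred-challenges dns-01
}

# Read a PEM certificate on stdin; confirm it names both the apex and the
# wildcard and has more than 14 days left. Nonzero exit means renew or fix names.
check_cert() {
  domain="$1"; pem=$(cat)
  san=$(printf '%s\n' "$pem" | openssl x509 -noout -text | grep -A1 'Subject Alternative Name') || return 1
  echo "$san" | grep -q "DNS:$domain" || return 1
  echo "$san" | grep -q "DNS:\*\.$domain" || return 1
  printf '%s\n' "$pem" | openssl x509 -noout -checkend $((14 * 86400))
}

# Usage: sh cert.sh --issue domain.dev you@example.com ~/.cloudflare.ini
if [ "${1:-}" = "--issue" ]; then
  issue_cert "$2" "$3" "$4"
  sudo cat "/etc/letsencrypt/live/$2/fullchain.pem" | check_cert "$2"
fi
```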