pebble/test/certs
Daniel McCarney 4483d8f251 Use HTTPS w/ miniCA PKI for Pebble ACME API. (#65)
This commit adds a root certificate & an issued end-entity certificate
(plus accompanying private keys) for the Pebble API. By default the EE
cert has SANs for `127.0.0.1`, `pebble`, and `localhost`. READMEs are
added to explain the cert generation & **DANGER** around adding the CA
to a prod trust store. Pebble's default config is updated to use the EE
cert & the `pebble` command now invokes `http.ListenAndServeTLS`.

This will make Pebble a better test server since the ACME specification [says](https://tools.ietf.org/html/draft-ietf-acme-acme-08#section-6.1):
> Use of HTTPS is REQUIRED.

Resolves https://github.com/letsencrypt/pebble/issues/63
2017-12-06 12:35:59 -08:00
Files in this directory (all added by this commit):

localhost
README.md
pebble.minica.key.pem
pebble.minica.pem

README.md

certs/

This directory contains a CA certificate (pebble.minica.pem) and its private key (pebble.minica.key.pem) that are used to issue an end-entity certificate (see certs/localhost) for the Pebble HTTPS server.

To get your testing code to use Pebble without HTTPS errors, configure your ACME client to trust the pebble.minica.pem CA certificate. Your ACME client should offer a runtime option to specify a list of root CAs; include the pebble.minica.pem file in that list.

Do not add this CA certificate to the system trust store or in production code!!! The CA's private key is public and anyone can use it to issue certificates that will be trusted by a system with the Pebble CA in the trust store.
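The two paragraphs above describe the right way to trust the Pebble CA: scope it to the one client that talks to Pebble, never to the system store. The Go program below is an added example (it is not Pebble's own code) of what that looks like in practice: `NewPebbleClient` builds an `http.Client` whose only root is the CA PEM it is given, and `FetchOverTLS` shows that the same client accepts a server certificate chained to that CA and rejects one that is not. Because the contents of `pebble.minica.pem` are not reproduced here, the program generates a throwaway CA in memory (`NewTestCA`) and issues a server certificate with the same SANs as `test/certs/localhost`; those, the `/dir` response body and all function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)

// NewPebbleClient returns an http.Client that trusts only the CA certificates
// in caPEM (for example the bytes of test/certs/pebble.minica.pem). The system
// trust store is deliberately not consulted, so the Pebble CA never has to be
// installed system-wide.
func NewPebbleClient(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM input")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}, nil
}

// NewTestCA generates a throwaway self-signed CA in memory: a constructed
// stand-in for pebble.minica.pem / pebble.minica.key.pem so this runs offline.
func NewTestCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// IssueServerCert issues an end-entity certificate signed by the CA with the
// same SANs minica puts on test/certs/localhost: localhost, pebble, 127.0.0.1.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames: []string{"localhost", "pebble"}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// FetchOverTLS serves a minimal /dir endpoint over TLS with serverCert on a
// loopback port and fetches it with a client that trusts only caPEM. It
// returns the HTTP status, or the TLS verification error from the client.
func FetchOverTLS(caPEM []byte, serverCert tls.Certificate) (int, error) {
	client, err := NewPebbleClient(caPEM)
	if err != nil {
		return 0, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/dir", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"newNonce":"/nonce-plz"}`) // constructed stand-in for Pebble's directory
	})
	srv := &http.Server{Handler: mux, TLSConfig: &tls.Config{Certificates: []tls.Certificate{serverCert}}}
	go srv.ServeTLS(ln, "", "") // empty file names: certificates come from TLSConfig
	defer srv.Close()

	resp, err := client.Get("https://" + ln.Addr().String() + "/dir")
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	ca, caKey, caPEM, _ := NewTestCA("Pebble test CA (constructed)")
	cert, _ := IssueServerCert(ca, caKey)
	fmt.Println(FetchOverTLS(caPEM, cert)) // 200 <nil>
	_, _, otherPEM, _ := NewTestCA("unrelated CA")
	_, err := FetchOverTLS(otherPEM, cert)
	fmt.Println("client trusting a different CA:", err) // non-nil: chain does not reach a trusted root
}
```

In a real test suite you would replace `NewTestCA` with `os.ReadFile("test/certs/pebble.minica.pem")` and point the client at Pebble's listener; the important part is `RootCAs: pool`, which limits the trust decision to that one file instead of the process-wide store.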

To re-create all of the Pebble certificates, run the following from the test/certs/ directory after installing MiniCA:

```shell
minica -ca-cert pebble.minica.pem \
       -ca-key pebble.minica.key.pem \
       -domains localhost,pebble \
       -ip-addresses 127.0.0.1
```