Mix phx.gen.cert for wildcard certs

I’m creating a white-label site for Elixir user groups.

One of the main ideas is that I want to subdomain each user group, i.e., I own elixir.group and I want to set up a group as pdx.elixir.group.

I’ve been able to successfully set up self-signed certs for just a single domain locally via mix phx.gen.cert, which FYI is awesome! But I’m having a hard time trying to get a wildcard cert working. Any pointers?

Has anyone else been able to successfully do this locally?

It works for me:

$ mix phx.new wildcard --no-ecto --no-webpack
* creating wildcard/config/config.exs
* creating wildcard/config/dev.exs
[...snip...]
$ cd wildcard
$ mix phx.gen.cert localhost "*.localhost"
* creating priv/cert/selfsigned_key.pem
* creating priv/cert/selfsigned.pem
[..snip...]
$ vim config/dev.exs
# Edit as instructed
$ sudo vim /etc/hosts
# Add localhost subdomain
$ head -1 /etc/hosts
127.0.0.1 localhost localhost.localdomain test.localhost
$ iex -S mix phx.server
Erlang/OTP 21 [erts-10.1] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [hipe]

[info] Running NewV140Web.Endpoint with cowboy 2.6.0 at https://localhost:4001
[info] Running NewV140Web.Endpoint with cowboy 2.6.0 at https://localhost:4001
Interactive Elixir (1.7.3) - press Ctrl+C to exit (type h() ENTER for help)
iex(1)> 

Opening https://localhost:4001/ and https://test.localhost:4001/ works in both Chrome and Firefox. Of course I need to confirm trusting the self-signed cert, but that’s expected.

Can you please clarify what’s not working for you?

You should try to trust the cert and see if it’s still working for you.

Also I don’t think you need to update the /etc/hosts file to get subdomains working.

Also I can confirm that the primary domain does end up working with the cert but for some reason *.localhost does not seem to be enough for the subdomains to work.

When I say it works, I mean this: when I click through the browser’s warning screen, the site loads, I can navigate the site, page assets load, AJAX requests and websocket connections work, and secure cookies work as expected. This is what I need for local testing.

I fully expect the browser to continue to show the site as ‘not secure’. The fact that I approved a certificate exception does not mean it is now safe to submit credit card details or important credentials. This is really for testing purposes only.

Now, Chrome has this flag to ‘accept self-signed certificates on localhost’. Perhaps this prevents the security popup or the ‘Not secure’ indication. But I guess that feature only applies to the ‘localhost’ domain itself. Anyway, that’s a Chrome feature, it has nothing to do with the contents of the certificate.

As you can see in my later screenshot, I’ve already approved the certs and have set the flag in Chrome. I have also tried this in other browsers too with no luck.
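
Added example, not written by any poster in this thread: a POSIX shell check of which hostnames the two names passed to `mix phx.gen.cert localhost "*.localhost"` cover under leftmost-label wildcard matching, which is why the bare name and the wildcard are both listed. The function names and the `strict` mode are assumptions for illustration; `strict` models a client that refuses a wildcard sitting directly above a single-label suffix such as `*.localhost`, a policy assumed here and not something the thread establishes.

```shell
#!/bin/sh
# Added example: match a hostname against certificate dNSName entries.
# Function bodies are subshells ( ... ), so variables stay local and
# `exit` only ends the function, not the calling script.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }   # DNS names compare case-insensitively

# san_match HOST PATTERN [strict] -> status 0 if PATTERN covers HOST
san_match() (
    host=$(lc "$1"); pat=$(lc "$2"); mode=${3:-}
    case $pat in
        '*.'*)
            suffix=${pat#"*."}            # "localhost" for "*.localhost"
            # Assumed stricter client policy: no wildcard above a single label.
            if [ "$mode" = strict ]; then
                case $suffix in *.*) ;; *) exit 1 ;; esac
            fi
            case $host in
                *".$suffix") label=${host%".$suffix"} ;;
                *) exit 1 ;;              # bare "localhost" is not under "*.localhost"
            esac
            # The star stands for exactly one non-empty label.
            case $label in ''|*.*) exit 1 ;; esac
            exit 0 ;;
        *)  [ "$host" = "$pat" ] ;;       # non-wildcard entry: exact match only
    esac
)

# cert_covers HOST "SAN1 SAN2 ..." [strict] -> status 0 if any entry covers HOST
cert_covers() (
    set -f                                # keep "*" in entries from glob-expanding
    for pat in $2; do
        san_match "$1" "$pat" "${3:-}" && exit 0
    done
    exit 1
)

# Constructed sample input: the two names given to mix phx.gen.cert above.
SANS='localhost *.localhost'
for h in localhost test.localhost a.b.localhost; do
    cert_covers "$h" "$SANS" && echo "$h: covered" || echo "$h: NOT covered"
done
```

Passing `strict` as the third argument to `cert_covers` shows how the same certificate fares under the assumed stricter policy, and the same functions can be run against `'elixir.group *.elixir.group'` for the production naming scheme.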