科技回声

Hi HN! I'm Ben, co-founder of Anchor (<a href="https://anchor.dev/" rel="nofollow noreferrer">https://anchor.dev/</a>). Anchor is a hosted service for ACME powered internal X.509 CAs. We recently launched our features & tooling for local development. The goal is to make it easy and toil-free to develop locally with HTTPS, and also provide dev/prod parity for TLS/HTTPS encryption.You can add Anchor to your development workflow in minutes. Here's how:- <a href="https://blog.anchor.dev/getting-started-with-anchor-for-local-development-6dd2cd605c08" rel="nofollow noreferrer">https://blog.anchor.dev/getting-started-with-anchor-for-loca...</a>- <a href="https://blog.anchor.dev/service-to-service-tls-in-development-d0df479d67ce" rel="nofollow noreferrer">https://blog.anchor.dev/service-to-service-tls-in-developmen...</a>We started Anchor because private CAs were a constant source of frustration throughout our careers. Avoiding them makes it all the more painful when you're finally forced to use one. The release of ACME and Let's Encrypt was a big step forward in certificate provisioning, but the improvements have been almost entirely in the WebPKI and public CA space. Internal TLS is still as unpleasant & painful to use as it has been for the past 20 years. So we've built Anchor to be a developer-friendly way to setup internal TLS that fully leverages the benefits of ACME:- no encryption experience or X.509 knowledge required- automatically generated system and language packages to manage client trust stores- ACME (RFC 8555) compliant API, broad language/tooling support for cert provisioning- fully hosted, no services or infra requirements- works the same in all deployment environments, including developmentIf you're interested in more specific details and strategy, our blog posts cover all this and more: <a href="https://blog.anchor.dev/" rel="nofollow noreferrer">https://blog.anchor.dev/</a>We are asking for feedback on our features for local development, and would like to hear your thoughts & questions. Many thanks!

8 条评论

westurner超过 1 年前

What advantages over say, smallstep/certificates, letsencrypt/boulder, django-ca, square/certstrap, or hashicorp/vault (and e.g. OpenWRT's luci-app-acme ACMEv2 GUI) does Anchor offer?<a href="https://github.com/topics/acme">https://github.com/topics/acme</a>applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js: <a href="https://github.com/openwrt/luci/blob/master/applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js">https://github.com/openwrt/luci/blob/master/applications/luc...</a><a href="https://openwrt.org/docs/guide-user/services/tls/acmesh" rel="nofollow noreferrer">https://openwrt.org/docs/guide-user/services/tls/acmesh</a><a href="https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-engine" rel="nofollow noreferrer">https://developer.hashicorp.com/vault/tutorials/secrets-mana...</a> <a href="https://github.com/hashicorp/vault">https://github.com/hashicorp/vault</a> :> Refer to Build Certificate Authority (CA) in Vault with an offline Root for an example of using a root CA external to Vault.

评论 #38100444 未加载

candiddevmike超过 1 年前

I'm not sure I understand the value prop. For localhost, you typically just generate a self-signed certificate that doesn't need to be trusted by everyone, as the dev can just add it to their local store. There are also other services that provide ACME certificates for localhost domains, basically what you do for free (I can't find a link to one but it was posted on HN recently).If you need a trusted certificate for local dev, something like Cloudflare Tunnels is more valuable as you can have other folks access the service.

评论 #38100637 未加载

评论 #38099055 未加载

评论 #38099062 未加载

评论 #38100334 未加载

评论 #38098887 未加载

moqmar超过 1 年前

I don't really understand how "hosted" and "internal" go together here - does this mean that a) the devices I need certificates for must connect to your servers, and that b) your servers could theoretically sign certificates for devices which do not exist? If so, especially for the latter point, this IMO isn't really useful for any real-world application, as the most important things of a CA is control.

评论 #38100023 未加载

samcat116超过 1 年前

Does this help at all with the issue of deploying the root CA cert on every device that will interact with services with these certs deployed? That seems to me to be the hardest part about running an internal CA. You've got to put it on everyones laptops as well as all your servers.

评论 #38099351 未加载

tomjen3超过 1 年前

How is this better than using the internal tls setting for caddy?

评论 #38099204 未加载

sneak超过 1 年前

Feedback:I don’t use services that require external services to auth with. I’ve stopped using GitHub whenever/wherever possible because of the ICE concentration camps thing and your service doesn’t allow me to log in or create an account without using GitHub.Your website doesn’t say how much it costs.

Show HN: Anchor – developer-friendly private CAs for internal TLS

8 条评论

Show HN: Anchor – developer-friendly private CAs for internal TLS

8 条评论