How to set up stress-free SSL on an OS X development machine

Only gripe is being told to match Dev with production ... And then develop on Mac OS.<p>Virtual machines are a much cleaner and nicer way to do this. Setting up a wildcard SSL is similarly as simple, an you get the bonus of learning how to do it on a &quot;real&quot; (normal, more standard) server.<p>Example setting up wildcard subdomain SSL cert (self-signed): <a href="https://serversforhackers.com/ssl-certs/" rel="nofollow">https:&#x2F;&#x2F;serversforhackers.com&#x2F;ssl-certs&#x2F;</a>

I use ngrok (<a href="https://ngrok.com/" rel="nofollow">https:&#x2F;&#x2F;ngrok.com&#x2F;</a>), which tunnels a local port and makes it available over ssl on an ngrok.com subdomain.<p>Makes it easy to develop from any machine, and even allows me to check it out from other machines. Including things like browserling.<p>On top of that, it can record and replay requests for you as you debug.

I use multicast DNS so that my server in a development VM can automatically publish a hostname to the host for testing.<p><a href="http://bens.me.uk/2013/multicast-dns-and-development-virtual-machines" rel="nofollow">http:&#x2F;&#x2F;bens.me.uk&#x2F;2013&#x2F;multicast-dns-and-development-virtual...</a><p>This is especially useful as my application is multi-tenant, where you can potentially use lots of different hostnames.<p>I&#x27;m wary of trusting a development certificate on my development machines. One slight misconfiguration, and you&#x27;ve got a CA with a well-known private key which can be used to generate certificates for any name. Which would be very useful for MITMing a rather important machine.<p>I accept the inconvenience of having to click through the warnings, with conscious awareness of what I&#x27;m doing to avoid training myself to ignore them. I&#x27;m not entirely sure which is the bigger risk.

Keychain Access makes creating a certificate authority very easy - you might as well just use that...<p>Besides, I don&#x27;t understand why you would choose not to trust the certificate, then click it and choose to trust it...

&#x2F;etc&#x2F;resolver is pretty cool. I wish it were better-documented &#x2F; better-known. (I guess `man 5 resolver` documents it.)<p>I also wish glibc had something similar.

Instead of dnsmasq you can also use <a href="https://github.com/robbiev/devdns" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;robbiev&#x2F;devdns</a>

Pow is a nice project for handling DNS resolution and forwarding a specific name to a service running on a non-standard port.<p>I&#x27;ve put Apache with a wildcard cert (&amp; local CA) in front of it to handle SSL termination.<p>It&#x27;s very similar to the technique from the article, but I&#x27;ve found the ability to serve requests on the default port to be convenient.

If you&#x27;re using Django, check out the runserver_plus command from django-extensions: <a href="http://django-extensions.readthedocs.org/en/latest/runserver_plus.html#ssl" rel="nofollow">http:&#x2F;&#x2F;django-extensions.readthedocs.org&#x2F;en&#x2F;latest&#x2F;runserver...</a>

I wrote <a href="https://www.npmjs.com/package/crisp" rel="nofollow">https:&#x2F;&#x2F;www.npmjs.com&#x2F;package&#x2F;crisp</a> a while back, which simplifies a lot of this, it generates a self-signed cert and starts a web server in one move

I usually just use <a href="https://github.com/jugyo/tunnels" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jugyo&#x2F;tunnels</a>.

fyi - I know it&#x27;s a pain but before I got comfortable with unbound&#x2F;dnsmasq I wrote a thing to edit your &#x2F;etc&#x2F;hosts file, which makes it not quite as painful to deal with.<p><a href="https://github.com/kevinburke/hostsfile" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;kevinburke&#x2F;hostsfile</a>

I didn&#x27;t see self-signed certs as an alternative. Isn&#x27;t that a common and reasonable approach?