Skip to main content
  1. IO Reference/

Using IO's Local Certificates

·401 words·2 mins·
Author
Agent IO
How to make IO your local certificate authority.

Why use local domain names

Often it's useful to be able to assign local domain names to ingresses served by a local IO. This lets us run multiple services on our development systems and access our services using DNS and HTTPS, just as we would in production.

Here are some tips that make this easy.

Put local domains in /etc/hosts

First, you'll need some domain names for your local services. On Linux and MacOS, you'll put these in /etc/hosts. The names should all point to 127.0.0.1.

Here are some that I added on my laptop:

127.0.0.1 doc grumpy happy sleepy bashful sneezy dopey

Create IO ingresses with your local names

Next use IO to create an ingress that uses one of your local names. It can point to any backend. If you're just getting started, use internal:echo.

Then use IO to generate a self-signed certificate for your ingress.

Get your IO's root certificate

Now if you try to call your service with curl or a browser, you'll get errors saying that your self-signed certificate is untrusted. To fix that, we first get the root certificate that IO uses to sign its self-signed certificates.

ssh localhost -p 2200 -- get certificates io -f pem > ~/Downloads/io.pem

This certificate is always named io and is randomly generated if you don't already have one. It is unique to your IO instance, but if you have multiple development systems, you might want to install the same certificate in some of your other IO instances. You can get an installable version in IO's HCL format with an SSH command:

ssh localhost -p 2200 -- get certificates io -f hcl > ~/Downloads/io.hcl

One easy way to install this in another IO is to use IO's put command over SSH:

ssh remote -p 2200 -- put < ~/Downloads.io.hcl 

Use your IO's root certificate

Curl

Now you can use your root certificate with curl:

curl --cacert ~/Downloads/io.pem https://happy

Firefox

You can use your root certificate with Firefox by adding it to Firefox's trust store. For instructions, see Automatically trust third-party root certificates.

Chrome

You can use your root certificate with Chrome by adding it to Chrome's trust store. To do this, go to the Chrome Certificate Manager.

Ubuntu

Depending on your operating system, you may also be able to add your root certificate to your local machine's trust store. Here's how I do that on Ubuntu:

sudo cp ~/Downloads/io.pem /usr/local/share/ca-certificates/
sudo update-ca-certificates