mkcert | Create self signed ssl certificates without OpenSSL | TLS library

This is worked around in DDEV v1.18.2+ (and v1.19+), please upgrade. It was a bug in docker-compose 2.2.0+ - please see https://github.com/drud/ddev/issues/3404 for context.

Short answer: Yes you can

The certificate doesn't make difference of "frontend" or "backend" things.

It "take" only the FQDN given on creation and generally a certificate is valid for use on a single fully qualified domain name (FQDN), but it's out of scope of this question.

What I mean is, if you create a certificate for only 127.0.0.1 and you try to load it from 192.168.1.96, you will see the certificate as invalid.

In your case, as you created the certificate for both local network IP and the public IP, then whatever you load the cert from localhost or 192.168.1.96, the certificate is valid.

In comments, you say you are compiling for OpenSSL 1.1.1.

Direct access to OpenSSL struct members, such as in pkey->pkey.rsa, is no longer possible in OpenSSL 1.1.x onward, as OpenSSL has moved away from using typed struct pointers and now uses opaque pointers instead. The reason is so that OpenSSL structs can now change layout between versions without breaking code, something that wasn't really possible before 1.1.0.

Per OpenSSL's wiki: OpenSSL 1.1.0 Changes

All structures in libssl public header files have been removed so that they are "opaque" to library users. You should use the provided accessor functions instead

As such, you now have to use individual getter/setter functions for each member. In this case, I think it is EVP_PKEY_get1_RSA(), eg:

After lots of debugging I found what was causing this issue. This was caused by Phusion Passengers instantiation of the application.

It simply uses two different paths when initializing the app. One for http and one for https.

The standard path it uses for http config is:

/etc/apache2/conf.d/userdata/std/2_4/YOUR_USERNAME/YOUR_DOMAIN/YOUR_APP_NAME.conf

Not sure why but Phusion Passenger does not automatically create the correct path for SSL when you register your application in cpanel, meaning it can not find a path for https application config.

I had to manually create the folders and then copy the config file from the above path to it. It looks like this:

/etc/apache2/conf.d/userdata/ssl/2_4/YOUR_USERNAME/YOUR_DOMAIN/YOUR_APP_NAME.conf

If you update one config file you need to update the other as they should be identical.

The command line from the [cpanel documentation][1] did not work for me because the folders did not exist and were not automatically created when the app was registered.

The command line I'm referring to from the above documentation is:

Took a while, but I figured it out!

First transfer copy of the rootCA.pem cert file from laptop to phone.

File location found via CLI: mkcert -CAROOT

Then install the cert file in Android settings, the location of which varies per device and Android version.

In my phone it was in: Android Settings / General / Lock screen & security / Encryption & credentials / Install from storage

You might have to restart the phone. Also might have to click TRUST on the cert in Android settings.

Then enable Firefox secret settings by clicking multiple times on the Firefox logo in the About page, then in secret settings enable "Use third party CA certificates".

Voila!

The solution was to amend my package.json file to look like this:

The issue was caused by the latest version of Cisco AnyConnect Secure Mobility Client (4.10) installed on the host computer. After downgrading Cisco AnyConnect software to version 4.9 everything works as expected.

Your mkcert CA has been orphaned.

Please try mkcert -uninstall and then mkcert -install

Then edit or remove the existing mkcert_caroot in your ~/.ddev/global_config.yaml

Edit 2021-04-13: The current Docker Desktop Tech Preview for Apple M1 (RC3) works fine with ddev.