mix attesto_phoenix.gen.dev_https (AttestoPhoenix v1.2.0)

Copy Markdown View Source

Sets up a locally-trusted TLS certificate so a dev endpoint can serve https://localhost with no tunnel and no downgrade.

attesto requires an https issuer (RFC 8414 §2), so a plain http://localhost dev server cannot drive the OAuth / MCP flow. This task generates a certificate from a local certificate authority — mkcert — that your machine already trusts, so https://localhost works everywhere with no -k and no self-signed warnings.

The task:

  1. checks mkcert is on your PATH (printing install guidance if not),
  2. creates the cert directory (default priv/cert),
  3. runs mkcert -install (idempotent — trusts the local CA on this machine),
  4. writes localhost.pem + localhost-key.pem for the requested hosts,
  5. ensures the cert directory is git-ignored, and
  6. prints the exact config/dev.exs one-liner to wire it up.

Re-running regenerates cleanly.

Example

mix attesto_phoenix.gen.dev_https

Then wire it into config/dev.exs (the task prints this):

config :my_app, MyAppWeb.Endpoint, https: AttestoPhoenix.DevTLS.https_opts(port: 4443)

and make sure your MCP / OAuth issuer is https://localhost:4443.

Options

  • --host - the space-separated host list the certificate is valid for. Defaults to localhost 127.0.0.1 ::1.
  • --dir - the directory the cert/key are written to. Defaults to priv/cert.

Production

mkcert is a local dev CA. Never run mkcert -install or use these certificates on a server or in CI — production terminates TLS at the load balancer / ingress with a real CA certificate.