Show HN: Anchor – developer-friendly private CAs for internal TLS (anchor.dev)
You can add Anchor to your development workflow in minutes. Here's how:
- https://blog.anchor.dev/getting-started-with-anchor-for-loca...
- https://blog.anchor.dev/service-to-service-tls-in-developmen...
We started Anchor because private CAs were a constant source of frustration throughout our careers. Avoiding them makes it all the more painful when you're finally forced to use one. The release of ACME and Let's Encrypt was a big step forward in certificate provisioning, but the improvements have been almost entirely in the WebPKI and public CA space. Internal TLS is still as unpleasant & painful to use as it has been for the past 20 years. So we've built Anchor to be a developer-friendly way to setup internal TLS that fully leverages the benefits of ACME:
- no encryption experience or X.509 knowledge required
- automatically generated system and language packages to manage client trust stores
- ACME (RFC 8555) compliant API, broad language/tooling support for cert provisioning
- fully hosted, no services or infra requirements
- works the same in all deployment environments, including development
If you're interested in more specific details and strategy, our blog posts cover all this and more: https://blog.anchor.dev/
We are asking for feedback on our features for local development, and would like to hear your thoughts & questions. Many thanks!
46 comments
[ 3.3 ms ] story [ 109 ms ] threadIf you need a trusted certificate for local dev, something like Cloudflare Tunnels is more valuable as you can have other folks access the service.
Here's how the architecture you described works with Anchor: assuming your domain is `mycorp.it`, you can add it to your organization. Then create staging & production environments. This provisions a stand-alone CA per environment, and the CA is name constrained for the environment (e.g. only `*.stg.mycorp.it` in staging). Each of the 300 APIs can be registered as a service: this provisions an intermediate CA per environment that is further name constrained (e.g. `foo-api.stg.mycorp.it` in staging). For each service in each environment you generate a set of API tokens (EAB tokens in ACME parlance) that allows your automation to provision server certs with the ACME client of your choice. edit: in your case, cert-manager would be the acme client delegating to Anchor.
I'm not sure a managed service is interesting. The target audience probably mainly wants it fully self-hosted. From quickly skimming the frontpage, quickstart, and terminology it's not at all clear why I need to / want to make an account in order to run / use this service.
Ah, yes, that [mythical] developer which entire company depends on and he has one self-signed certificate to fulfill all the needs.
Everyone else has many developers running many local and not-local development (and not only development) environments which can have a full access to Internet or be isolated.
> doesn't need to be trusted by everyone, as the dev can just add it to their local store
And this is how the certificate warnings starts to be dismissed without reading and this is how the local self-signed certs find a ways to the local stores of the every computer device in the company.
Since I'm also building in this space, I'll give my perspective. Local certificate generation is complicated. If you spend the time, you can figure it out, but it's begging for a simpler solution. You can use tools like mkcert[2] for anything that's local to your machine. However, if you're already using ACME in production, maybe you'd prefer to use ACME locally? I think that's what Anchor offers, a unified approach.
There's a couple references in the Anchor blog about solving the distribution problem by building better tooling[3]. I'm eager to learn more, that's a tough nut to crack. My theory for getlocalcert is that the distribution problem is too difficult (for me) to solve, so I layer the tool on top of Let's Encrypt certificates instead. The end result for both tools is a trusted TLS certificate issued via ACME automation.
1. https://news.ycombinator.com/item?id=36674224
2. https://github.com/FiloSottile/mkcert
3. https://blog.anchor.dev/the-acme-gap-introducing-anchor-part...
You can generate one using openssl and then import it to cert store. That's a few minutes of work to create a script and to me seems much less complex than the alternatives of using some third party service. Reminds me of leftpad.
If you need to write a script, then it's already too complex.
Which solution is less complex? I followed OPs link to Anchor but was prompted to sign on using anorher third-party service which is already more complex in terms of rolling out in a medium sized team.
It’s no longer local development now is it? You are crossing into dev deployment land. Unless you are talking about remote pair programming and setting up a reverse proxy at home to allow your coworker to connect or open some port forwards on your router (in which case, the world can connect).
I’m in the camp that can write a 14 line Golang program that can generate a self-signed cert for whatever you want. Anything that needs a root CA is going to need LetsEncrypt or those god awful mafia-esque geotrust/verisign certs.
The certs should be installed on your OS, not your browser. No trust stores to manage. Firefox will use Windows Certificate store, Mac keychain, Linux /etc/ssl/certs.
For client certificates, you can generate a self-signed <dns-name-dejour> so long as your hosts file points the domain to your container IP or localhost.
It’s not that complicated but it’s not trivial if you don’t understand certificates. Having a SaaS service do this for you I think is overkill. certbot could definitely do this. I think web frameworks should do this as part of their new-project process. Considering the world requires https.
I think that's part of the challenge. Your not "doing local development" or "doing dev deployment". Your trying to solve an evolving set of problems. A local CA works for local, but becomes a pain if you ever need something different.
It's a really hard problem, and the root store programs do amazing work. The proof is that hardly anyone is even aware exist at all! I've also done the "use LE for internal TLS" setup, and it worked great until I hit API limits and everything came grinding to a halt. There's a few advantages to using Anchor as a drop in replacement for LE:
- we use an EAB token ACME workflow, so no need to set DNS records or expose infra to the internet, just push API tokens to containers and provision certs at container boot.
- EAB tokens are scoped to least privilege rules, so your staging tokens can't be used to provision production certs.
- Certs don't show up in public certificate transparency logs.
I just use Let’s Encrypt: https://gruchalski.com/posts/2021-06-04-letsencrypt-certific....
If I need a CA, I go for cfssl.
Fact, I don’t have ACME via my own CA but it’s not necessary anyway if one is using LE.
1. https://alexsci.com/blog/name-non-constraint/
2. https://github.com/Netflix/bettertls/issues/19
I don't have a solid answer, but my hunch for why BetterTLS doesn't place much emphasis on Name Constraints is because they have very limited use in public CAs. The latest cacert.pem bundle from curl only shows 141 certs with name constraints: `curl -s https://curl.se/ca/cacert.pem | certigo dump --json --format PEM | jq '.certificates[] | .name_constraints' | wc -l`
Some solutions (ADCS) obeyed name constraints when signing, but that doesn't help much.
Also - checking the cacert bundle isn't really a good test - that's for roots and you'll not find name constraints there. You'd better look at the thousands of issuing CAs (but the number is still tiny).
EDIT: I currently use mkcert with caddy and it works fine for this.
I don't think I understand your second question, are you asking about cross-signing?
People do weird things with private CAs. Be it for testing or corporate shenanigans, they do want to issue for domains they don't control, data they can't verify, internal identifiers etc. - all in contrast to public/webPKI. This is fine, there's no real downside to letting them do it as it's a private CA after all.
The other thing wasn't cross-signing (not gazing into that abyss!) I just meant issuing a CA from the private root with CA=true so that it can itself issue certificates. Commonly used on MITM proxies/TLS inspection devices - sadly more common than you think, but again no risk to anyone outside of that enterprise. I believe even in some business areas, it's basically required to TLS MITM your users (finance).
Happy to chat more off here if you'd like - email on profile for personal or nick (at) sectigo dot com.
edit: for the laptop problem, we have a CLI toolchain that gets your development environment setup by adding all the necessary CA certs to your local trust store. More about that here: https://blog.anchor.dev/getting-started-with-anchor-for-loca...
Any org that care enough to have an internal PKI (compared to just using e.g public certs for internal dns names or wildcard certs) probably don’t hosting something internally.
But if the pricing is reasonable and help the client situation enough, then I see it could maybe be worth it?
We always build two-tier PKIs, which means your server certificates are issued by intermediate certificates, and those intermediates are issued by a root certificate. In the future, we will let users bring their own root certificate so that we never see your root key material, which you can keep safely in an HSM or KMS.
Does this work in practice? I was under the impression that the extensions for restricting which domains a CA can use weren’t widely supported.
https://github.com/topics/acme
applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js: https://github.com/openwrt/luci/blob/master/applications/luc...
https://openwrt.org/docs/guide-user/services/tls/acmesh
https://developer.hashicorp.com/vault/tutorials/secrets-mana... https://github.com/hashicorp/vault :
> Refer to Build Certificate Authority (CA) in Vault with an offline Root for an example of using a root CA external to Vault.
I don’t use services that require external services to auth with. I’ve stopped using GitHub whenever/wherever possible because of the ICE concentration camps thing and your service doesn’t allow me to log in or create an account without using GitHub.
Your website doesn’t say how much it costs.