From 2319bf8ac74f9f90c3d3592892f37cfabc88f621 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sun, 3 May 2026 12:57:18 -0500 Subject: [PATCH] Trellis SSL docs: Add vm trust commands --- trellis/ssl.md | 45 ++++++++++++--------------------------------- 1 file changed, 12 insertions(+), 33 deletions(-) diff --git a/trellis/ssl.md b/trellis/ssl.md index ef99ce22..3117b7eb 100644 --- a/trellis/ssl.md +++ b/trellis/ssl.md @@ -1,5 +1,5 @@ --- -date_modified: 2026-03-06 13:00 +date_modified: 2026-05-03 12:00 date_published: 2015-09-06 07:42 description: Enable HTTPS in Trellis with automatic Let's Encrypt certificates, manually provided SSL certificates, or self-signed certificates for local development. title: SSL Certificates in Trellis 
@@ -195,54 +195,33 @@ example.com: #### Lima -Lima does not support automated SSL handling yet, but you can follow these manual steps to have macOS trust the self-signed certificate. - -1. Enter the Lima VM from your Trellis project directory: +Trust the Lima VM's self-signed certificate so browsers and host-side tooling stop showing warnings: ```shell -$ trellis vm shell +$ trellis vm trust ``` -2. Copy the generated certificate somewhere readable: - -```shell -$ sudo cp /etc/nginx/ssl/example.com.cert /tmp/ -``` +This pulls the cert and key out of the VM, exports them to `~/.local/share/trellis/ssl/-/`, and trusts the cert in the macOS login keychain and every Firefox profile. Re-runs are safe: if the cert is already trusted, the command reports it and does nothing. -3. Exit the VM: +Firefox support requires `certutil` (install via `brew install nss` on macOS or `apt install libnss3-tools` on Linux). On Linux, pass `--trust-system` to also add the cert to the system trust store. -```shell -$ exit -``` +Available flags: -4. Copy the certificate from the VM to your host machine +- `--site` — only trust the cert for the named site +- `--no-export-key` — skip exporting the private key to the host -Note: you will need the VM’s name.. If you don’t remember your Lima VM name, you can list all VMs: +To reverse trust entries added by this project: ```shell -$ limactl list +$ trellis vm untrust ``` -Then copy the cert using your Lima instance name: +To print the host paths of the exported cert and key per site: ```shell -$ limactl copy :/tmp/example.com.cert ~/Downloads/ +$ trellis vm trust paths ``` -5. Move the certificate somewhere that makes sense to you: - -```shell -$ mkdir -p ~/.ssh/lima && mv ~/Downloads/example.com.cert ~/.ssh/lima/ -``` - -6. Trust the certificate on macOS: - -```shell -$ security add-trusted-cert -k ~/Library/Keychains/login.keychain-db ~/.ssh/lima/example.com.cert -``` - -After this, your local site should load in the browser without warnings. 
- ## HSTS Trellis sets [HSTS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) headers for better security. HSTS will ensure all traffic to your site is being served over HTTPS automatically.
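Review bot: in the second hunk, `trellis vm trust` is documented as copying the VM's private key to the host by default (`--no-export-key` is the opt-out), but the text never says why host-side tooling needs the key, what file permissions the exported key gets, or whether `trellis vm untrust` removes it; since `untrust` is described only as reversing "trust entries", say explicitly that the exported key and cert files under `~/.local/share/trellis/ssl/` stay behind (or are deleted) and how to clean them up. Two smaller points in the same hunk: the export path `~/.local/share/trellis/ssl/-/` has empty components on either side of the `-`, and `--site` is listed with no argument, so name the values that fill each of them; and "trusts the cert in the macOS login keychain and every Firefox profile" is macOS-specific while the next paragraph covers Linux, so state what the default trust target is on Linux when `--trust-system` is not passed.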