Skip to content

Trellis SSL docs: Add vm trust commands #586

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
retlehs merged 1 commit into from
May 3, 2026
+12 −33
Merged

Trellis SSL docs: Add vm trust commands #586

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 12 additions & 33 deletions trellis/ssl.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
---
date_modified: 2026-03-06 13:00
date_modified: 2026-05-03 12:00
date_published: 2015-09-06 07:42
description: Enable HTTPS in Trellis with automatic Let's Encrypt certificates, manually provided SSL certificates, or self-signed certificates for local development.
title: SSL Certificates in Trellis
Expand Down Expand Up @@ -195,54 +195,33 @@ example.com:

#### Lima

Lima does not support automated SSL handling yet, but you can follow these manual steps to have macOS trust the self-signed certificate.

1. Enter the Lima VM from your Trellis project directory:
Trust the Lima VM's self-signed certificate so browsers and host-side tooling stop showing warnings:

```shell
$ trellis vm shell
$ trellis vm trust
```

2. Copy the generated certificate somewhere readable:

```shell
$ sudo cp /etc/nginx/ssl/example.com.cert /tmp/
```
This pulls the cert and key out of the VM, exports them to `~/.local/share/trellis/ssl/<vm>-<hash>/`, and trusts the cert in the macOS login keychain and every Firefox profile. Re-runs are safe: if the cert is already trusted, the command reports it and does nothing.

3. Exit the VM:
Firefox support requires `certutil` (install via `brew install nss` on macOS or `apt install libnss3-tools` on Linux). On Linux, pass `--trust-system` to also add the cert to the system trust store.

```shell
$ exit
```
Available flags:

4. Copy the certificate from the VM to your host machine
- `--site` — only trust the cert for the named site
- `--no-export-key` — skip exporting the private key to the host

Note: you will need the VM’s name.. If you don’t remember your Lima VM name, you can list all VMs:
To reverse trust entries added by this project:

```shell
$ limactl list
$ trellis vm untrust
```

Then copy the cert using your Lima instance name:
To print the host paths of the exported cert and key per site:

```shell
$ limactl copy <lima-vm-name>:/tmp/example.com.cert ~/Downloads/
$ trellis vm trust paths
```

5. Move the certificate somewhere that makes sense to you:

```shell
$ mkdir -p ~/.ssh/lima && mv ~/Downloads/example.com.cert ~/.ssh/lima/
```

6. Trust the certificate on macOS:

```shell
$ security add-trusted-cert -k ~/Library/Keychains/login.keychain-db ~/.ssh/lima/example.com.cert
```

After this, your local site should load in the browser without warnings.

## HSTS

Trellis sets [HSTS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) headers for better security. HSTS will ensure all traffic to your site is being served over HTTPS automatically.
Expand Down
Loading