feat: Custom https cert (#4475)

* feat: add flags to provide custom https cert

* fixup! feat: add flags to provide custom https cert

* fixup! feat: add flags to provide custom https cert

* fixup! feat: add flags to provide custom https cert

* fixup! feat: add flags to provide custom https cert

* fixup! feat: add flags to provide custom https cert

* fixup! feat: add flags to provide custom https cert

---------

Co-authored-by: Peter Bacon Darwin <[email protected]>

packages/wrangler/src/__tests__/dev.test.tsx

@@ -1249,6 +1249,8 @@ describe("wrangler dev", () => {
 			      --routes, --route                            Routes to upload  [array]
 			      --host                                       Host to forward requests to, defaults to the zone of project  [string]
 			      --local-protocol                             Protocol to listen to requests on, defaults to http.  [choices: \\"http\\", \\"https\\"]
+			      --https-key-path                             Path to a custom certificate key  [string]
+			      --https-cert-path                            Path to a custom certificate  [string]
 			      --local-upstream                             Host to act as origin in local mode, defaults to dev.host or route  [string]
 			      --assets                                     Static assets to be served  [string]
 			      --site                                       Root folder of static assets for Workers Sites  [string]

packages/wrangler/src/api/dev.ts

@@ -18,6 +18,8 @@ export interface UnstableDevOptions {
 	bundle?: boolean; // Set to false to skip internal build steps and directly deploy script
 	inspectorPort?: number; // Port for devtools to connect to
 	localProtocol?: "http" | "https"; // Protocol to listen to requests on, defaults to http.
+	httpsKeyPath?: string;
+	httpsCertPath?: string;
 	assets?: string; // Static assets to be served
 	site?: string; // Root folder of static assets for Workers Sites
 	siteInclude?: string[]; // Array of .gitignore-style patterns that match file or directory names from the sites directory. Only matched items will be uploaded.
@@ -174,6 +176,8 @@ export async function unstable_dev(
 		inspectorPort: options?.inspectorPort ?? 0,
 		v: undefined,
 		localProtocol: options?.localProtocol,
+		httpsKeyPath: options?.httpsKeyPath,
+		httpsCertPath: options?.httpsCertPath,
 		assets: options?.assets,
 		site: options?.site, // Root folder of static assets for Workers Sites
 		siteInclude: options?.siteInclude, // Array of .gitignore-style patterns that match file or directory names from the sites directory. Only matched items will be uploaded.

packages/wrangler/src/api/startDevWorker/ProxyController.ts

@@ -58,7 +58,10 @@ export class ProxyController extends EventEmitter {
 		const cert =
 			this.latestConfig.dev?.server?.secure ||
 			this.latestConfig.dev?.inspector?.secure
-				? getHttpsOptions()
+				? getHttpsOptions(
+						this.latestConfig.dev.server?.httpsKeyPath,
+						this.latestConfig.dev.server?.httpsCertPath
+				  )
 				: undefined;
 
 		const proxyWorkerOptions: MiniflareOptions = {

packages/wrangler/src/api/startDevWorker/types.ts

@@ -81,7 +81,13 @@ export interface StartDevWorkerOptions {
 		liveReload?: boolean;
 
 		/** The local address to reach your worker. Applies to remote: true (remote mode) and remote: false (local mode). */
-		server?: { hostname?: string; port?: number; secure?: boolean }; // hostname: --ip, port: --port, secure: --local-protocol
+		server?: {
+			hostname?: string; // --ip
+			port?: number; // --port
+			secure?: boolean; // --local-protocol==https
+			httpsKeyPath?: string;
+			httpsCertPath?: string;
+		};
 		/** Controls what request.url looks like inside the worker. */
 		urlOverrides?: { hostname?: string; secure?: boolean }; // hostname: --host (remote)/--local-upstream (local), port: doesn't make sense in remote/=== server.port in local, secure: --upstream-protocol
 		/** A hook for outbound fetch calls from within the worker. */

packages/wrangler/src/dev.tsx

@@ -116,6 +116,16 @@ export function devOptions(yargs: CommonYargsArgv) {
 				describe: "Protocol to listen to requests on, defaults to http.",
 				choices: ["http", "https"] as const,
 			})
+			.option("https-key-path", {
+				describe: "Path to a custom certificate key",
+				type: "string",
+				requiresArg: true,
+			})
+			.option("https-cert-path", {
+				describe: "Path to a custom certificate",
+				type: "string",
+				requiresArg: true,
+			})
 			.options("local-upstream", {
 				type: "string",
 				describe:
@@ -447,6 +457,8 @@ export async function startDev(args: StartDevOptions) {
 					tsconfig={args.tsconfig ?? configParam.tsconfig}
 					upstreamProtocol={upstreamProtocol}
 					localProtocol={args.localProtocol || configParam.dev.local_protocol}
+					httpsKeyPath={args.httpsKeyPath}
+					httpsCertPath={args.httpsCertPath}
 					localUpstream={args.localUpstream ?? host}
 					localPersistencePath={localPersistencePath}
 					liveReload={args.liveReload || false}
@@ -577,6 +589,8 @@ export async function startApiDev(args: StartDevOptions) {
 			tsconfig: args.tsconfig ?? configParam.tsconfig,
 			upstreamProtocol: upstreamProtocol,
 			localProtocol: args.localProtocol ?? configParam.dev.local_protocol,
+			httpsKeyPath: args.httpsKeyPath,
+			httpsCertPath: args.httpsCertPath,
 			localUpstream: args.localUpstream ?? host,
 			localPersistencePath,
 			liveReload: args.liveReload ?? false,

packages/wrangler/src/dev/dev.tsx

@@ -144,6 +144,8 @@ export type DevProps = {
 	tsconfig: string | undefined;
 	upstreamProtocol: "https" | "http";
 	localProtocol: "https" | "http";
+	httpsKeyPath: string | undefined;
+	httpsCertPath: string | undefined;
 	localUpstream: string | undefined;
 	localPersistencePath: string | null;
 	liveReload: boolean;
@@ -270,6 +272,8 @@ function DevSession(props: DevSessionProps) {
 					hostname: props.initialIp,
 					port: props.initialPort,
 					secure: props.localProtocol === "https",
+					httpsKeyPath: props.httpsKeyPath,
+					httpsCertPath: props.httpsCertPath,
 				},
 				inspector: {
 					port: props.inspectorPort,
@@ -286,6 +290,8 @@ function DevSession(props: DevSessionProps) {
 			props.initialIp,
 			props.initialPort,
 			props.localProtocol,
+			props.httpsKeyPath,
+			props.httpsCertPath,
 			props.localUpstream,
 			props.inspectorPort,
 			props.liveReload,
@@ -445,6 +451,8 @@ function DevSession(props: DevSessionProps) {
 			crons={props.crons}
 			queueConsumers={props.queueConsumers}
 			localProtocol={"http"} // hard-code for userworker, DevEnv-ProxyWorker now uses this prop value
+			httpsKeyPath={props.httpsKeyPath}
+			httpsCertPath={props.httpsCertPath}
 			localUpstream={props.localUpstream}
 			upstreamProtocol={props.upstreamProtocol}
 			inspect={props.inspect}
@@ -464,6 +472,8 @@ function DevSession(props: DevSessionProps) {
 			port={props.initialPort}
 			ip={props.initialIp}
 			localProtocol={props.localProtocol}
+			httpsKeyPath={props.httpsKeyPath}
+			httpsCertPath={props.httpsCertPath}
 			inspectorPort={props.inspectorPort}
 			// TODO: @threepointone #1167
 			// liveReload={props.liveReload}

packages/wrangler/src/dev/local.tsx

@@ -39,6 +39,8 @@ export interface LocalProps {
 	queueConsumers: Config["queues"]["consumers"];
 	localProtocol: "http" | "https";
 	upstreamProtocol: "http" | "https";
+	httpsKeyPath: string | undefined;
+	httpsCertPath: string | undefined;
 	localUpstream: string | undefined;
 	inspect: boolean;
 	onReady:
@@ -93,6 +95,8 @@ export async function localPropsToConfigBundle(
 		crons: props.crons,
 		queueConsumers: props.queueConsumers,
 		localProtocol: props.localProtocol,
+		httpsKeyPath: props.httpsKeyPath,
+		httpsCertPath: props.httpsCertPath,
 		localUpstream: props.localUpstream,
 		upstreamProtocol: props.upstreamProtocol,
 		inspect: props.inspect,

packages/wrangler/src/dev/miniflare.ts

@@ -112,6 +112,8 @@ export interface ConfigBundle {
 	crons: Config["triggers"]["crons"];
 	queueConsumers: Config["queues"]["consumers"];
 	localProtocol: "http" | "https";
+	httpsKeyPath: string | undefined;
+	httpsCertPath: string | undefined;
 	localUpstream: string | undefined;
 	upstreamProtocol: "http" | "https";
 	inspect: boolean;
@@ -594,7 +596,10 @@ async function buildMiniflareOptions(
 
 	let httpsOptions: { httpsKey: string; httpsCert: string } | undefined;
 	if (config.localProtocol === "https") {
-		const cert = await getHttpsOptions();
+		const cert = await getHttpsOptions(
+			config.httpsKeyPath,
+			config.httpsCertPath
+		);
 		httpsOptions = {
 			httpsKey: cert.key,
 			httpsCert: cert.cert,

packages/wrangler/src/dev/proxy.ts

@@ -115,21 +115,29 @@ export async function startPreviewServer({
 	previewToken,
 	assetDirectory,
 	localProtocol,
+	customHttpsKeyPath,
+	customHttpsCertPath,
 	localPort: port,
 	ip,
 	onReady,
 }: {
 	previewToken: CfPreviewToken;
 	assetDirectory: string | undefined;
 	localProtocol: "https" | "http";
+	customHttpsKeyPath: string | undefined;
+	customHttpsCertPath: string | undefined;
 	localPort: number;
 	ip: string;
 	onReady: ((readyIp: string, readyPort: number) => void) | undefined;
 }) {
 	try {
 		const abortController = new AbortController();
 
-		const server = await createProxyServer(localProtocol);
+		const server = await createProxyServer(
+			localProtocol,
+			customHttpsKeyPath,
+			customHttpsCertPath
+		);
 		const proxy = {
 			server,
 			terminator: createHttpTerminator({
@@ -199,12 +207,16 @@ export function usePreviewServer({
 	previewToken,
 	assetDirectory,
 	localProtocol,
+	httpsKeyPath,
+	httpsCertPath,
 	localPort: port,
 	ip,
 }: {
 	previewToken: CfPreviewToken | undefined;
 	assetDirectory: string | undefined;
 	localProtocol: "https" | "http";
+	httpsKeyPath: string | undefined;
+	httpsCertPath: string | undefined;
 	localPort: number;
 	ip: string;
 }) {
@@ -217,7 +229,7 @@ export function usePreviewServer({
 	 */
 	useEffect(() => {
 		if (proxy === undefined) {
-			createProxyServer(localProtocol)
+			createProxyServer(localProtocol, httpsKeyPath, httpsCertPath)
 				.then((server) => {
 					setProxy({
 						server,
@@ -231,7 +243,7 @@ export function usePreviewServer({
 					logger.error("Failed to create proxy server:", err);
 				});
 		}
-	}, [proxy, localProtocol]);
+	}, [proxy, localProtocol, httpsKeyPath, httpsCertPath]);
 
 	/**
 	 * When we're not connected / getting a fresh token on changes,
@@ -579,11 +591,15 @@ const HTTP1_HEADERS = new Set([
 ]);
 
 async function createProxyServer(
-	localProtocol: "https" | "http"
+	localProtocol: "https" | "http",
+	customHttpsKeyPath: string | undefined,
+	customHttpsCertPath: string | undefined
 ): Promise<HttpServer | HttpsServer> {
 	const server: HttpServer | HttpsServer =
 		localProtocol === "https"
-			? createHttpsServer(await getHttpsOptions())
+			? createHttpsServer(
+					await getHttpsOptions(customHttpsKeyPath, customHttpsCertPath)
+			  )
 			: createHttpServer();
 
 	return server

packages/wrangler/src/dev/remote.tsx

@@ -48,6 +48,8 @@ interface RemoteProps {
 	port: number;
 	ip: string;
 	localProtocol: "https" | "http";
+	httpsKeyPath: string | undefined;
+	httpsCertPath: string | undefined;
 	inspect: boolean;
 	inspectorPort: number;
 	accountId: string | undefined;
@@ -422,6 +424,8 @@ export async function startRemoteServer(props: RemoteProps) {
 			? undefined
 			: props.assetPaths?.assetDirectory,
 		localProtocol: props.localProtocol,
+		customHttpsKeyPath: props.httpsKeyPath,
+		customHttpsCertPath: props.httpsCertPath,
 		localPort: props.port,
 		ip: props.ip,
 		onReady: async (ip, port) => {

packages/wrangler/src/dev/start-server.ts

@@ -91,6 +91,8 @@ export async function startDevServer(
 				hostname: props.initialIp,
 				port: props.initialPort,
 				secure: props.localProtocol === "https",
+				httpsKeyPath: props.httpsKeyPath,
+				httpsCertPath: props.httpsCertPath,
 			},
 			inspector: {
 				port: props.inspectorPort,
@@ -172,6 +174,8 @@ export async function startDevServer(
 			crons: props.crons,
 			queueConsumers: props.queueConsumers,
 			localProtocol: props.localProtocol,
+			httpsKeyPath: props.httpsKeyPath,
+			httpsCertPath: props.httpsCertPath,
 			localUpstream: props.localUpstream,
 			upstreamProtocol: props.upstreamProtocol,
 			inspect: true,
@@ -223,6 +227,8 @@ export async function startDevServer(
 			port: props.initialPort,
 			ip: props.initialIp,
 			localProtocol: props.localProtocol,
+			httpsKeyPath: props.httpsKeyPath,
+			httpsCertPath: props.httpsCertPath,
 			inspectorPort: props.inspectorPort,
 			inspect: props.inspect,
 			compatibilityDate: props.compatibilityDate,

packages/wrangler/src/https-options.ts

@@ -1,6 +1,7 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import { getAccessibleHosts } from "miniflare";
+import { UserError } from "./errors";
 import { getGlobalWranglerConfigPath } from "./global-wrangler-config-path";
 import { logger } from "./logger";
 import type { Attributes, Options } from "selfsigned";
@@ -16,11 +17,40 @@ const ONE_DAY_IN_MS = 86400000;
  *
  * The certificates are self-signed and generated locally, and cached in the `CERT_ROOT` directory.
  */
-export function getHttpsOptions() {
+export function getHttpsOptions(
+	customHttpsKeyPath?: string,
+	customHttpsCertPath?: string
+) {
+	if (customHttpsKeyPath !== undefined || customHttpsCertPath !== undefined) {
+		if (customHttpsKeyPath === undefined || customHttpsCertPath === undefined) {
+			throw new UserError(
+				"Must specify both certificate path and key path to use a Custom Certificate."
+			);
+		}
+		if (!fs.existsSync(customHttpsKeyPath)) {
+			throw new UserError(
+				"Missing Custom Certificate Key at " + customHttpsKeyPath
+			);
+		}
+		if (!fs.existsSync(customHttpsCertPath)) {
+			throw new UserError(
+				"Missing Custom Certificate File at " + customHttpsCertPath
+			);
+		}
+		if (hasCertificateExpired(customHttpsKeyPath, customHttpsCertPath)) {
+			throw new UserError("Custom Certificate is invalid");
+		}
+		logger.log("Using custom certificate at ", customHttpsKeyPath);
+
+		return {
+			key: fs.readFileSync(customHttpsKeyPath, "utf8"),
+			cert: fs.readFileSync(customHttpsCertPath, "utf8"),
+		};
+	}
+
 	const certDirectory = path.join(getGlobalWranglerConfigPath(), "local-cert");
 	const keyPath = path.join(certDirectory, "key.pem");
 	const certPath = path.join(certDirectory, "cert.pem");
-
 	const regenerate =
 		!fs.existsSync(keyPath) ||
 		!fs.existsSync(certPath) ||

packages/wrangler/src/pages/dev.ts

@@ -180,6 +180,16 @@ export function Options(yargs: CommonYargsArgv) {
 				describe: "Protocol to listen to requests on, defaults to http.",
 				choices: ["http", "https"] as const,
 			},
+			"https-key-path": {
+				describe: "Path to a custom certificate key",
+				type: "string",
+				requiresArg: true,
+			},
+			"https-cert-path": {
+				describe: "Path to a custom certificate",
+				type: "string",
+				requiresArg: true,
+			},
 			"persist-to": {
 				describe:
 					"Specify directory to use for local persistence (defaults to .wrangler/state)",
@@ -230,6 +240,8 @@ export const Handler = async ({
 	service: requestedServices = [],
 	liveReload,
 	localProtocol,
+	httpsKeyPath,
+	httpsCertPath,
 	persistTo,
 	nodeCompat: legacyNodeCompat,
 	experimentalLocal,
@@ -635,6 +647,8 @@ export const Handler = async ({
 		port,
 		inspectorPort,
 		localProtocol,
+		httpsKeyPath,
+		httpsCertPath,
 		compatibilityDate,
 		compatibilityFlags,
 		nodeCompat: legacyNodeCompat,