@PiotrCzapla
Last active September 20, 2024 21:09
mkcert + 1pass to securely serve jupyter notebooks on .local over https

Howto

$ mkcert --install  # to generate and install your root ca
$ mkcert myserver.local # to generate certificate

Then, to enable HTTPS in Jupyter, use this snippet (it assumes your .pem and -key.pem files are in ~/.jupyter):

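from pathlib import Path
# mkcert writes NAME-key.pem and NAME.pem; the key sorts first because '-' < '.'
# (requires exactly two .pem files in ~/.jupyter; `c` is Jupyter's config object)
c.NotebookApp.keyfile, c.NotebookApp.certfile = sorted(map(str,Path.home().glob('.jupyter/*.pem')))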
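
An added example (not part of the original gist): a stricter way to pick the key and certificate than the sorted glob above, which only works when exactly two .pem files are in the directory. The helper name `pick_mkcert_pair`, the skipping of rootCA files and the permission check are this example's own choices.

```python
import stat
from pathlib import Path


def pick_mkcert_pair(directory):
    """Return (keyfile, certfile) for the single mkcert pair in `directory`.

    mkcert writes NAME.pem (certificate) and NAME-key.pem (private key).
    """
    directory = Path(directory)
    # Ignore CA material that a broad `scp *.pem` may have copied along.
    pems = [p for p in directory.glob("*.pem") if not p.name.startswith("rootCA")]
    keys = [p for p in pems if p.name.endswith("-key.pem")]
    if len(keys) != 1:
        raise ValueError(
            f"expected exactly one *-key.pem in {directory}, found {len(keys)}"
        )
    key = keys[0]
    # Derive the certificate name from the key name instead of relying on sort order.
    cert = key.with_name(key.name[: -len("-key.pem")] + ".pem")
    if not cert.is_file():
        raise FileNotFoundError(f"no certificate {cert.name} next to {key.name}")
    # Refuse a server key that group or others can access.
    mode = stat.S_IMODE(key.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{key} has mode {oct(mode)}; run chmod 600 on it")
    return str(key), str(cert)


# In the Jupyter config file, where Jupyter provides `c`:
# c.NotebookApp.keyfile, c.NotebookApp.certfile = pick_mkcert_pair(Path.home() / ".jupyter")
```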

1password setup

I don't like the fact that mkcert keeps the rootCA unencrypted, so I've put it in 1Password and I'm using mkcert with a wrapper that brings the key back only when mkcert is being used.

Here is a zsh snippet to get this working:

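function mkcert() {
    # keep the helper variables out of the interactive shell's environment
    local MKCERT_CMD DEFAULT_CAROOT TEMP_CAROOT
    # find the real binary: `which -p` searches PATH and skips this wrapper function
    MKCERT_CMD=$(which -p mkcert 2>/dev/null || which mkcert)
    [ -x "$MKCERT_CMD" ] || { echo "Error: mkcert not found in PATH." >&2; return 1; }
    DEFAULT_CAROOT=$("$MKCERT_CMD" --CAROOT)
    # mktemp -d creates the directory with mode 0700, so only this user can enter it
    TEMP_CAROOT=$(mktemp -d /tmp/mkcert_caroot.XXXXXX)
    # trap to clean up the temp dir (in zsh an EXIT trap set inside a function runs when the function returns)
    trap "rm -rf \"$TEMP_CAROOT\"" EXIT
    # the public root certificate stays on disk; only the private key comes from 1Password
    cp "$DEFAULT_CAROOT/rootCA.pem" "$TEMP_CAROOT/" || { echo "Error: Failed to copy rootCA.pem." >&2; return 1; }
    op read -o "$TEMP_CAROOT/rootCA-key.pem" -f -n "op://Personal/mkcert/rootCA-key.pem" >/dev/null || { echo "Error: Failed to retrieve rootCA-key.pem from 1Password." >&2; return 1; }
    chmod 600 "$TEMP_CAROOT/rootCA-key.pem"

    # run the real mkcert against the temporary CAROOT that holds the key
    CAROOT="$TEMP_CAROOT" "$MKCERT_CMD" "$@"
}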
@PiotrCzapla
Author

Doing this a second time, I have a few tips to get it up and running.

  1. make sure that mkcert_wrapped is aliased to mkcert so that you are installing the same cert as on other machines.
  2. to install: brew install mkcert
  3. copy cert root CA public file from 1password
  4. do mkcert --install && mkcert .. to create certs
  5. copy certs with scp *.pem serv@~/.jupyter/
  6. expose jupyter
 c.NotebookApp.ip = '0.0.0.0'
 c.NotebookApp.allow_origin = '*'
