SSL/TLS

Lando uses its own Certificate Authority to sign the certs for each service and to ensure that these certs are trusted on our internal Lando network. They should live inside every service at /certs.

/certs
|-- cert.crt
|-- cert.csr
|-- cert.ext
|-- cert.key
|-- cert.pem

Trusting the CA

While Lando will automatically trust this CA internally it is up to you to trust it on your host machine. Doing so will alleviate browser warnings regarding certs we issue.

The default Lando CA should be located at ~/.lando/certs/lndo.site.pem. If you don't see the cert there, try starting up an app. This will generate the CA if its not already there. Note that if you change the Lando domain in the global config you will have differently named certs and you will likely need to trust these new certs and rebuild your apps for them to propagate correctly.

Also note that in accordance with the restrictions on wildcard certs changing the domain may result in unexpected behavior depending on how you set it. For example, setting domain to a top level domain such as test will not work.

That all said, once you've located the correct cert you can add or remove it with the relevant commands below.

macOS

# Add the Lando CA
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/.lando/certs/lndo.site.pem

# Remove Lando CA
sudo security delete-certificate -c "Lando Local CA"

Windows

# Add the Lando CA
certutil -addstore -f "ROOT" C:\Users\ME\.lando\certs\lndo.site.pem

# Remove Lando CA
certutil -delstore "ROOT" serial-number-hex

Debian

# Add the Lando CA
sudo cp -r ~/.lando/certs/lndo.site.pem /usr/local/share/ca-certificates/lndo.site.pem
sudo update-ca-certificates

# Remove Lando CA
sudo rm -f /usr/local/share/ca-certificates/lndo.site.pem
sudo update-ca-certificates --fresh