Make explicit "mkcert -help" print to stdout (#265)

Currently "mkcert -help" prints to stderr, which is rather annoying as:

	$ mkcert -help | less

Gives us a blank page, as it pipes only stdout. To get any results in
less I need to use:

	$ mkcert 2>&1 | less
	$ mkcert |& less     # Non-standard bash/ zsh

Since the user explicitly asked for help with -help, it doesn't make
much sense to output it to stderr IMHO.

.travis.yml

@@ -7,6 +7,8 @@ script:
         -ldflags "-X main.Version=$(git describe --tags)"
   - CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -o "mkcert-$(git describe --tags)-linux-arm"
         -ldflags "-X main.Version=$(git describe --tags)"
+  - CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o "mkcert-$(git describe --tags)-linux-arm64"
+        -ldflags "-X main.Version=$(git describe --tags)"
   - CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o "mkcert-$(git describe --tags)-darwin-amd64"
         -ldflags "-X main.Version=$(git describe --tags)"
   - CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o "mkcert-$(git describe --tags)-windows-amd64.exe"

README.md

@@ -4,12 +4,11 @@ mkcert is a simple tool for making locally-trusted development certificates. It
 
 ```
 $ mkcert -install
-Created a new local CA at "/Users/filippo/Library/Application Support/mkcert" 💥
+Created a new local CA 💥
 The local CA is now installed in the system trust store! ⚡️
 The local CA is now installed in the Firefox trust store (requires browser restart)! 🦊
 
 $ mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1
-Using the local CA at "/Users/filippo/Library/Application Support/mkcert" ✨
 
 Created a new certificate valid for the following names 📜
  - "example.com"
@@ -72,18 +71,16 @@ brew install mkcert
 or build from source (requires Go 1.13+)
 
 ```
-git clone github.com/FiloSottile/mkcert
+git clone https://github.com/FiloSottile/mkcert && cd mkcert
 go build -ldflags "-X main.Version=$(git describe --tags)"
 ```
 
 or use [the pre-built binaries](https://github.com/FiloSottile/mkcert/releases).
 
-For Arch Linux users, mkcert is available from AUR as [`mkcert`](https://aur.archlinux.org/packages/mkcert/) or [`mkcert-git`](https://aur.archlinux.org/packages/mkcert-git/).
+For Arch Linux users, [`mkcert`](https://www.archlinux.org/packages/community/x86_64/mkcert/) is available on the official Arch Linux repository.
 
-```bash
-git clone https://aur.archlinux.org/mkcert.git
-cd mkcert
-makepkg -si
+```
+sudo pacman -Syu mkcert
 ```
 
 ### Windows
@@ -144,6 +141,14 @@ To only install the local root CA into a subset of them, you can set the `TRUST_
 	    all other flags and arguments except -install and -cert-file.
 ```
 
+> **Note:** You _must_ place these options before the domain names list.
+
+#### Example
+
+```
+mkcert -key-file key.pem -cert-file cert.pem example.com *.example.com
+```
+
 ### S/MIME
 
 mkcert automatically generates an S/MIME certificate if one of the supplied names is an email address.
@@ -156,7 +161,7 @@ mkcert filippo@example.com
 
 For the certificates to be trusted on mobile devices, you will have to install the root CA. It's the `rootCA.pem` file in the folder printed by `mkcert -CAROOT`.
 
-On iOS, you can either use AirDrop, email the CA to yourself, or serve it from an HTTP server. After installing it, you must [enable full trust in it](https://support.apple.com/en-nz/HT204477). **Note**: earlier versions of mkcert ran into [an iOS bug](https://forums.developer.apple.com/thread/89568), if you can't see the root in "Certificate Trust Settings" you might have to update mkcert and [regenerate the root](https://github.com/FiloSottile/mkcert/issues/47#issuecomment-408724149).
+On iOS, you can either use AirDrop, email the CA to yourself, or serve it from an HTTP server. After opening it, you need to [install the profile in Settings > Profile Downloaded](https://github.com/FiloSottile/mkcert/issues/233#issuecomment-690110809) and then [enable full trust in it](https://support.apple.com/en-nz/HT204477).
 
 For Android, you will have to install the CA and then enable user roots in the development build of your app. See [this StackOverflow answer](https://stackoverflow.com/a/22040887/749014).
 

cert.go

@@ -56,6 +56,11 @@ func (m *mkcert) makeCert(hosts []string) {
 	fatalIfErr(err, "failed to generate certificate key")
 	pub := priv.(crypto.Signer).Public()
 
+	// Certificates last for 2 years and 3 months, which is always less than
+	// 825 days, the limit that macOS/iOS apply to all certificates,
+	// including custom roots. See https://support.apple.com/en-us/HT210176.
+	expiration := time.Now().AddDate(2, 3, 0)
+
 	tpl := &x509.Certificate{
 		SerialNumber: randomSerialNumber(),
 		Subject: pkix.Name{
@@ -63,14 +68,8 @@ func (m *mkcert) makeCert(hosts []string) {
 			OrganizationalUnit: []string{userAndHostname},
 		},
 
-		NotAfter:  time.Now().AddDate(10, 0, 0),
-
-		// Fix the notBefore to temporarily bypass macOS Catalina's limit on
-		// certificate lifespan. Once mkcert provides an ACME server, automation
-		// will be the recommended way to guarantee uninterrupted functionality,
-		// and the lifespan will be shortened to 825 days. See issue 174 and
-		// https://support.apple.com/en-us/HT210176.
-		NotBefore: time.Date(2019, time.June, 1, 0, 0, 0, 0, time.UTC),
+		NotAfter:  expiration,
+		NotBefore: time.Now(),
 
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		BasicConstraintsValid: true,
@@ -134,6 +133,8 @@ func (m *mkcert) makeCert(hosts []string) {
 		log.Printf("\nThe PKCS#12 bundle is at \"%s\" ✅\n", p12File)
 		log.Printf("\nThe legacy PKCS#12 encryption password is the often hardcoded default \"changeit\" ℹ️\n\n")
 	}
+
+	log.Printf("It will expire on %s 🗓\n\n", expiration.Format("2 January 2006"))
 }
 
 func (m *mkcert) printHosts(hosts []string) {
@@ -208,7 +209,8 @@ func (m *mkcert) makeCertFromCSR() {
 	if csrPEM == nil {
 		log.Fatalln("ERROR: failed to read the CSR: unexpected content")
 	}
-	if csrPEM.Type != "CERTIFICATE REQUEST" {
+	if csrPEM.Type != "CERTIFICATE REQUEST" &&
+		csrPEM.Type != "NEW CERTIFICATE REQUEST" {
 		log.Fatalln("ERROR: failed to read the CSR: expected CERTIFICATE REQUEST, got " + csrPEM.Type)
 	}
 	csr, err := x509.ParseCertificateRequest(csrPEM.Bytes)
@@ -260,8 +262,6 @@ func (m *mkcert) makeCertFromCSR() {
 func (m *mkcert) loadCA() {
 	if !pathExists(filepath.Join(m.CAROOT, rootName)) {
 		m.newCA()
-	} else {
-		log.Printf("Using the local CA at \"%s\" ✨\n", m.CAROOT)
 	}
 
 	certPEMBlock, err := ioutil.ReadFile(filepath.Join(m.CAROOT, rootName))
@@ -340,7 +340,7 @@ func (m *mkcert) newCA() {
 		&pem.Block{Type: "CERTIFICATE", Bytes: cert}), 0644)
 	fatalIfErr(err, "failed to save CA key")
 
-	log.Printf("Created a new local CA at \"%s\" 💥\n", m.CAROOT)
+	log.Printf("Created a new local CA 💥\n")
 }
 
 func (m *mkcert) caUniqueName() string {

go.mod

@@ -1,4 +1,4 @@
-module github.com/FiloSottile/mkcert
+module filippo.io/mkcert
 
 go 1.13
 

main.go

@@ -20,6 +20,7 @@ import (
 	"path/filepath"
 	"regexp"
 	"runtime"
+	"runtime/debug"
 	"strings"
 	"sync"
 
@@ -78,8 +79,10 @@ const advancedUsage = `Advanced options:
 
 `
 
-// Version is set more precisely at build time.
-var Version = "v1.4.1-dev"
+// Version can be set at link time to override debug.BuildInfo.Main.Version,
+// which is "(devel)" when building from within the module. See
+// golang.org/issue/29814 and golang.org/issue/29228.
+var Version string
 
 func main() {
 	log.SetFlags(0)
@@ -103,12 +106,20 @@ func main() {
 	}
 	flag.Parse()
 	if *helpFlag {
-		fmt.Fprint(flag.CommandLine.Output(), shortUsage)
-		fmt.Fprint(flag.CommandLine.Output(), advancedUsage)
+		fmt.Print(shortUsage)
+		fmt.Print(advancedUsage)
 		return
 	}
 	if *versionFlag {
-		fmt.Println(Version)
+		if Version != "" {
+			fmt.Println(Version)
+			return
+		}
+		if buildInfo, ok := debug.ReadBuildInfo(); ok {
+			fmt.Println(buildInfo.Main.Version)
+			return
+		}
+		fmt.Println("(unknown)")
 		return
 	}
 	if *carootFlag {
@@ -173,18 +184,18 @@ func (m *mkcert) Run(args []string) {
 		var warning bool
 		if storeEnabled("system") && !m.checkPlatform() {
 			warning = true
-			log.Println("Warning: the local CA is not installed in the system trust store! ⚠️")
+			log.Println("Note: the local CA is not installed in the system trust store.")
 		}
 		if storeEnabled("nss") && hasNSS && CertutilInstallHelp != "" && !m.checkNSS() {
 			warning = true
-			log.Printf("Warning: the local CA is not installed in the %s trust store! ⚠️", NSSBrowsers)
+			log.Printf("Note: the local CA is not installed in the %s trust store.", NSSBrowsers)
 		}
 		if storeEnabled("java") && hasJava && !m.checkJava() {
 			warning = true
-			log.Println("Warning: the local CA is not installed in the Java trust store! ⚠️")
+			log.Println("Note: the local CA is not installed in the Java trust store.")
 		}
 		if warning {
-			log.Println("Run \"mkcert -install\" to avoid verification errors ‼️")
+			log.Println("Run \"mkcert -install\" for certificates to be trusted automatically ⚠️")
 		}
 	}
 

mkcert-master.rb

@@ -1,17 +0,0 @@
-# Copyright 2018 The mkcert Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-class MkcertMaster < Formula
-	desc "Simple tool to make locally trusted development certificates"
-	homepage "https://github.com/FiloSottile/mkcert"
-	head "https://github.com/FiloSottile/mkcert.git"
-
-	depends_on "go" => :build
-
-	def install
-		ENV["GOPATH"] = HOMEBREW_CACHE/"go_cache"
-		system "go", "build", "-o", bin/"mkcert"
-		prefix.install_metafiles
-	end
-end

truststore_nss.go

@@ -24,7 +24,11 @@ var (
 		"/etc/pki/nssdb", // CentOS 7
 	}
 	firefoxPaths = []string{
-		"/usr/bin/firefox", "/Applications/Firefox.app",
+		"/usr/bin/firefox",
+		"/usr/bin/firefox-nightly",
+		"/usr/bin/firefox-developer-edition",
+		"/Applications/Firefox.app",
+		"/Applications/FirefoxDeveloperEdition.app",
 		"/Applications/Firefox Developer Edition.app",
 		"/Applications/Firefox Nightly.app",
 		"C:\\Program Files\\Mozilla Firefox",