Localhost SSL cert with Lima

Hi @swalkinshaw,

I see you commented regarding certificate automation being added for Lima in a newer version of Trellis CLI.

However, I cannot find any further documentation of it, and these and the related PRs, while a few years old, are still open.

Is there anything you can point me towards to help me set this up?

Thank you in advance!

Sorry about that; that functionality has never been added since it relied on that big SSL refactor in Trellis which I never felt comfortable changing a while ago and now it’s quite stale.

Hi @swalkinshaw,

Ok, thanks for the answer. Any tips on setting it up manually? Or is that a complex task?

Best!

You basically need to run this command:

security add-trusted-cert -k ~/Library/Keychains/login.keychain $CERTIFICATE_PATH

You can either download the cert from your VM to your local machine, or follow a guide like this one

I ran into this same issue and here’s the simple workflow that ended up working for me. Since Lima doesn’t have automated SSL handling yet, this is a clean manual approach that stays compatible with Trellis defaults…

1. Enter the Lima VM from your Trellis project directory
Run this inside your Trellis project (the directory containing the trellis folder):

trellis vm shell

2. Copy the generated certificate somewhere readable (I used /tmp)

sudo cp /etc/nginx/ssl/example.com.cert /tmp/

3. Exit the VM

exit

4. Copy the certificate from the VM to your host machine

Note: you will need the VM’s name. If you don’t remember your Lima VM name, you can list all VMs:

limactl list

Then copy the cert using your Lima instance name:

limactl copy <lima-vm-name>:/tmp/example.com.cert ~/Downloads/

(Copying from /tmp avoids the permission issues you’d hit when pulling directly from /etc/nginx/ssl.)

5. Move the certificate somewhere that makes sense to you
For me, it made sense to keep development certs together in a folder inside my ~/.ssh directory:

mkdir -p ~/.ssh/lima
mv ~/Downloads/example.com.cert ~/.ssh/lima/

6. Trust the certificate on macOS

security add-trusted-cert \
  -k ~/Library/Keychains/login.keychain-db \
  ~/.ssh/lima/example.com.cert

After this, your local https://example.com (or whatever local domain you’re using) should load in the browser without warnings.

This approach kept things simple and avoided modifying permissions inside /etc/nginx/ssl. Hopefully this helps others running Trellis with Lima until official SSL handling is added.


Hello! Nice guide! It works!

I had to restart my computer for this to kick in, so if it doesn’t instantly work for someone then try that 🙂

Edit: Here’s everything in a single line for easy copy-pasting. Just replace example.com with whatever your site’s domain is and it should work!

trellis vm shell -- sudo cp /etc/nginx/ssl/example.com.cert /tmp/ && limactl copy example.com:/tmp/example.com.cert ~/Downloads/ && mkdir -p ~/.ssh/lima && mv ~/Downloads/example.com.cert ~/.ssh/lima/ && security add-trusted-cert -k ~/Library/Keychains/login.keychain-db ~/.ssh/lima/example.com.cert

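The step-by-step guide and the one-liner above both copy the certificate through the VM's /tmp and then hand it straight to `security add-trusted-cert`. Because /tmp inside the VM is world-writable, it is worth confirming that the file that reached the host is byte-for-byte the one nginx actually serves before adding it to the login keychain. The script below is an added example, not code from the thread or from the Trellis project: it asks OpenSSL inside the VM for the SHA-256 fingerprint of /etc/nginx/ssl/<domain>.cert, performs the same copy steps as the guide, recomputes the fingerprint on the host from the PEM it received, and only then calls `security add-trusted-cert`. It assumes `limactl` and macOS `security` are on PATH, that `openssl` is installed in the VM (it is on the Ubuntu images Trellis uses), and that the Lima instance name and site domain are passed on the command line.

```python
"""Copy a Trellis-generated certificate out of a Lima VM and trust it on macOS,
verifying the SHA-256 fingerprint on both sides first.

Added example (not from the forum thread or the Trellis project). Assumes:
  - `limactl` and the macOS `security` tool are on PATH
  - `openssl` is available inside the VM
  - usage: python3 trust_lima_cert.py <lima-vm-name> <domain>
"""
import base64
import hashlib
import re
import subprocess
import sys
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 over the DER, the same value that
    `openssl x509 -noout -fingerprint -sha256` prints after the '='."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Accept 'sha256 Fingerprint=ab:cd:..', 'SHA256 Fingerprint=..' or bare hex
    and return the canonical 'AB:CD:..' form used by sha256_fingerprint()."""
    value = text.strip().split("=", 1)[-1]
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(hexdigits) != 64:
        raise ValueError(f"unexpected fingerprint output: {text!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 64, 2))


def vm_fingerprint(vm: str, remote_path: str) -> str:
    """Fingerprint of the file nginx serves, computed inside the VM as root."""
    out = subprocess.run(
        ["limactl", "shell", vm, "sudo", "openssl", "x509", "-noout",
         "-fingerprint", "-sha256", "-in", remote_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return normalize_fingerprint(out)


def fetch_and_trust(vm: str, domain: str, dest_dir: Path, keychain: Path) -> str:
    """Copy the cert out via /tmp (as in the guide), verify it, trust it.
    Returns the verified fingerprint."""
    remote = f"/etc/nginx/ssl/{domain}.cert"
    expected = vm_fingerprint(vm, remote)

    # Same copy route as the guide: /etc/nginx/ssl -> /tmp -> host.
    subprocess.run(["limactl", "shell", vm, "sudo", "cp", remote,
                    f"/tmp/{domain}.cert"], check=True)
    dest_dir.mkdir(parents=True, exist_ok=True)
    local = dest_dir / f"{domain}.cert"
    subprocess.run(["limactl", "copy", f"{vm}:/tmp/{domain}.cert", str(local)],
                   check=True)

    # Refuse to trust anything that does not match what the VM reported.
    actual = sha256_fingerprint(pem_to_der(local.read_text()))
    if actual != expected:
        raise SystemExit(
            f"fingerprint mismatch for {local}\n  VM:   {expected}\n  host: {actual}"
        )
    subprocess.run(["security", "add-trusted-cert", "-k", str(keychain), str(local)],
                   check=True)
    return actual


if __name__ == "__main__":
    if len(sys.argv) != 3:
        raise SystemExit("usage: trust_lima_cert.py <lima-vm-name> <domain>")
    fp = fetch_and_trust(
        sys.argv[1], sys.argv[2],
        Path.home() / ".ssh" / "lima",                          # same folder the guide uses
        Path.home() / "Library/Keychains/login.keychain-db",
    )
    print(f"trusted {sys.argv[2]} with SHA-256 fingerprint {fp}")
```

`trellis vm` names the instance after the site, so `python3 trust_lima_cert.py example.com example.com` mirrors the one-liner in the thread; the fingerprint comparison is the only step added on top of the guide's own commands.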

@qwatts-dev Thank you for this ❤️ Just updated https://roots.io/trellis/docs/ssl/ with these steps and added you to the contributors list for the page
