dearsky/numa
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 25 Wiki Activity

fix CA removal: delete by SHA-1 hash, update README with TLS

Browse Source 
security delete-certificate -c fails when multiple certs match.
Now finds all certs by hash and deletes each individually.
Also updated README with HTTPS, service persistence, and TLS mentions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Razvan Dimescu
2026-03-21 01:35:14 +02:00
parent 5e7a653f9c
commit cfd9a562af
2 changed files with 32 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@@ -8,7 +8,7 @@ Block ads and trackers. Override DNS for development. Name your local services.
- **Ad blocking that travels with you** — 385K+ domains blocked out of the box. Works on any network: coffee shops, hotels, airports. - **Ad blocking that travels with you** — 385K+ domains blocked out of the box. Works on any network: coffee shops, hotels, airports.
- **Developer overrides** — point any hostname to any IP with auto-revert. No more editing `/etc/hosts`. - **Developer overrides** — point any hostname to any IP with auto-revert. No more editing `/etc/hosts`.
- **Local service proxy** — access `frontend.numa`, `api.numa` instead of `localhost:5173`. Clean URLs with WebSocket support for HMR. - **Local service proxy** — access `https://frontend.numa` instead of `localhost:5173`. Auto-generated TLS certs, WebSocket support for HMR.
- **Sub-millisecond caching** — cached lookups in 0ms. Faster than any public resolver. - **Sub-millisecond caching** — cached lookups in 0ms. Faster than any public resolver.
- **Live dashboard** — real-time query stats, blocking controls, override management, local services at `http://numa.numa` (or `localhost:5380`). - **Live dashboard** — real-time query stats, blocking controls, override management, local services at `http://numa.numa` (or `localhost:5380`).
- **Single binary, zero config** — just run it. - **Single binary, zero config** — just run it.
@@ -86,8 +86,10 @@ target_port = 8000
``` ```
- `numa.numa` is pre-configured — the dashboard itself, accessible without remembering the port - `numa.numa` is pre-configured — the dashboard itself, accessible without remembering the port
- **HTTPS with green lock** — auto-generated local CA + per-service TLS certs. `sudo numa install` trusts the CA in your system keychain.
- WebSocket support — Vite/webpack HMR works through the proxy - WebSocket support — Vite/webpack HMR works through the proxy
- Health checks — dashboard shows green/red status for each service - Health checks — dashboard shows green/red status for each service
- Services persist across restarts (`~/.config/numa/services.json`)
- Manage via dashboard UI or REST API - Manage via dashboard UI or REST API
## Resolution Pipeline ## Resolution Pipeline
@@ -197,7 +199,7 @@ REST API on port 5380 (22 endpoints):
| Ad blocking | Yes | Yes | Limited | 385K+ domains | | Ad blocking | Yes | Yes | Limited | 385K+ domains |
| Portable | No (Raspberry Pi) | Cloud only | Cloud only | Single binary | | Portable | No (Raspberry Pi) | Cloud only | Cloud only | Single binary |
| Developer overrides | No | No | No | REST API + auto-expiry | | Developer overrides | No | No | No | REST API + auto-expiry |
| Local service proxy | No | No | No | `.numa` domains + WebSocket | | Local service proxy | No | No | No | `.numa` domains + HTTPS + WebSocket |
| Data stays local | Yes | Cloud | Cloud | 100% local | | Data stays local | Yes | Cloud | Cloud | 100% local |
| Zero config | Complex setup | Yes | Yes | Works out of the box | | Zero config | Complex setup | Yes | Yes | Works out of the box |
| Self-sovereign DNS | No | No | No | pkarr/DHT roadmap | | Self-sovereign DNS | No | No | No | pkarr/DHT roadmap |
@@ -225,7 +227,7 @@ Zero external DNS libraries. RFC 1035 wire protocol parsed by hand. Dependencies
- [x] Ad blocking — 385K+ domains, dashboard, allowlist - [x] Ad blocking — 385K+ domains, dashboard, allowlist
- [x] System DNS auto-discovery — Tailscale, VPN split-DNS - [x] System DNS auto-discovery — Tailscale, VPN split-DNS
- [x] System DNS auto-configuration — `numa install` / `numa uninstall` - [x] System DNS auto-configuration — `numa install` / `numa uninstall`
- [x] Local service proxy — `.numa` domains with HTTP reverse proxy + WebSocket support - [x] Local service proxy — `.numa` domains with HTTP/HTTPS reverse proxy, auto TLS, WebSocket
- [ ] pkarr integration — self-sovereign DNS via Mainline DHT - [ ] pkarr integration — self-sovereign DNS via Mainline DHT
- [ ] Decentralized resolver network — staking, auditing, token economics - [ ] Decentralized resolver network — staking, auditing, token economics

31
src/system_dns.rs
View File

@@ -820,14 +820,35 @@ fn untrust_ca() -> Result<(), String> {
#[cfg(target_os = "macos")] #[cfg(target_os = "macos")]
{ {
if ca_path.exists() { // Find all Numa CA certs by hash and delete each one
if let Ok(out) = std::process::Command::new("security")
.args([
"find-certificate",
"-c",
"Numa Local CA",
"-a",
"-Z",
"/Library/Keychains/System.keychain",
])
.output()
{
let stdout = String::from_utf8_lossy(&out.stdout);
for line in stdout.lines() {
if let Some(hash) = line.strip_prefix("SHA-1 hash: ") {
let hash = hash.trim();
let _ = std::process::Command::new("security") let _ = std::process::Command::new("security")
.args(["remove-trusted-cert", "-d"]) .args([
.arg(&ca_path) "delete-certificate",
.status(); "-Z",
eprintln!(" Removed Numa CA from system keychain"); hash,
"/Library/Keychains/System.keychain",
])
.output();
} }
} }
}
eprintln!(" Removed Numa CA from system keychain");
}
#[cfg(target_os = "linux")] #[cfg(target_os = "linux")]
{ {