{"id":2055,"date":"2024-03-18T18:56:39","date_gmt":"2024-03-18T13:26:39","guid":{"rendered":"https:\/\/judepereira.com\/blog\/?p=2055"},"modified":"2024-03-18T19:00:44","modified_gmt":"2024-03-18T13:30:44","slug":"colima-cloudflare-zero-trust-on-apple-silicon","status":"publish","type":"post","link":"https:\/\/judepereira.com\/blog\/colima-cloudflare-zero-trust-on-apple-silicon\/","title":{"rendered":"Colima &#038; Cloudflare Zero Trust on Apple Silicon"},"content":{"rendered":"\n<p style=\"line-height:1.5\">Install <a href=\"https:\/\/github.com\/abiosoft\/colima\" target=\"_blank\" rel=\"noopener\" title=\"\">Colima<\/a> via <a href=\"https:\/\/brew.sh\" target=\"_blank\" rel=\"noopener\" title=\"\">Homebrew<\/a>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ brew install colima\n$ colima start<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Add the Cloudflare Certificate<\/h2>\n\n\n\n<p><\/p>\n\n\n\n<p>Get inside the VM that Colima spawns:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ colima ssh\njude@colima:\/Users\/Jude$ &lt;\u2014 make sure that your prompt changes<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p>Download the Cloudflare Zero Trust <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/connections\/connect-devices\/warp\/user-side-certificates\/install-cloudflare-cert\/#download-the-cloudflare-root-certificate\" target=\"_blank\" rel=\"noopener\" title=\"\">certificate<\/a>:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ sudo curl -k https:\/\/developers.cloudflare.com\/cloudflare-one\/static\/Cloudflare_CA.pem --output \/usr\/share\/ca-certificates\/cloudflare.crt\n$ sudo dpkg-reconfigure ca-certificates<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p>In the terminal UI that shows up, press enter until the \u201cMore\u201d prompt goes away, then ensure that <code>cloudflare.crt<\/code> is listed in that list. 
Once verified, trust all the certificates by entering a range, such as 1-138 in my case (tip: the last entry in that list says \u201ctrust none\u201d, so don\u2019t include it in your range). Hit enter.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>Successful output looks similar to this:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Updating certificates in \/etc\/ssl\/certs...\n1 added, 0 removed; done.\nProcessing triggers for ca-certificates (20230311ubuntu1) ...\nUpdating certificates in \/etc\/ssl\/certs...\n0 added, 0 removed; done.\nRunning hooks in \/etc\/ca-certificates\/update.d...\ndone.<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Test<\/h2>\n\n\n\n<p><\/p>\n\n\n\n<p>Test the newly installed certificate:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ curl -v https:\/\/judepereira.com\n* processing: https:\/\/judepereira.com\n...\n* Server certificate:\n*  subject: CN=judepereira.com\n*  start date: Mar 12 08:06:00 2024 GMT\n*  expire date: Jun 30 12:27:01 2024 GMT\n*  subjectAltName: host \"judepereira.com\" matched cert's \"judepereira.com\"\n*  issuer: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; OU=Gateway Intermediate ECC Certificate Authority\n*  SSL certificate verify ok.\n...<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p>Lastly, restart Colima:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ colima restart<\/code><\/pre>\n\n\n\n<p>You&#8217;re done!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Install Colima via Homebrew: Add the Cloudflare Certificate Get inside the VM that Colima spawns: Download the Cloudflare Zero Trust certificate: In the terminal UI that shows up, press enter until the \u201cMore\u201d prompt goes away, then ensure that cloudflare.crt is listed in that list. 
Once verified, trust all the certificates by giving in a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[12],"tags":[673,705,707],"class_list":["post-2055","post","type-post","status-publish","format-standard","hentry","category-misc","tag-cloudflare","tag-colima","tag-docker"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pqtyx-x9","jetpack-related-posts":[{"id":1969,"url":"https:\/\/judepereira.com\/blog\/cloudflare-zero-trust-gateway-and-net-neutrality\/","url_meta":{"origin":2055,"position":0},"title":"Cloudflare Zero Trust Gateway and Net Neutrality","author":"Jude Pereira","date":"April 5, 2023","format":false,"excerpt":"Is Cloudflare ruining the entire concept of a distributed internet? Is it on a path to violate Net Neutrality? 
What can you do to prevent this?","rel":"","context":"In &quot;miscellaneous&quot;","block_context":{"text":"miscellaneous","link":"https:\/\/judepereira.com\/blog\/category\/misc\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2023-04-04-at-20.01.01.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2023-04-04-at-20.01.01.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2023-04-04-at-20.01.01.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2023-04-04-at-20.01.01.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2023-04-04-at-20.01.01.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2023-04-04-at-20.01.01.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":1950,"url":"https:\/\/judepereira.com\/blog\/getting-the-aws-cli-to-accept-cloudflare-warps-root-certificate\/","url_meta":{"origin":2055,"position":1},"title":"Getting the AWS CLI to accept Cloudflare WARP&#8217;s root certificate","author":"Jude Pereira","date":"August 11, 2021","format":false,"excerpt":"Download, convert, and install the Cloudflare WARP root certificate into your local set of trusted root CAs, and then tell the AWS CLI to use it.","rel":"","context":"In &quot;miscellaneous&quot;","block_context":{"text":"miscellaneous","link":"https:\/\/judepereira.com\/blog\/category\/misc\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2021-08-11-at-17.27.10.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2021-08-11-at-17.27.10.png?resize=350%2C200&ssl=1 1x, 
https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2021-08-11-at-17.27.10.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2021-08-11-at-17.27.10.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":1685,"url":"https:\/\/judepereira.com\/blog\/compile-less-on-the-fly-for-your-exploded-war-in-intellij\/","url_meta":{"origin":2055,"position":2},"title":"Compile LESS on the fly for your exploded WAR in IntelliJ","author":"Jude Pereira","date":"February 5, 2016","format":false,"excerpt":"At CleverTap, we've recently started using LESS for dynamic CSS. While it has it's upsides, the biggest downside\u00a0was that most of our developers couldn't use the hot deploy feature for their local deployments. After an hour or so, we came up with a neat solution. \u00a0 There are two parts\u2026","rel":"","context":"In &quot;another snippet | code&quot;","block_context":{"text":"another snippet | code","link":"https:\/\/judepereira.com\/blog\/category\/code\/"},"img":{"alt_text":"External Tool configuration for compiling LESS files before deployment","src":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screen-Shot-2016-02-05-at-01.32.45-1024x494.png?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screen-Shot-2016-02-05-at-01.32.45-1024x494.png?resize=350%2C200 1x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screen-Shot-2016-02-05-at-01.32.45-1024x494.png?resize=525%2C300 1.5x"},"classes":[]},{"id":1855,"url":"https:\/\/judepereira.com\/blog\/nginx-ingress-helm-k8s-rbac\/","url_meta":{"origin":2055,"position":3},"title":"Installing the Nginx Ingress Controller via Helm to a K8s cluster with RBAC enabled","author":"Jude Pereira","date":"October 1, 2018","format":false,"excerpt":"A lot of posts describe how to do this, but are fairly outdated, and do not mention the last supported K8s version. 
Here's a tried and tested way to do so via Helm. This has been tested on GKE, with the Kubernetes master version\u00a01.9.7-gke.6: Create the service account for Tiller\u2026","rel":"","context":"In &quot;another snippet | code&quot;","block_context":{"text":"another snippet | code","link":"https:\/\/judepereira.com\/blog\/category\/code\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2126,"url":"https:\/\/judepereira.com\/blog\/upgrading-to-debian-bookworm-on-qnap-ts-112-also-ts-11x-ts-12x\/","url_meta":{"origin":2055,"position":4},"title":"Upgrading to Debian Bookworm on QNAP TS-112 (also TS-11x\/TS-12x)","author":"Jude Pereira","date":"October 16, 2024","format":false,"excerpt":"I decided to host Minio on a QNAP TS-112 device, bought from a second hand store. Here's a tale of me ditching the QNAP OS in favour of Debian Bookworm.","rel":"","context":"In &quot;gnu linux&quot;","block_context":{"text":"gnu linux","link":"https:\/\/judepereira.com\/blog\/category\/linux\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1830,"url":"https:\/\/judepereira.com\/blog\/ios-mac-ipsec\/","url_meta":{"origin":2055,"position":5},"title":"How to tunnel all traffic from your iOS device to your own server via IPSec","author":"Jude Pereira","date":"May 11, 2018","format":false,"excerpt":"TL;DR: A DigitalOcean droplet, strongSwan, and a custom Configuration Profile for iOS routes all the traffic from my iPhone via my droplet. Why? Just because I can. 
Note: This setup does not require you to download Apple Configurator and switch your iPhone into Supervised mode (we will create a configuration\u2026","rel":"","context":"In &quot;gnu linux&quot;","block_context":{"text":"gnu linux","link":"https:\/\/judepereira.com\/blog\/category\/linux\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screen-Shot-2018-05-10-at-20.34.32-1024x134.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screen-Shot-2018-05-10-at-20.34.32-1024x134.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screen-Shot-2018-05-10-at-20.34.32-1024x134.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/posts\/2055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/comments?post=2055"}],"version-history":[{"count":10,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/posts\/2055\/revisions"}],"predecessor-version":[{"id":2088,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/posts\/2055\/revisions\/2088"}],"wp:attachment":[{"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/media?parent=2055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/categories?post=2055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/tags?post=2055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}