For testing .local domains using SSL we can't use letsencrypt & certbot as explained here. (where did that link go)
Instead we need to create our own self-signed certificates and get the local machine to trust them. Chrome is extra strict and whinges about pretty much everything, and I couldn't get it to trust a self-signed wildcard CN cert. So here's what I did to get it working locally on OSX with a happy chrome:
First create an openssl.cnf
file:
[req]
prompt = no
distinguished_name = req_distinguished_name