[Proxmox] - add wildcard certificate on nginx for entire domain #523

Closed
opened 2023-05-06 23:27:19 +02:00 by meaz · 7 comments
Owner

When we deploy services locally with self-signed certs, we get the message "Warning: probable security risk" when trying to open the service page in a web browser. It works fine if we accept the risk, but it would be nice to avoid those messages.
Owner

@meaz you just need to trust the cert you created on your local machine.
What we should add, though, is the possibility to add a wildcard certificate on nginx for the entire domain, so that once you trust it all vhosts should work.
Author
Owner

Yes, that would be useful.
meaz changed title from [Proxmox] - Avoid Warning: probable security risk message with selfsigned cert to [Proxmox] - add wildcard certificate on nginx for entire domain 2023-06-07 15:31:56 +02:00
Author
Owner

Is that enough to do:

```yaml
- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR)'
  community.crypto.openssl_csr:
    path: '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
    privatekey_path: '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
    # Browsers match hostnames against subjectAltName, not the CN, so a
    # wildcard set only here will not be matched; it also needs a
    # subject_alt_name entry (DNS:*.domain).
    common_name: '{{ item.wildcard | default(omit) }}'
  with_items: "{{ nginx_vhosts }}"
  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
  notify: reload nginx
```

(new part is `common_name: '{{ item.wildcard | default(omit) }}'`)

where `{{ item.wildcard }}` could be `*.local_machine_name`, when needed
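As an added example (not a task from the Disroot-Ansible/nginx role, and not something either participant posted): a self-contained playbook that issues one self-signed wildcard certificate per vhost. It reuses the variable names from the task quoted above (`ssl_src_path`, `nginx_vhosts`, `item.ssl_name`, `item.wildcard`); the vhost list, the `/tmp` path and the `.test` domain are constructed, and the `community.crypto` collection is assumed to be installed. The point it adds: modern browsers (Chrome since 58, Firefox since 48) match hostnames only against subjectAltName, so the wildcard has to go into `subject_alt_name`, and because `*.dev.test` does not match `dev.test` itself the bare name is added as a second entry. The last task checks hostname matching with `openssl verify -verify_hostname`.

```yaml
# Added example, not a task from the Disroot-Ansible/nginx role. Variable names
# follow the task quoted above; the vhost list and paths are constructed.
# Requires the community.crypto collection (and its 'cryptography' dependency).
- name: Self-signed wildcard certificates for local testing
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    ssl_src_path: /tmp/ssl-example          # constructed; the role uses its own path
    nginx_vhosts:                           # constructed sample vhost list
      - ssl_name: dev.test
        state: enable
        selfsigned: 'true'
        wildcard: '*.dev.test'
      - ssl_name: plain.test                # no wildcard: SAN gets only the name
        state: enable
        selfsigned: 'true'
    # Same filter as the 'when:' clause in the task above, applied once.
    selfsigned_vhosts: >-
      {{ nginx_vhosts
         | selectattr('state', 'equalto', 'enable')
         | selectattr('selfsigned', 'defined')
         | selectattr('selfsigned', 'equalto', 'true')
         | list }}

  tasks:
    - name: '[SELFSIGNED] - Create per-vhost directory'
      ansible.builtin.file:
        path: '{{ ssl_src_path }}/{{ item.ssl_name }}'
        state: directory
        mode: '0750'
      loop: '{{ selfsigned_vhosts }}'

    - name: '[SELFSIGNED] - Generate private key'
      community.crypto.openssl_privatekey:
        path: '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
        type: RSA
        size: 4096
        mode: '0600'
      loop: '{{ selfsigned_vhosts }}'

    - name: '[SELFSIGNED] - Generate CSR with the wildcard in subjectAltName'
      community.crypto.openssl_csr:
        path: '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.csr'
        privatekey_path: '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
        # CN is informational only: browsers match hostnames against SAN.
        common_name: '{{ item.wildcard | default(item.ssl_name) }}'
        # '*.dev.test' does not cover 'dev.test' itself, so both are listed.
        subject_alt_name: >-
          {{ ['DNS:' ~ item.ssl_name]
             + (['DNS:' ~ item.wildcard] if item.wildcard is defined else []) }}
        basic_constraints:
          - 'CA:FALSE'
        key_usage:
          - digitalSignature
          - keyEncipherment
        extended_key_usage:
          - serverAuth
      loop: '{{ selfsigned_vhosts }}'

    - name: '[SELFSIGNED] - Issue the self-signed certificate'
      community.crypto.x509_certificate:
        path: '{{ ssl_src_path }}/{{ item.ssl_name }}/fullchain.pem'
        csr_path: '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.csr'
        privatekey_path: '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
        provider: selfsigned
        selfsigned_not_after: '+365d'
        mode: '0644'
      loop: '{{ selfsigned_vhosts }}'

    # Trusting the cert as its own anchor: a host one label below the domain
    # must verify; 'dev.test' itself verifies only because of the second SAN.
    - name: '[SELFSIGNED] - Check that a host under the domain matches the cert'
      ansible.builtin.command: >-
        openssl verify
        -CAfile {{ ssl_src_path }}/{{ item.ssl_name }}/fullchain.pem
        -verify_hostname app.{{ item.ssl_name }}
        {{ ssl_src_path }}/{{ item.ssl_name }}/fullchain.pem
      loop: '{{ selfsigned_vhosts }}'
      when: item.wildcard is defined
      changed_when: false
```

The resulting `fullchain.pem` is what gets added to the local trust store; once it is trusted, every vhost one label under the wildcard domain is covered by the single certificate, which is the "trust once, all vhosts work" behaviour discussed above. A wildcard only matches one label, so `a.b.dev.test` would still need its own entry.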
Author
Owner

I've started to work on this, see https://git.disroot.org/Disroot-Ansible/nginx/pulls/57
Owner

Cool. I will re-test it, but it looks fine.
muppeth added this to the 23.11 - November milestone 2023-11-29 23:46:01 +01:00
meaz modified the milestone from 23.11 - November to 23.12 - December 2023-12-03 15:18:59 +01:00
Owner

I added some changes to the role, and I pushed documentation on how to add the cert to the system-wide trust store on your local laptop. I didn't manage to get Firefox to work with it, as it seems to use its own set of certs (it should use the p11-kit stuff, but I don't know, and I got too annoyed with it). It does work with Chromium, so you can use it for testing the services you run on the local machine (that's what I started doing). If you find a way to do it, just update the docs.
I have created issue #749 for the next milestone to add proper cert distribution for services like Prosody and Mumble, so it does not have to be done manually. So it should be possible to deploy it without manual intervention on pulga, but also on the local dev machines.

I consider this finished then.
Author
Owner

It is working indeed with Chromium. I'm just having an issue with the sandbox (CryptPad). CryptPad is OK, just the sandbox. Do you have this too?
Reference: Disroot/Disroot-Project#523