[Proxmox] - add wildcard certificate on nginx for entire domain #523
Reference: Disroot/Disroot-Project#523
When we deploy services locally with self-signed certs, we have the message "Warning: probable security risk" when trying to open the service page with a web browser. It works fine if we accept the risk, but it would be nice to avoid those messages.
@meaz you just need to trust the cert you created on your local machine.
What we should add, though, is the possibility to add a wildcard certificate on nginx for the entire domain, so that once you trust it all vhosts should work.
Yes, that would be useful.
Title changed from "[Proxmox] - Avoid Warning: probable security risk message with selfsigned cert" to "[Proxmox] - add wildcard certificate on nginx for entire domain"
Is that enough to do:
(new part is `common_name: '{{ item.wildcard| default(omit) }}'`) where `{{ item.wildcard }}` could be `*.local_machine_name`, when needed
I've started to work on this, see Disroot-Ansible/nginx#57
Cool. I will re-test it but looks fine.
I added some changes to the role, and I also pushed documentation on how to add the cert as system-wide trusted on your local laptop. I didn't manage to get Firefox to work with it, as it seems to use its own set of certs (it should use p11-kit stuff but dunno and I got too annoyed with it). It does work with Chromium, so you can use it for testing the services you run on your local machine (that's what I started doing). If you find a way to do it, just update the docs.
I have created an issue for the next milestone, #749, to add proper cert distribution for services like prosody and mumble so we don't have to do it manually. So it should be possible to deploy it without manual intervention on pulga but also on the local dev machines.
I consider this finished then.
It is indeed working with Chromium. I'm just having an issue with the sandbox (cryptpad). Cryptpad is OK, just the sandbox. Do you have this too?
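
Added example, not part of this thread or of the Disroot nginx role: a shell sketch of the wildcard certificate discussed above, showing which hostnames OpenSSL's own hostname check accepts for it. The names `devbox.test` and `devbox` are constructed placeholders, and `-addext` assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example. Names below (devbox.test, devbox) are constructed placeholders.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_wildcard_cert BASE: self-signed cert for *.BASE and BASE itself.
# The names go into subjectAltName because clients match hostnames there;
# the CN is set only for readability.
make_wildcard_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" \
        -subj "/CN=*.$1" \
        -addext "subjectAltName=DNS:*.$1,DNS:$1" >/dev/null 2>&1 &&
    chmod 600 "$WORKDIR/$1.key"
}

# cert_covers BASE HOST: exit 0 if OpenSSL accepts HOST for BASE's certificate.
cert_covers() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -checkhost "$2" |
        grep -q "does match certificate"
}

report() {
    if cert_covers "$1" "$2"; then echo "ok      $2"; else echo "REJECT  $2"; fi
}

make_wildcard_cert devbox.test   # two-label base
make_wildcard_cert devbox        # single-label base, like *.local_machine_name

report devbox.test cryptpad.devbox.test          # one label under the wildcard
report devbox.test devbox.test                   # covered by the explicit SAN
report devbox.test sandbox.cryptpad.devbox.test  # two labels deep: not covered
report devbox      cryptpad.devbox               # wildcard on a single label
```

OpenSSL's matcher lets a wildcard stand for exactly one label and ignores a wildcard whose base is a single label, so the last two hosts are rejected even though the certificate itself is trusted.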