+- Moode Forum (https://moodeaudio.org/forum)
+-- Forum: moOde audio player (https://moodeaudio.org/forum/forumdisplay.php?fid=3)
+--- Forum: FAQ and Guides (https://moodeaudio.org/forum/forumdisplay.php?fid=9)
+--- Thread: [How to do instruction] Set up a CA and sign your own certificates for moOde in HTTPS mode. (/showthread.php?tid=7189)
Set up a CA and sign your own certificates for moOde in HTTPS mode. - the_bertrum - 12-11-2024
The HTTPS mode in moOde is experimental, so bear that in mind. Also, the Automatic mode works nicely enough, but you may find that you still get warnings about self-signed certificates, or have bother importing them to your devices. I can't get Android to recognise them for example. What I present here is involved and time consuming, but it is also satisfying and I've got HTTPS working on all my players on all my browsers on all my devices.
BACKUP FIRST! You could end up with a player so secure you can't get in. Or more likely one that won't start for some reason. You may need to re-flash and start again.
Don't try this if you are a "cut and paste" king of guy. The commands presented here need reading and understanding so you can adjust them for your system as necessary.
Remember that HTTPS, Certificate Authorities, and browser certificate stores are there to keep you safe on the internet. This tutorial will be adding stuff into that system which is basically you telling your systems to trust you. You should only do that if you trust you, and if you are following this guide without understanding it then you are basically trusting me. I'm a nice guy, but don't trust me. Make sure you understand what is going on here so you know I'm not sneaking in a back door into your network for my own nefarious reasons.
With those warnings out of the way, on with the show.
---Setting up as a Certificate Authority----
Do all this work on your beefiest moOde player. All the tools you need are already on there, and it makes sense to set up your CA on one of the players that will be secured by it.
Let's begin by making somewhere to keep our files so we know where to find them.
Code:
mkdir ~/certs
cd ~/certsNext we use openssl to create a private key that will be used to generate our root certificate. You will be asked for a passphrase to secure this and you can skip it, but don't. Use a passphrase and remember it (store it with your other important passwords). This will mean only people who know the password for your internal moOde CA will be able to generate keys
Code:
openssl genrsa -des3 -out moodeCA.key 2048Code:
master@orpheus:~/certs $ ls -ltr
total 4
-rw------- 1 master master 1854 Dec 7 14:07 moodeCA.keyCode:
openssl req -x509 -new -nodes -key moodeCA.key -sha256 -days 3650 -out moodeCA.pemHere are the entries I put in for mine, feel free to be creative:
Code:
master@orpheus:~/certs $ openssl req -x509 -new -nodes -key moodeCA.key -sha256 -days 3650 -out moodeCA.pem
Enter pass phrase for moodeCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:moOde
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:moodeCA
Email Address []:.That's it, you are your own Certificate Authority. Only problem is no one else knows that yet and so they still don't trust you. Now, you could at this point try to get yourself registered along with all the other root CAs and then automatically be included in all OS and browser lists, but that isn't ever going to happen so don't think about trying. What you can do though is force all the devices in your local network to trust you, and that is in the end all you really want here. How you go about adding your root certificate to your devices varies with OS. Basically, you need to copy the moodeCA.pem file onto the device you want to make trust you, then run a command to add the file to your trusted store. Instructions for the some main OSes are thus:
Your moOde players, plus any other (ubuntu based) Linux machines:
You will be using the ca-certificates software, which is already on your moOde devices, and probably already on your other Linux boxes too, install it if not. Then:
Code:
sudo cp ~/certs/moodeCA.pem /usr/local/share/ca-certificates/moodeCA.crtNote we use sudo and that we have renamed the .pem to .crt. Then updating the root CA store with this command:
Code:
sudo update-ca-certificatesAnd finally check it there safely with this command (takes a second or two to run)
Code:
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep moodeCAOpen settings, and go to the Privacy and Security section. Scroll to "Certificates" and press the View Certificates button. Select the Authorities tab and press Import. Select your moodeCA.pem file press open, select "Use for validating websites" and press OK.
In Chromium (and presumably its derivatives):
Settings/Privacy and Security/Security/Manage Certificates - Authorities tab, import, moodeCA.pem, use for websites.
Windows10/11, copy the moodeCA.pem to somewhere handy on the machine then:
Open the “Microsoft Management Console” by using the Windows + R keyboard combination, typing mmc and clicking Open
Go to File > Add/Remove Snap-in
Click Certificates and Add
Select Computer Account and click Next
Select Local Computer then click Finish
Click OK to go back to the MMC window
Double-click Certificates (local computer) to expand the view
Select Trusted Root Certification Authorities, right-click on Certificates in the middle column under “Object Type” and select All Tasks then Import
Click Next then Browse. Change the certificate extension dropdown next to the filename field to All Files (*.*) and locate the myCA.pem file, click Open, then Next
Select Place all certificates in the following store. “Trusted Root Certification Authorities store” is the default. Click Next then click Finish to complete the wizard.
If everything went according to plan, you should see your CA certificate listed under Trusted Root Certification Authorities > Certificates.
MacOS - I don't have any of these myself, but I'm informed that it can be done simply with this command:
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" moodeCA.pem
iOS - not tried yet...
Email the root certificate to yourself and then open it in the default mail app on your iOS device.
Open the attachment, it will prompt you to review the profile in the Settings app.
Open the Settings app and click Profile Downloaded near the top.
Click Install in the top right, and then Install again on the Warning screen.
Once installed, hit Close and go back to the main Settings page.
Go to General > About.
Scroll to the bottom and click on Certificate Trust Settings.
Enable your root certificate under “ENABLE FULL TRUST FOR ROOT CERTIFICATES”.
One final step needed for Firefox browsers on Android (and maybe IOS, I've not checked). Firefox will only trust the default CAs, you ned to ask it to trust "third party" ones, you are a third party in this scenario.
Open the Firefox browser on your phone, and from the three dot menu, choose "about". Tap the firefox logo five times to enable the "debug menu", then tap the back arrow and scroll down the "secret settings". In there you will find a toggle for "trust third party CAs" which you should enable.
Phew - you have done the hardest bit, setting up a CA and getting yourself trusted. Probably now is the time to take a break, rest on your laurels a bit, have some coffee, whatever you fancy. Next step is to sign certificates for all you players then upload them and turn on HTTPS.
---Generating certificates for your players---
So to begin, you need three files for each player, a Private Key that will be used to encrypt the traffic server side, a Certificate Signing Request (CSR) to ask the CA to create a certificate to go with your private key, and a parameter file that defines the extensions you want (EXT).
We create the CSR and the private key using the oppenssl utility with which we are already familiar. The commands look like this:
Private Key:
Code:
openssl genrsa -out moode.local.key 2048Code:
openssl req -new -key moode.local.key -out moode.local.csrThe CSR command will ask the same questions as the CA did, again it doesn't matter what you answer except for the Common Name which should be your player name, so mine looked like this for my "Orpheus" player.
Code:
master@orpheus:~/certs $ openssl req -new -key orpheus.local.key -out orpheus.local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:moOde
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:orpheus.local
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Notice I didn't provide a password here, that's not as important as the password on your CA is.
Now for the third file, the extentions. Using your favourite editor, create a file in your certs folder called moode.local.ext (substituting your host name for moode as appropriate). Into this file put the following:
Code:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = moode.local
DNS.2 = moode
IP.1 = <IP of your player>
IP.2 = 172.24.1.1The important bits that you need to adjust for your own use are [alt_names]. DNS.1 is <HOSTNAME>.local, DNS.2 is just <HOSTNAME>, IP.1 is the IP address of your player and is only of use if you have a reserved IP in DHCP or a static IP configured, IP.2 is the IP of the player when it is acting as a hotspot. You need here all the names that you will put in the address bar of the browsers that access the player.
Now to take these files and create a certificate from them that is signed by the CA that our network trusts. The openssl utility is once again our tool:
Code:
openssl x509 -req -in moode.local.csr -CA moodeCA.pem -CAkey moodeCA.key -CAcreateserial -out moode.local.crt -days 1825 -sha256 -extfile moode.local.extNow for the final step, getting your certificate and key into the moOde player webserver. Here Tim has done the work for you, so simply download the .crt and .key files for your player onto your workstation, open the moOde interface and open the System Configuration page. In the HTTPS mode section, select Certificate type of "Manual". The interface will reload and give you an UPLOAD button, click this and use the file picker to locate the key and crt files select both and press open. Once again the interface will reload and confirm the names of the files you have uploaded. You will get a warning here if you have not uploaded both. Now press the INSTALL CERTIFICATE button to load these into the internal web server. You will get a "Certificate installed" Info box, and the files will clear from the UPLOAD section. Now you just need to switch on the HTTPS mode switch, wait for the confirmation and reboot. If all is present and correct, you will now be able to connect over https with no errors or warnings in any of your browsers.
Have fun. Questions or corrections welcome.
I largely based this guide on a Deliciousbrains blog and more information about importing certificates into browser stores is available.
RE: Set up a CA and sign your own certificates for moOde in HTTPS mode. - Tim Curtis - 12-11-2024
Fantastic :-)
Will read throughly this weekend.
RE: Set up a CA and sign your own certificates for moOde in HTTPS mode. - bitlab - 12-11-2024
Great write-up :-)
If you get tired of using the command-line and have multiple certifiicates to manager and you have Windows PC I can advise https://www.hohnstaedt.de/xca/ .
And if you want to do it even more fancy, step-ca + step-cli is awesome; it let's you run you own local 'let's encrypt' for a private network.
Including easy install of ca cert into client computers. You can find more info at https://smallstep.com/docs/step-ca/. It will you also encourage to use relative short living certificates, without the administrative nightmare to refresh everything by hand.
RE: Set up a CA and sign your own certificates for moOde in HTTPS mode. - the_bertrum - 12-12-2024
Ooo look, XCA is on Linux too and it's in my Mint repo. Having a play... I'll look at step-ca too later, you'll have noticed my very long lifespans so I don't have to do this too often
RE: Set up a CA and sign your own certificates for moOde in HTTPS mode. - MonoBY - 12-16-2024
(12-11-2024, 07:31 PM)the_bertrum Wrote: [...]
Now for the third file, the extentions. Using your favourite editor, create a file in your certs folder called moode.local.ext (substituting your host name for moode as appropriate). Into this file put the following:
Code:authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = moode.local
DNS.2 = moode
IP.1 = <IP of your player>
IP.2 = 127.24.1.1
The important bits that you need to adjust for your own use are [alt_names]. DNS.1 is <HOSTNAME>.local, DNS.2 is just <HOSTNAME>, IP.1 is the IP address of your player and is only of use if you have a reserved IP in DHCP or a static IP configured, IP.2 is the IP of the player when it is acting as a hotspot. You need here all the names that you will put in the address bar of the browsers that access the player.
[...]
I think the hotspot IP should be:
Code:
IP.2 = 172.24.1.1RE: Set up a CA and sign your own certificates for moOde in HTTPS mode. - the_bertrum - 12-16-2024
(12-16-2024, 12:55 PM)MonoBY Wrote:(12-11-2024, 07:31 PM)the_bertrum Wrote: [...]
Now for the third file, the extentions. Using your favourite editor, create a file in your certs folder called moode.local.ext (substituting your host name for moode as appropriate). Into this file put the following:
Code:authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = moode.local
DNS.2 = moode
IP.1 = <IP of your player>
IP.2 = 127.24.1.1
The important bits that you need to adjust for your own use are [alt_names]. DNS.1 is <HOSTNAME>.local, DNS.2 is just <HOSTNAME>, IP.1 is the IP address of your player and is only of use if you have a reserved IP in DHCP or a static IP configured, IP.2 is the IP of the player when it is acting as a hotspot. You need here all the names that you will put in the address bar of the browsers that access the player.
[...]
I think the hotspot IP should be:
Code:IP.2 = 172.24.1.1
Quite right! Fixed, thank you.