Posts: 14,140
Threads: 323
Joined: Mar 2018
Reputation: 578
(03-02-2025, 08:28 PM)TheOldPresbyope Wrote: [Arrgh. Don't try to test when you're in the midst of doing three other things at the same time.]
Turns out I did complete the first 5 steps before I was called away. When I came back later, I thought I saw the cert listed in step 6 but didn't see any slider. Went back to steps 3-4 and now couldn't install the cert (note to self: because it was already installed, dummy!).
By then I was thoroughly confused so, instead of taking time out to make a cup of coffee and get some cat therapy, I posted and then back-edited my clumsy post.
I've now tried this procedure with both my iPad and an Apple iPhone SE (iOS 18.3). On both, I've apparently installed the cert but without an entry or a slider in step 6 I can't trust it per step 7.
From the iPhone SE, here's what I now see under General>VPN & Device Management
and under General>About>Security Trust Settings
Not sure what I'm doing wrong.
Regards,
Kent
A mystery.
Maybe Step 3? It can be a bit confusing because, in addition to the cert icon and the text next to it, there is also a download button which will just download the cert file and not the "profile" (I think).
3. Click the Cert icon to download the "Profile"
Posts: 6,275
Threads: 186
Joined: Apr 2018
Reputation: 251
03-02-2025, 10:01 PM (This post was last modified: 03-02-2025, 10:10 PM by TheOldPresbyope. Edit Reason: ETA - observation about DNS/mDNS)
Don't think I did that but just to be sure I deleted the profile (in VPN & Device Management) and purposefully downloaded the attachment instead of clicking on the cert icon. Now there's no certificate listed in VPN & Device Management for me to install.
Bottom line: I think I followed the procedure correctly and failed.
ETA: I don't see how this would matter since my player's mDNS name is stated in the cert, but unlike most of the moOde users, I do not have a local DNS resolver on my LAN (thanks, Verizon) so I depend on mDNS. Just thought I'd better throw that out.
I'm stumped but I'm out of time today.
Regards,
Kent
Posts: 2,025
Threads: 45
Joined: Mar 2020
Reputation: 96
03-03-2025, 08:15 AM
(This post was last modified: 03-03-2025, 08:16 AM by the_bertrum.)
(03-02-2025, 06:13 PM)TheOldPresbyope Wrote: First, a quibble. The manual generation of a ca-certificate is mentioned but the procedure isn't spelled out. Should there be some sort of "out of scope of this document" statement as I recall one of Robert's documents saying?
In the new and improved system Tim is developing, the auto-generated certificate is also a CA, so no need to do the complicated CA setup I used elsewhere (but it's a fun thing to do anyway).
(03-02-2025, 06:13 PM)TheOldPresbyope Wrote: Second, for my Google Pixel 6a phone (Android 15), the steps described fall down at the point in step 7 where I select the ca-certificate from the Downloads. I never get to choose "Install". Instead, I get a message saying something like "private key required to install a certificate". It disappears quickly, leaving me back at the "Install a certificate" screen. Perhaps I'm missing something obvious?
That suggests that you are using the original automatic certificate rather than the new procedure that Tim developed. I expect it can be "gulped", but it's also just a trivial one-word change to a file if you want to do it manually.
ETA: Thanks for testing it though Kent. Needs your rigour to catch any of my enthusiastic over simplifications.
----------------
Robert
Posts: 14,140
Threads: 323
Joined: Mar 2018
Reputation: 578
Yes, I think Kent might have the original /var/www/util/get-cert.sh file that has CA:FALSE in the cert template.
Posts: 6,275
Threads: 186
Joined: Apr 2018
Reputation: 251
@Tim Curtis
@the_bertrum
What's the probability that, if I have two identical moOde players on my desk, one stock 9.2.5 and the other gulp'ed to yesterday's github distro, I would do all this testing on the stock (e.g., wrong) player.
Should be 0%, right, or 50% if I were choosing players randomly. Nope, for this Homer Simpson look-alike, the probability was 100%.
If I were in a car, I'd be convicted of distracted driving.
Maybe tomorrow I can get back to being your crash test dummy.
Regards,
Kent
Posts: 6,275
Threads: 186
Joined: Apr 2018
Reputation: 251
@Tim Curtis
@the_bertrum
Ok, new day, new me (well, no, the old me).
moOde 9.2.5. Gulped from repo as of two days ago. Followed the guide to enable HTTPS, transfer the cert to various devices, and install it in their cert stores.
- I can now access https://moode.local using Safari, Firefox, Firefox Focus, Opera browsers on my iPad and iPhone SE (both at OS version 18.3.1 now).
- I can now access https://moode.local using Firefox and Chrome browsers on my Linux Mint laptop (it takes several steps to get the CA certificate into their cert store; more later).
- I am still having issues with my Google Pixel 6a. The CA cert installs but my browsers won't open or even acknowledge the existence of the site, whether I enter the mDNS address or the IP address. Will have to diagnose later.
Regards,
Kent
Posts: 6,275
Threads: 186
Joined: Apr 2018
Reputation: 251
@Tim Curtis
@the_bertrum
As of yesterday, the working doc doesn't address Linux. Here's what worked for me.
1. Download the .cer file from moOde into my Linux Mint system. Let's say it's moode.local.cer
2. convert the .cer file to a .crt file (see note 1)
Code: openssl x509 -inform DER -outform PEM -in ./moode.local.cer -out ./moode.local.crt
3. Copy the .crt file to the local staging directory used by update-ca-certificates
Code: sudo cp moode.local.crt /usr/local/share/ca-certificates/
4. Update Linux Mint's certificate store
Code: sudo update-ca-certificates
All done. Various browsers prolly still flag the first attempt to access https://moode.local as unsafe, but once you've indicated you're ok with it as an exception, they accept any future attempts.
Note 1: A .cer file is different from a .pem file but AIUI a .pem file and a .crt file are essentially the same functionally. Weirdly, update-ca-certificates processes only those ca-certificate files in /usr/local/share/ca-certificates with a .crt extension (and leaves .pem files in the store. Yikes!)
Note 2: My steps 2 and 3 could be combined but I kept them separate for clarity.
Note 3. It seems to me the procedure to follow after changing the hostname could also be used as a way to download the ca-certificate in .pem form directly from the browser. Thus, my step 1 would be skipped, and my step 2 would reduce to just copying the file to the staging directory whilst changing its extension to .crt. Caveat: I haven't tested this yet.
Note 4. I tested this in Linux Mint but it should work in Debian or any Debian-based distro. The procedure is a tad different in RedHat (consult the InterWeb) but I don't have an installation to test with.
Note 5. Like @ the_bertrum, I quite like the idea of setting up a separate local CA on my LAN since I'm constantly standing up various moOde players in testing.
Regards,
Kent
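Kent's four steps as one script, added here as an example (it is not moOde's own code and not Kent's procedure verbatim). It handles both the DER .cer that moOde serves and an already-PEM download (Kent's Note 3), refuses to stage anything whose Basic Constraints are not CA:TRUE (the CA:FALSE template Tim mentions earlier is, per Robert's diagnosis, what trips the Android CA installer), and finishes with an openssl verify against the rebuilt bundle. The file name moode.local.cer and the NAME.crt derived from the subject CN are assumptions taken from the post; only openssl and update-ca-certificates are required.

```shell
#!/bin/sh
# Added example, not moOde's code. Installs a moOde-downloaded CA certificate
# into a Debian-family trust store, but only after confirming it really is a
# CA certificate (CA:TRUE), then verifies the result.
# Assumes only openssl(1) and update-ca-certificates(8).
set -eu

# Staging dir scanned by update-ca-certificates; it only picks up *.crt files.
STORE=/usr/local/share/ca-certificates
# Bundle that update-ca-certificates rebuilds from the store.
BUNDLE=/etc/ssl/certs/ca-certificates.crt

# cer_to_crt IN OUT: write IN as PEM to OUT. moOde's .cer download is DER, but
# a certificate saved straight from the browser may already be PEM, in which
# case only the file extension needs to change.
cer_to_crt() {
    in=$1 out=$2
    if grep -aq -- '-----BEGIN CERTIFICATE-----' "$in"; then
        cp "$in" "$out"
    else
        openssl x509 -inform DER -in "$in" -outform PEM -out "$out"
    fi
}

# is_ca FILE: succeed only if the PEM cert carries Basic Constraints CA:TRUE.
# A leaf cert (CA:FALSE, as in the old get-cert.sh template mentioned above)
# is still copied into the bundle by update-ca-certificates, but it is not a
# trust anchor and, per the earlier posts, is what Android's CA installer rejects.
is_ca() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# cert_cn FILE: print the subject CN (e.g. moode.local) for the store file name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# install_ca FILE [NAME]: stage the PEM as NAME.crt and rebuild the bundle.
# Refuses non-CA certs. Needs root for the copy and the rebuild.
install_ca() {
    crt=$1
    name=${2:-$(cert_cn "$crt")}
    if ! is_ca "$crt"; then
        echo "refusing $crt: Basic Constraints is not CA:TRUE" >&2
        return 1
    fi
    sudo cp "$crt" "$STORE/$name.crt"
    sudo update-ca-certificates
}

# verify_against CERT [BUNDLE]: check that CERT chains to BUNDLE (default: the
# system bundle), i.e. that the install actually took effect.
verify_against() {
    openssl verify -CAfile "${2:-$BUNDLE}" "$1" >/dev/null
}

# Usage: sh install-moode-ca.sh moode.local.cer
main() {
    src=$1
    tmp=$(mktemp)
    cer_to_crt "$src" "$tmp"
    install_ca "$tmp"
    verify_against "$tmp"
    echo "$(cert_cn "$tmp") is now trusted via $BUNDLE"
    rm -f "$tmp"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The CA:TRUE gate is the one step worth keeping even if you do the rest by hand: update-ca-certificates does no such check, so a leaf certificate dropped into /usr/local/share/ca-certificates ends up in the bundle without complaint and only fails later, in the browser or on the phone.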
Posts: 14,140
Threads: 323
Joined: Mar 2018
Reputation: 578
(03-05-2025, 01:24 AM)TheOldPresbyope Wrote: @Tim Curtis
@the_bertrum
As of yesterday, the working doc doesn't address Linux. Here's what worked for me.
[...]
I'll update the doc, thx :-)
Posts: 2,025
Threads: 45
Joined: Mar 2020
Reputation: 96
There were Linux instructions in my linked doc, but they dealt with a pem rather than a cer; other than that, they matched what you detailed, Kent, so all good there.
A handy command for verifying it worked:
Code: awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep <whatever the cert was called>
As for the Android phone issue, I have this recorded in my document:
Firefox Android
- Open the Firefox browser on your phone, and from the three dot menu, choose "about".
- Tap the firefox logo five times to enable the "debug menu", then tap the back arrow and scroll down the "secret settings".
- In there you will find a toggle for "trust third party CAs" which you should enable.
Not sure if that is relevant in this case though since it seems to be not just (or even) Firefox in your case. I'm flashing a vanilla image with no "legacy" certificate baggage to try it out again on my Pixel 6.
----------------
Robert
Posts: 6,275
Threads: 186
Joined: Apr 2018
Reputation: 251
(03-05-2025, 01:56 PM)the_bertrum Wrote: There were Linux instructions in my linked doc, but they dealt with a pem rather than a cer; other than that, they matched what you detailed, Kent, so all good there.
A handy command for verifying it worked:
Code: awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep <whatever the cert was called>
1. Since moOde downloads a .cer file, that's what I went with.
2. Good verification script. I just trusted update-ca-certificates to do what it's supposed to.
Quote: As for the Android phone issue, I have this recorded in my document:
Firefox Android
- Open the Firefox browser on your phone, and from the three dot menu, choose "about".
- Tap the firefox logo five times to enable the "debug menu", then tap the back arrow and scroll down the "secret settings".
- In there you will find a toggle for "trust third party CAs" which you should enable.
Not sure if that is relevant in this case though since it seems to be not just (or even) Firefox in your case. I'm flashing a vanilla image with no "legacy" certificate baggage to try it out again on my Pixel 6.
Yeah, the fancy finger-tapping had been done. Did I mention this problem occurs in both Firefox and Chrome on my phone? I may have to run a remote debugger to figure out how the browsers are trying to reach the player.
As Roseann Rosannadanna would say, "it's always something!"
Regards,
Kent