moodeaudio.org > Moode Forum moOde audio player Feature requests v
[PROBLEM] Web UI via HTTPS

Thank you for your donation!


Cloudsmith graciously provides open-source package management and distribution for our project.


Thread Modes
Problem: Web UI via HTTPS
ubergoober Offline
Junior Member
*
Posts: 25
Threads: 3
Joined: Dec 2023
Reputation: 0
#9
12-30-2023, 10:17 PM (This post was last modified: 12-30-2023, 10:19 PM by ubergoober.)
(12-30-2023, 09:55 PM)Tim Curtis Wrote: I think Lets Encrypt is for Internet hosts and not local hosts like moOde. AFAIK for local hosts a self-signed cert needs to be used and then added to the OS Trust Store since there is no root CA for self-signed certs.

One challenge for moOde HTTPS is that the user chooses the host name (domain name) for a given moOde host and its this domain name that is assigned to the Common Name attribute when the cert is created, thus each moOde host needs its own unique  cert.

For example the self-signed cert attributes associated with domain name. The IP address is for Access Point (AP) mode.

Code:
# Common Name
commonName  = $HOSTNAME.local

# Subject Alternative Names
DNS.1       = $HOSTNAME.local
DNS.2       = $HOSTNAME
IP.1        = 172.24.1.1

The solution I was referring to in my previous post automates cert creation and installation into NGINX. The second part involving adding the cert to the OS Trust Store is a manual process.

After it's shipped with upcoming 8.3.8 release have a look and see if there is a way to improve it or if needed replace it with something better :-)

I'm happy to give it a look.  There are ways to work around the public/private context.  For instance, as in the previously mentioned Home Assistant use case, they employ Duck DNS in order to obtain a public FQDN for the application.  This is free and can be useful in so many other ways, especially if you're into self hosting or running a home lab.  A cert is a cert whether it's an internet host or private.  it's either trusted or not.

This public FQDN is used during the enrollment process for the Let's encrypt certificate.  Let's encrypt does a check to determine the FQDN resolves and gets an http response. In the case where the host is not actually publicly accessible, they have a workaround that requires a few more steps with your DNS provider, or you can temporarily port forward to your internal host.  I'm not certain whether or not the port needs to remain open to renew a certificate.

I think loading the cert into the browser/OS trust store will be less work for users overall.  Most browsers will only trust a cert for about a year and some will not honor it if it's expiration date extends past a certain number of days. Let's Encrypt issues theirs for only 90 days to work well within these limits.  The downside of giving us encryption is how many forum messages will be appearing a year later   Big Grin.
Find
Reply


Messages In This Thread
Web UI via HTTPS - by bm401 - 10-07-2022, 01:25 PM
RE: Web UI via HTTPS - by Tim Curtis - 10-07-2022, 02:08 PM
RE: Web UI via HTTPS - by bm401 - 10-07-2022, 02:37 PM
RE: Web UI via HTTPS - by ubergoober - 12-28-2023, 02:14 AM
RE: Web UI via HTTPS - by Tim Curtis - 12-28-2023, 12:52 PM
RE: Web UI via HTTPS - by Tim Curtis - 12-28-2023, 11:57 PM
RE: Web UI via HTTPS - by ubergoober - 12-30-2023, 09:08 PM
RE: Web UI via HTTPS - by Tim Curtis - 12-30-2023, 09:55 PM
RE: Web UI via HTTPS - by ubergoober - 12-30-2023, 10:17 PM
RE: Web UI via HTTPS - by bump_here - 12-31-2023, 06:04 PM
RE: Web UI via HTTPS - by lifeform - 06-10-2024, 12:27 PM
RE: Web UI via HTTPS - by bump_here - 06-15-2024, 03:40 PM
RE: Web UI via HTTPS - by bump_here - 06-18-2024, 08:59 PM

Forum Jump: