moOde and HTTPS
#13
(02-19-2024, 12:44 PM)Tim Curtis Wrote:
(02-18-2024, 11:28 PM)ubergoober Wrote: Since the moOde player is not a certificate authority, it should not pretend to be. It should have an identity certificate signed by a known and trusted CA. Anybody operating strictly within their own private home network should not care.
If you are going to the trouble of exposing it to the internet, then there isn't any reason you could not use an ACME client script to get a free cert from Let's Encrypt. If you don't want your player exposed full time, you can tell your router that the IP address of the player is the DMZ host, allowing full access while you generate or renew your cert.
The Let's Encrypt CA cert is already included in Windows, Linux, iOS and Android. Wrapping a script around the ACME client should allow you to place the ID cert in the correct place and use it for the REST API.

The HTTPS mode feature is for local network only and not for connecting a moOde host directly to the Internet, which has never been supported because it's insecure in many ways other than whether or not HTTPS is used.

To run HTTPS on a local network you either have to generate self-signed certs or run a local Certificate Authority (CA) to generate and sign certs with its private key. The HTTPS mode feature in moOde uses self-signed certs because obviously users can't be expected to install and administer a local CA server on their network.

Self-signed certs are easy to automatically generate and install into the web server but challenging to install on the client OS because it's a manual process, and it differs depending on the OS.

Self-signed certs store their private keys locally on the computer running the web server which in our case is the Raspberry Pi running moOde. AFAIK it doesn't matter whether the cert is marked as a CA or not. What matters is keeping the private key secure.

In any case HTTPS mode is an experimental feature and we'll just have to see what shakes out.

As you wish.