12-06-2024, 10:28 AM
(12-06-2024, 10:22 AM) Tim Curtis Wrote: (12-06-2024, 08:02 AM) the_bertrum Wrote: (12-05-2024, 07:35 PM) Tim Curtis Wrote: Regarding "The first hurdle was using the automatic mode, the certificate generated there just would not install on my phone". What errors did you get?
The Automatic mode cert is a self-signed cert that's generated by /var/www/util/gen-cert.sh
Code:
#!/bin/bash
#
# SPDX-License-Identifier: GPL-3.0-or-later
# Copyright 2014 The moOde audio player project / Tim Curtis
#
# Template
OPENSSL_CFG_FILE=/tmp/moode-selfsigned.conf
cat >> $OPENSSL_CFG_FILE <<EOF
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
string_mask = nombstr
prompt = no
distinguished_name = req_dn
req_extensions = req_ext
[ req_dn ]
commonName = $HOSTNAME.local
[ req_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @req_sans
[ req_sans ]
DNS.1 = $HOSTNAME.local
DNS.2 = $HOSTNAME
IP.1 = 172.24.1.1
EOF
# Create cert
SSL_CSR_FILE=/tmp/moode.csr
SSL_CRT_FILE=/etc/ssl/certs/moode.crt
SSL_KEY_FILE=/etc/ssl/private/moode.key
openssl req -new -config $OPENSSL_CFG_FILE -out $SSL_CSR_FILE -keyout $SSL_KEY_FILE
openssl req -x509 -days 3650 -config $OPENSSL_CFG_FILE -in $SSL_CSR_FILE -key $SSL_KEY_FILE -out $SSL_CRT_FILE -extensions req_ext
# TEST: Add to chromium-browser trust store
#sudo apt -y install libnss3-tools
#CERT_NICKNAME=moOde self-signed cert
#certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n $CERT_NICKNAME -i $SSL_CRT_FILE
# TEST: Add to RaspiOS/Debian trust store (needed?)
#sudo cp $SSL_CRT_FILE /usr/local/share/ca-certificates/
#sudo update-ca-certificates
Some googling and it looks like there are a lot of reports about broken PWA on Android/Chrome...
Not good.
As far as the site.manifest file goes, here is a line from the release note from 4.2.0 way back in 2018
Code:
################################################################################
#
# 2018-09-27 moOde 4.3.0 (Stretch)
#
################################################################################
Bug fixes
- FIX: Webmanifest ref breaks Add to Home on IOS
The certificate generated by the automatic method would not import into Android; the certificate import routine returns "private key required".
It definitely worked after 2018, so maybe the manifest isn't strictly needed after all. Either way it seems HTTPS is a must.
Does it just generate the error message and then done, or are you prompted to import the private key file?
A message and then done would suggest Android needs the private key embedded in the cert. I think it's just a --keyout param in the openssl command that generates the cert.
There's no option to import a key, it just dumps you back out again.
----------------
Robert
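An added example, not part of the thread or of moOde's own code: it rebuilds the certificate from the config quoted above in a scratch directory and reports two properties relevant to the import error, the basicConstraints value and whether the .crt file contains a private key. The hostname `moode` and the scratch paths are assumptions standing in for $HOSTNAME and the /etc/ssl locations the real script uses.

```shell
#!/bin/bash
# Added example (not moOde code): rebuild the cert from the quoted config in a
# scratch directory and report what an importer sees in the .crt file.
# "moode" is a constructed stand-in for $HOSTNAME; nothing under /etc is touched.

inspect_selfsigned() (
    host="${1:-moode}"
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    # '>' instead of '>>' so the scratch config is always written fresh
    cat > "$dir/req.conf" <<EOF
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
string_mask = nombstr
prompt = no
distinguished_name = req_dn
req_extensions = req_ext
[ req_dn ]
commonName = $host.local
[ req_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @req_sans
[ req_sans ]
DNS.1 = $host.local
DNS.2 = $host
IP.1 = 172.24.1.1
EOF
    # Same two openssl steps as the quoted script, with scratch paths
    openssl req -new -config "$dir/req.conf" -out "$dir/moode.csr" \
        -keyout "$dir/moode.key" 2>/dev/null || exit 1
    openssl req -x509 -days 3650 -config "$dir/req.conf" -in "$dir/moode.csr" \
        -key "$dir/moode.key" -out "$dir/moode.crt" -extensions req_ext 2>/dev/null || exit 1
    # basicConstraints as encoded in the issued certificate
    bc=$(openssl x509 -in "$dir/moode.crt" -noout -text | grep -oE 'CA:(TRUE|FALSE)' | head -n 1)
    # The key is written to the -keyout file; check whether the .crt carries one too
    if grep -q 'PRIVATE KEY' "$dir/moode.crt"; then key=yes; else key=no; fi
    printf 'basicConstraints=%s key_in_crt=%s\n' "$bc" "$key"
)

inspect_selfsigned moode
```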