12-11-2024, 07:31 PM
(This post was last modified: 12-30-2024, 11:07 AM by the_bertrum.
Edit Reason: IOS root CA installation tested, Maximum age of the server certificate reduced so that Safari doesn't claim it isn't secure
)
The HTTPS mode in moOde is experimental, so bear that in mind. Also, the Automatic mode works nicely enough, but you may find that you still get warnings about self-signed certificates, or have bother importing them to your devices. I can't get Android to recognise them for example. What I present here is involved and time consuming, but it is also satisfying and I've got HTTPS working on all my players on all my browsers on all my devices.
BACKUP FIRST! You could end up with a player so secure you can't get in. Or more likely one that won't start for some reason. You may need to re-flash and start again.
Don't try this if you are a "cut and paste" king of guy. The commands presented here need reading and understanding so you can adjust them for your system as necessary.
Remember that HTTPS, Certificate Authorities, and browser certificate stores are there to keep you safe on the internet. This tutorial will be adding stuff into that system which is basically you telling your systems to trust you. You should only do that if you trust you, and if you are following this guide without understanding it then you are basically trusting me. I'm a nice guy, but don't trust me. Make sure you understand what is going on here so you know I'm not sneaking in a back door into your network for my own nefarious reasons.
With those warnings out of the way, on with the show.
---Setting up as a Certificate Authority----
Do all this work on your beefiest moOde player. All the tools you need are already on there, and it makes sense to set up your CA on one of the players that will be secured by it.
Let's begin by making somewhere to keep our files so we know where to find them.
Next we use openssl to create a private key that will be used to generate our root certificate. You will be asked for a passphrase to secure this and you can skip it, but don't. Use a passphrase and remember it (store it with your other important passwords). This will mean only people who know the password for your internal moOde CA will be able to generate keys
After entering your passphrase twice, you should have a new file in your new folder:
Now we create a root certificate from the private key. You will need to enter your passphrase (surely you haven't forgotten it already) and then answer some questions the answers to which don't really matter since only you will ever look at this certificate. The Common Name is the only one that really matters since that is what will appear as the name of the certificate when it is in your root CA stores on all your devices (more on that later). The command to create a CA that will last for 10 years (days = 3650) from your private key is this:
Here are the entries I put in for mine, feel free to be creative:
That's it, you are your own Certificate Authority. Only problem is no one else knows that yet and so they still don't trust you. Now, you could at this point try to get yourself registered along with all the other root CAs and then automatically be included in all OS and browser lists, but that isn't ever going to happen so don't think about trying. What you can do though is force all the devices in your local network to trust you, and that is in the end all you really want here. How you go about adding your root certificate to your devices varies with OS. Basically, you need to copy the moodeCA.pem file onto the device you want to make trust you, then run a command to add the file to your trusted store. Instructions for the some main OSes are thus:
Your moOde players, plus any other (ubuntu based) Linux machines:
You will be using the ca-certificates software, which is already on your moOde devices, and probably already on your other Linux boxes too, install it if not. Then:
Note we use sudo and that we have renamed the .pem to .crt. Then updating the root CA store with this command:
And finally check it there safely with this command (takes a second or two to run)
You may find that your browsers use their own certificate stores, and don't pay any heed to the system store you just updated. In this case, you need to add them to the browser store too. For Firefox:
Open settings, and go to the Privacy and Security section. Scroll to "Certificates" and press the View Certificates button. Select the Authorities tab and press Import. Select your moodeCA.pem file press open, select "Use for validating websites" and press OK.
In Chromium (and presumably its derivatives):
Settings/Privacy and Security/Security/Manage Certificates - Authorities tab, import, moodeCA.pem, use for websites.
Windows10/11, copy the moodeCA.pem to somewhere handy on the machine then:
Open the “Microsoft Management Console” by using the Windows + R keyboard combination, typing mmc and clicking Open
Go to File > Add/Remove Snap-in
Click Certificates and Add
Select Computer Account and click Next
Select Local Computer then click Finish
Click OK to go back to the MMC window
Double-click Certificates (local computer) to expand the view
Select Trusted Root Certification Authorities, right-click on Certificates in the middle column under “Object Type” and select All Tasks then Import
Click Next then Browse. Change the certificate extension dropdown next to the filename field to All Files (*.*) and locate the myCA.pem file, click Open, then Next
Select Place all certificates in the following store. “Trusted Root Certification Authorities store” is the default. Click Next then click Finish to complete the wizard.
If everything went according to plan, you should see your CA certificate listed under Trusted Root Certification Authorities > Certificates.
MacOS - I don't have any of these myself, but I'm informed that it can be done simply with this command:
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" moodeCA.pem
iOS - This method has been tested on an iPhone 14 IOS 18.1.1
Email the root certificate to yourself and then open it in the default mail app on your iOS device.
Open the attachment, it will prompt you to review the profile in the Settings app.
Open the Settings app and click Profile Downloaded near the top.
Click Install in the top right, and then Install again on the Warning screen.
Once installed, hit Close and go back to the main Settings page.
Go to General > About.
Scroll to the bottom and click on Certificate Trust Settings.
Enable your root certificate under “ENABLE FULL TRUST FOR ROOT CERTIFICATES”.
One final step needed for Firefox browsers on Android (and maybe IOS, I've not checked). Firefox will only trust the default CAs, you ned to ask it to trust "third party" ones, you are a third party in this scenario.
Open the Firefox browser on your phone, and from the three dot menu, choose "about". Tap the firefox logo five times to enable the "debug menu", then tap the back arrow and scroll down the "secret settings". In there you will find a toggle for "trust third party CAs" which you should enable.
Phew - you have done the hardest bit, setting up a CA and getting yourself trusted. Probably now is the time to take a break, rest on your laurels a bit, have some coffee, whatever you fancy. Next step is to sign certificates for all you players then upload them and turn on HTTPS.
---Generating certificates for your players---
So to begin, you need three files for each player, a Private Key that will be used to encrypt the traffic server side, a Certificate Signing Request (CSR) to ask the CA to create a certificate to go with your private key, and a parameter file that defines the extensions you want (EXT).
We create the CSR and the private key using the oppenssl utility with which we are already familiar. The commands look like this:
Private Key:
CSR:
In both these commands, replace moode.local as appropriate for your host names. Do this in the certs location on the moode player that you set up as the CA so you know where everything is.
The CSR command will ask the same questions as the CA did, again it doesn't matter what you answer except for the Common Name which should be your player name, so mine looked like this for my "Orpheus" player.
Notice I didn't provide a password here, that's not as important as the password on your CA is.
Now for the third file, the extentions. Using your favourite editor, create a file in your certs folder called moode.local.ext (substituting your host name for moode as appropriate). Into this file put the following:
The important bits that you need to adjust for your own use are [alt_names]. DNS.1 is <HOSTNAME>.local, DNS.2 is just <HOSTNAME>, IP.1 is the IP address of your player and is only of use if you have a reserved IP in DHCP or a static IP configured, IP.2 is the IP of the player when it is acting as a hotspot. You need here all the names that you will put in the address bar of the browsers that access the player.
Now to take these files and create a certificate from them that is signed by the CA that our network trusts. The openssl utility is once again our tool:
This will take in our CSR (which has the private key embedded), sign it using the CA certificate and key and write out a certificate (CRT) that is valid for 825 days (which is the maximum that Safari on IOS will consider secure) with the extensions in our EXT file. Obviously once again use the file names you created that match the name of your player. You will also be asked for the CA passphrase that you set up way back in the beginning. This is why that passphrase is important, you can't sign any new certificates without it, meaning no one but the passphrase holder can create certificates for their own purposes using your CA. You don't want other people creating their own certificates that everything on your network is going to trust do you? After this, you will have a moode.local.crt file, and a moodeCA.srl file. This last one is a store for serial numbers issued by your CA. If you make more certs, openssl will consult this to be sure it uses a new serial number for each one it makes.
Now for the final step, getting your certificate and key into the moOde player webserver. Here Tim has done the work for you, so simply download the .crt and .key files for your player onto your workstation, open the moOde interface and open the System Configuration page. In the HTTPS mode section, select Certificate type of "Manual". The interface will reload and give you an UPLOAD button, click this and use the file picker to locate the key and crt files select both and press open. Once again the interface will reload and confirm the names of the files you have uploaded. You will get a warning here if you have not uploaded both. Now press the INSTALL CERTIFICATE button to load these into the internal web server. You will get a "Certificate installed" Info box, and the files will clear from the UPLOAD section. Now you just need to switch on the HTTPS mode switch, wait for the confirmation and reboot. If all is present and correct, you will now be able to connect over https with no errors or warnings in any of your browsers.
Have fun. Questions or corrections welcome.
I largely based this guide on a Deliciousbrains blog and more information about importing certificates into browser stores is available.
BACKUP FIRST! You could end up with a player so secure you can't get in. Or more likely one that won't start for some reason. You may need to re-flash and start again.
Don't try this if you are a "cut and paste" king of guy. The commands presented here need reading and understanding so you can adjust them for your system as necessary.
Remember that HTTPS, Certificate Authorities, and browser certificate stores are there to keep you safe on the internet. This tutorial will be adding stuff into that system which is basically you telling your systems to trust you. You should only do that if you trust you, and if you are following this guide without understanding it then you are basically trusting me. I'm a nice guy, but don't trust me. Make sure you understand what is going on here so you know I'm not sneaking in a back door into your network for my own nefarious reasons.
With those warnings out of the way, on with the show.
---Setting up as a Certificate Authority----
Do all this work on your beefiest moOde player. All the tools you need are already on there, and it makes sense to set up your CA on one of the players that will be secured by it.
Let's begin by making somewhere to keep our files so we know where to find them.
Code:
mkdir ~/certs
cd ~/certs
Next we use openssl to create a private key that will be used to generate our root certificate. You will be asked for a passphrase to secure this and you can skip it, but don't. Use a passphrase and remember it (store it with your other important passwords). This will mean only people who know the password for your internal moOde CA will be able to generate keys
Code:
openssl genrsa -des3 -out moodeCA.key 2048
Code:
master@orpheus:~/certs $ ls -ltr
total 4
-rw------- 1 master master 1854 Dec 7 14:07 moodeCA.key
Code:
openssl req -x509 -new -nodes -key moodeCA.key -sha256 -days 3650 -out moodeCA.pem
Here are the entries I put in for mine, feel free to be creative:
Code:
master@orpheus:~/certs $ openssl req -x509 -new -nodes -key moodeCA.key -sha256 -days 3650 -out moodeCA.pem
Enter pass phrase for moodeCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:moOde
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:moodeCA
Email Address []:.
That's it, you are your own Certificate Authority. Only problem is no one else knows that yet and so they still don't trust you. Now, you could at this point try to get yourself registered along with all the other root CAs and then automatically be included in all OS and browser lists, but that isn't ever going to happen so don't think about trying. What you can do though is force all the devices in your local network to trust you, and that is in the end all you really want here. How you go about adding your root certificate to your devices varies with OS. Basically, you need to copy the moodeCA.pem file onto the device you want to make trust you, then run a command to add the file to your trusted store. Instructions for the some main OSes are thus:
Your moOde players, plus any other (ubuntu based) Linux machines:
You will be using the ca-certificates software, which is already on your moOde devices, and probably already on your other Linux boxes too, install it if not. Then:
Code:
sudo cp ~/certs/moodeCA.pem /usr/local/share/ca-certificates/moodeCA.crt
Note we use sudo and that we have renamed the .pem to .crt. Then updating the root CA store with this command:
Code:
sudo update-ca-certificates
And finally check it there safely with this command (takes a second or two to run)
Code:
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep moodeCA
Open settings, and go to the Privacy and Security section. Scroll to "Certificates" and press the View Certificates button. Select the Authorities tab and press Import. Select your moodeCA.pem file press open, select "Use for validating websites" and press OK.
In Chromium (and presumably its derivatives):
Settings/Privacy and Security/Security/Manage Certificates - Authorities tab, import, moodeCA.pem, use for websites.
Windows10/11, copy the moodeCA.pem to somewhere handy on the machine then:
Open the “Microsoft Management Console” by using the Windows + R keyboard combination, typing mmc and clicking Open
Go to File > Add/Remove Snap-in
Click Certificates and Add
Select Computer Account and click Next
Select Local Computer then click Finish
Click OK to go back to the MMC window
Double-click Certificates (local computer) to expand the view
Select Trusted Root Certification Authorities, right-click on Certificates in the middle column under “Object Type” and select All Tasks then Import
Click Next then Browse. Change the certificate extension dropdown next to the filename field to All Files (*.*) and locate the myCA.pem file, click Open, then Next
Select Place all certificates in the following store. “Trusted Root Certification Authorities store” is the default. Click Next then click Finish to complete the wizard.
If everything went according to plan, you should see your CA certificate listed under Trusted Root Certification Authorities > Certificates.
MacOS - I don't have any of these myself, but I'm informed that it can be done simply with this command:
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" moodeCA.pem
iOS - This method has been tested on an iPhone 14 IOS 18.1.1
Email the root certificate to yourself and then open it in the default mail app on your iOS device.
Open the attachment, it will prompt you to review the profile in the Settings app.
Open the Settings app and click Profile Downloaded near the top.
Click Install in the top right, and then Install again on the Warning screen.
Once installed, hit Close and go back to the main Settings page.
Go to General > About.
Scroll to the bottom and click on Certificate Trust Settings.
Enable your root certificate under “ENABLE FULL TRUST FOR ROOT CERTIFICATES”.
One final step needed for Firefox browsers on Android (and maybe IOS, I've not checked). Firefox will only trust the default CAs, you ned to ask it to trust "third party" ones, you are a third party in this scenario.
Open the Firefox browser on your phone, and from the three dot menu, choose "about". Tap the firefox logo five times to enable the "debug menu", then tap the back arrow and scroll down the "secret settings". In there you will find a toggle for "trust third party CAs" which you should enable.
Phew - you have done the hardest bit, setting up a CA and getting yourself trusted. Probably now is the time to take a break, rest on your laurels a bit, have some coffee, whatever you fancy. Next step is to sign certificates for all you players then upload them and turn on HTTPS.
---Generating certificates for your players---
So to begin, you need three files for each player, a Private Key that will be used to encrypt the traffic server side, a Certificate Signing Request (CSR) to ask the CA to create a certificate to go with your private key, and a parameter file that defines the extensions you want (EXT).
We create the CSR and the private key using the oppenssl utility with which we are already familiar. The commands look like this:
Private Key:
Code:
openssl genrsa -out moode.local.key 2048
Code:
openssl req -new -key moode.local.key -out moode.local.csr
The CSR command will ask the same questions as the CA did, again it doesn't matter what you answer except for the Common Name which should be your player name, so mine looked like this for my "Orpheus" player.
Code:
master@orpheus:~/certs $ openssl req -new -key orpheus.local.key -out orpheus.local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:moOde
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:orpheus.local
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Notice I didn't provide a password here, that's not as important as the password on your CA is.
Now for the third file, the extentions. Using your favourite editor, create a file in your certs folder called moode.local.ext (substituting your host name for moode as appropriate). Into this file put the following:
Code:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = moode.local
DNS.2 = moode
IP.1 = <IP of your player>
IP.2 = 172.24.1.1
The important bits that you need to adjust for your own use are [alt_names]. DNS.1 is <HOSTNAME>.local, DNS.2 is just <HOSTNAME>, IP.1 is the IP address of your player and is only of use if you have a reserved IP in DHCP or a static IP configured, IP.2 is the IP of the player when it is acting as a hotspot. You need here all the names that you will put in the address bar of the browsers that access the player.
Now to take these files and create a certificate from them that is signed by the CA that our network trusts. The openssl utility is once again our tool:
Code:
openssl x509 -req -in moode.local.csr -CA moodeCA.pem -CAkey moodeCA.key -CAcreateserial -out moode.local.crt -days 825 -sha256 -extfile moode.local.ext
Now for the final step, getting your certificate and key into the moOde player webserver. Here Tim has done the work for you, so simply download the .crt and .key files for your player onto your workstation, open the moOde interface and open the System Configuration page. In the HTTPS mode section, select Certificate type of "Manual". The interface will reload and give you an UPLOAD button, click this and use the file picker to locate the key and crt files select both and press open. Once again the interface will reload and confirm the names of the files you have uploaded. You will get a warning here if you have not uploaded both. Now press the INSTALL CERTIFICATE button to load these into the internal web server. You will get a "Certificate installed" Info box, and the files will clear from the UPLOAD section. Now you just need to switch on the HTTPS mode switch, wait for the confirmation and reboot. If all is present and correct, you will now be able to connect over https with no errors or warnings in any of your browsers.
Have fun. Questions or corrections welcome.
I largely based this guide on a Deliciousbrains blog and more information about importing certificates into browser stores is available.
----------------
Robert
Robert