Generation of self-signed certificates

typoworx-de commented 4 years ago

Is your feature request related to a problem? Please describe. I'm running docker instance in intranet/private-network and require https for some docker-instances (like docker-registry). The private-lan runs on TLD ".lan" so it's not possible to use letsencrypt by routing domain-name over router as letsencrypt only supports domains/tld's reachable from intranet.

Describe the solution you'd like I noticed nginx-proxy-manager already supports custom-certs which is awesome! I would love to have an additional option in that dropdown in section "SSL Certificates" that could be named "Create self-signed certificate" and then routes this request to f.e. the linux-tool mkcert.

https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/

mkcert my-private-domain.lan

Describe alternatives you've considered I could run mkcert on my local machine and manually upload the cert-files into nginx-proxy-manager.

Additional context I think I'm not the only user who runs a docker instance in private/lan and think this feature would support/help other users as well.

typoworx-de commented 4 years ago

As a short proof-of-concept I've run a shell-console on my nginx-proxy-manager docker instance trying this:

[root@docker-nginx-ssl-proxy:/usr/local/bin]# wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.1/mkcert-v1.4.1-linux-amd64

[root@docker-nginx-ssl-proxy:/usr/local/bin]# mv mkcert-v1.4.1-linux-amd64 mkcert

root@docker-nginx-ssl-proxy:/usr/local/bin]# mkcert *.typoworx.lan
Using the local CA at "/root/.local/share/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "*.test.lan"

Reminder: X.509 wildcards only go one level deep, so this won't match a.b.typoworx.lan ℹ️

The certificate is at "./_wildcard.typoworx.lan.pem" and the key at "./_wildcard.typoworx.lan-key.pem" ✅

bitsvital commented 3 years ago

For now I use minica. It's super easy. Just spin up an ubuntu:20.04 docker. I have all the instructions written out. If you want the instructions just message me and I'll send them over to you. https://github.com/jsha/minica

WillJBrown commented 3 years ago

I'd be interested in those instructions if it automates the process a little more than what typoworx-de described

jc21 commented 3 years ago

The mkcert binary is shipped with the docker image, but it's not used by the software yet. I was planning to add it as an option on the SSL dropdown, but other things have taken more priority. PR's are welcome :)

bitsvital commented 3 years ago

I'd be interested in those instructions if it automates the process a little more than what typoworx-de described

Hi @WillJBrown , I actually created a docker image that does it for you. I have all the instructions typed out in the repository. You can use the docker image or just spin up a Ubuntu image yourself and the instructions are about the same. If you run into any problems, questions, or need any help just let me know. I’ll be more than happy to help you. Here is the the docker image. https://hub.docker.com/r/bitsvital/minica-bv

WillJBrown commented 3 years ago

Thanks for that @bitsvital. I got it working today thanks to your page. you might like to clarify that the cert you have to share to clients is the root minica one whereas the one npm needs is the domain specific one. Also thanks to you @jc21 for npm - It's made all the local proxies I set up today so much easier. I don't know any web dev otherwise I would definitely work on a pull request to get this implemented. My knowledge is more in c#, fortran, python, etc. apologies.

bitsvital commented 3 years ago

@WillJBrown no problem. Thanks for the FYI. I will update that this evening. Feel free to contact me anytime if you need further assistance.