SteveLTN / https-portal

A fully automated HTTPS server powered by Nginx, Let's Encrypt and Docker.
MIT License

Allow to specify CN in self-signed certificate #281

Closed markovendelin closed 2 years ago

markovendelin commented 3 years ago

In some cases, it makes sense to use https-portal for services that are available only on local network. As self-signing is baked in with STAGE: local, it works already.

However, it would be great to have an ability to specify at least CN in the generated certificate. It looks to me that CN is hardcoded to default-server.example.com (see code).

Please make it possible to specify it via environment variable.

SteveLTN commented 3 years ago

Hi, this is not an unreasonable request. However I'm a bit busy in the coming weeks. I will pick this up later. In the meantime, pull requests are welcome.

hsimpson commented 2 years ago

Also consider adding the needed X509 extensions to make Chrome happy: -addext "subjectAltName = DNS:<SPECIFIC_DOMAIN_NAME>,IP:127.0.0.1" -addext "extendedKeyUsage = serverAuth"

SteveLTN commented 2 years ago

This was actually a bug. The code snippet you posted was for a dummy certificate, not intended for local use. However, it managed to carry itself to the end stage :-) This was fixed in 1.19.1.

As for your second suggestion, I encountered two issues:

  1. When I added -addext "subjectAltName = DNS:#{},IP:127.0.0.1" -addext "extendedKeyUsage = serverAuth" to the command, it returns an error: x509: Unrecognized flag addext. Could you try and figure out the right command for this?
  2. I don't know for sure what your IP is. Many people run docker in a VM or on a remote server. I guess this can be configured by adding another environment variable, but that seems to be too complicated to use.

I don't think you can ever make Chrome accept a self-signed certificate though.

hsimpson commented 2 years ago

> This was actually a bug. The code snippet you posted was for a dummy certificate, not intended for local use. However, it managed to carry itself to the end stage :-) This was fixed in 1.19.1.

Fine, I will try after 1.19.1 is released/published to Dockerhub.

> When I added -addext "subjectAltName = DNS:#{},IP:127.0.0.1" -addext "extendedKeyUsage = serverAuth" to the command, it returns an error: x509: Unrecognized flag addext. Could you try and figure out the right command for this?

-addext is available with openssl req since 1.1.1, see: https://www.openssl.org/docs/man1.1.1/man1/req.html

> I don't know for sure what your IP is. Many people run docker in a VM or on a remote server. I guess this can be configured by adding another environment variable, but that seems to be too complicated to use.

I will try with the -addext "extendedKeyUsage = serverAuth" at least, to check if it is possible to proceed in Chrome with the self-signed cert.

> I don't think you can ever make Chrome accept a self-signed certificate though.

Not out of the box, but with 1.19.0 and STAGE=local you cannot proceed on macOS.

hsimpson commented 2 years ago

Ok, another piece of information: 1.19.1 fixes the individual certs with the correct CN, this is fine. 👍

To get the local self-signed certs working in Chrome on macOS (to get the "Proceed" button in the warning) you only need the extendedKeyUsage = serverAuth extension. Unfortunately I cannot get it to work with a CSR, only when generating the cert without a CSR: openssl req -x509 -newkey rsa:2048 -nodes -out ./signed.crt -keyout ./domain.key -days 90 -batch -subj "/CN=mydomain.localhost" -addext "extendedKeyUsage = serverAuth"

Some sites suggest to use a config file for openssl to get this working with a CSR:

@SteveLTN would it be possible to bring this in?

You can check the cert via openssl x509 -text -in signed.crt; there should be an entry like:

X509v3 Extended Key Usage:
                TLS Web Server Authentication

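
As an added example (not https-portal's own code, and not something posted in this thread), here is the CSR-based route as a POSIX shell script. The subjectAltName and extendedKeyUsage extensions go into a small extension file that openssl x509 -req -extfile reads when it signs the CSR; that avoids -addext, which is a flag of openssl req only (hence the "x509: Unrecognized flag addext" error reported above) and also works on OpenSSL releases older than 1.1.1. The domain name, output directory and file names are assumptions, and cert_has_field performs the openssl x509 -text check described in the comment above so the result can be verified rather than eyeballed.

```shell
#!/bin/sh
# Added example, not https-portal's code: create a local self-signed cert
# with a chosen CN, a matching DNS SAN and extendedKeyUsage=serverAuth,
# going through a CSR plus an extension file instead of `req -addext`.
set -eu

# make_local_cert DOMAIN OUTDIR
#   writes OUTDIR/domain.key, OUTDIR/domain.csr and OUTDIR/signed.crt
make_local_cert() {
  domain=$1
  dir=$2
  mkdir -p "$dir"

  # Extension file. Entries in the unnamed default section are picked up by
  # `openssl x509 -extfile` without needing an -extensions argument.
  # (Assumed values: the DNS name is the CN; add IP:... entries here if the
  # service is reached by address rather than by name.)
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$domain" \
    > "$dir/ext.cnf"

  # 1. Fresh RSA key and a CSR carrying only the subject CN.
  openssl req -new -newkey rsa:2048 -nodes -batch \
    -subj "/CN=$domain" \
    -keyout "$dir/domain.key" -out "$dir/domain.csr" 2>/dev/null

  # 2. Self-sign the CSR with that key; the extensions come from ext.cnf,
  #    so no `-addext` is involved at the x509 step.
  openssl x509 -req -in "$dir/domain.csr" -signkey "$dir/domain.key" \
    -days 90 -extfile "$dir/ext.cnf" -out "$dir/signed.crt" 2>/dev/null
}

# cert_has_field CRT PATTERN
#   exit 0 if the textual dump of CRT contains PATTERN (basic regex),
#   e.g. "TLS Web Server Authentication" for the serverAuth EKU.
cert_has_field() {
  openssl x509 -noout -text -in "$1" | grep -q -- "$2"
}

# Usage:
#   make_local_cert mydomain.localhost ./out
#   cert_has_field ./out/signed.crt "TLS Web Server Authentication" && echo "EKU ok"
```

The check function greps the same openssl x509 -text output the comment above refers to; the subject line is printed as "CN = name" on OpenSSL 1.1.1+ and "CN=name" on older releases, so a pattern such as "CN *= *mydomain.localhost" matches both.
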
SteveLTN commented 2 years ago

I will give it a try.

SteveLTN commented 2 years ago

I released 1.19.2. Should fix this. Also deployed to my test site: https://https-portal-test.steveltn.me/

hsimpson commented 2 years ago

> I released 1.19.2. Should fix this. Also deployed to my test site: https://https-portal-test.steveltn.me/

I would try this on Monday.

hsimpson commented 2 years ago

> I released 1.19.2. Should fix this. Also deployed to my test site: https://https-portal-test.steveltn.me/
>
> I would try this on Monday.

It works fine, thanks.