Xpra-org / xpra

Persistent remote applications for X11; screen sharing for X11, MacOS and MSWindows.
https://xpra.org/
GNU General Public License v2.0

new subcommand to generate SSL certificates easily #4288

Open totaam opened 1 week ago

totaam commented 1 week ago

Suggested in https://github.com/orgs/Xpra-org/discussions/4146#discussioncomment-9975850

This subcommand can be called by the post-installation scripts, simplifying:

Could be very useful for WebTransport - if we can figure out how to make the browsers accept the certificates: https://github.com/Xpra-org/xpra-html5/issues/143#issuecomment-2183972669

The only downside is that in my experience, mkcert is easier to manage - at least for local testing.

We already have #3299 for accepting certificates per-host in the Python client. Perhaps this could be enhanced too: qrencode the certificate hash for easier verification?

It would be neat if we could use this to generate a SSL certificate + key on a remote host and install the certificate on the local system. Something like:

xpra setup-ssl ssh://host/

stdedos commented 1 week ago

> The only downside is that in my experience, mkcert is easier to manage - at least for local testing.

Package a go dependency? 🤣

totaam commented 1 week ago

> Package a go dependency? 🤣

No chance, but depending on a mkcert package wouldn't be too bad. Except there isn't one for RPM, so that's a non-starter.

stdedos commented 1 week ago

> It would be neat if we could use this to generate a SSL certificate + key on a remote host and install the certificate on the local system.

Without https://github.com/FiloSottile/mkcert, I think you will be re-inventing the wheel 😓

... especially if you would somehow expect that the package lands on LTSs of all of the OSes you support by "not your actions"

totaam commented 1 week ago

> Without https://github.com/FiloSottile/mkcert, I think you will be re-inventing the wheel 😓

No, for the python client, all the plumbing is already in place for accepting certificates, even the GUI: #3305, #3299

For the html5 client, things are going to be more complicated no matter what - because browsers. Invoking mkcert if installed is an option, and showing a warning if it's not.