alexjustesen / speedtest-tracker

Speedtest Tracker is a self-hosted internet performance tracking application that runs speedtest checks against Ookla's Speedtest service.
https://speedtest-tracker.dev/
MIT License

Add SSL certificate #357

Closed iHumberto closed 1 year ago

iHumberto commented 1 year ago

When I access the web UI through the HTTPS port we receive a warning that the connection isn't secure. Would be awesome if we could add a self-signed certificate to avoid these warnings.

I already have a self-signed certificate that I use with my Portainer to avoid these warnings, but I can't find where I can set this certificate in Speedtest Tracker.

alexjustesen commented 1 year ago

@alexdelprete are you using a self-signed cert in your process?

alexdelprete commented 1 year ago

When I access the web UI through the HTTPS port we receive a warning that the connection isn't secure. Would be awesome if we could add a self-signed certificate to avoid these warnings.

A self-signed certificate will always give you a warning, because they're not trusted by an authority, being self-signed. Maybe you meant a trusted certificate? Who issued it?

@alexdelprete are you using a self-signed cert in your process?

No, it doesn't make sense for me since I use a reverse proxy that does TLS termination with a wildcard certificate issued by cloudflare.

iHumberto commented 1 year ago

Well, in my case the certificate won't give me any error. As I said, I already use a self-signed certificate in my Portainer, without any warning. I created a CA and added it to the trusted CAs on my machine; that way I avoid these warnings. I use a self-signed cert because my access is only inside my network. I don't need to have access to this through the internet, so I can't create a certificate with Let's Encrypt or something else.

[image]

alexdelprete commented 1 year ago

And what benefit do you have from accessing an internal service not exposed to the internet through HTTPS on your LAN? I never understood this "SSL-everywhere" wave...but it's just me. :)

Anyway, you said you used your self-signed cert, but omitted saying you also installed a CA cert. Anyway, this should be doable with any server/container; I don't know if the current project (based on Laravel) supports self-signed CA certs too. @alexjustesen is the maintainer, he has to decide if he wants to offer and document this functionality.

UPDATE: since NGINX is being used as webserver, I think it is possible to use self-signed certs, also CA certs. But the config has to allow users to copy certs in a specific dir with a specific config.

alexdelprete commented 1 year ago

@alexjustesen if you want to allow user certificates, here's how LinkAce does it, basically you map a volume to the /certs folder and then modify nginx.conf to map those certificates:

[image]

The only thing is that he's mentioning trusted certificates, not self-signed CA certs, but probably the fullchain cert can be created with an embedded CA cert. It is to be tested.
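The "fullchain with an embedded CA cert" idea above can be checked locally before touching any container. The script below is an added example and not code from speedtest-tracker, LinkAce, or anyone in this thread: it builds a private CA, issues a server certificate signed by that CA (with a subjectAltName, which browsers require), concatenates leaf + CA into the fullchain file an nginx `ssl_certificate` directive expects, and verifies that the leaf chains to the CA. The hostname `speedtest.home.lan`, the output directory, and the "Homelab Private CA" name are assumptions; only `ca.crt` is meant to be imported into a trust store, `ca.key` never leaves the machine that signs certificates.

```shell
#!/bin/sh
# Added example: private CA + CA-signed server cert + fullchain for nginx.
# Not part of speedtest-tracker; hostname and paths are assumptions.
set -eu

make_local_pki() {
  dir="$1"
  host="${2:-speedtest.home.lan}"   # assumed internal hostname
  mkdir -p "$dir"

  # Explicit OpenSSL config so the CA extensions do not depend on the
  # system openssl.cnf (avoids duplicate-extension errors on OpenSSL 3).
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Homelab Private CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

  # 1. Private CA. ca.crt is the only file that goes into OS/browser trust stores.
  openssl req -x509 -config "$dir/ca.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Homelab Private CA" >/dev/null 2>&1

  # 2. Server key + CSR. Browsers ignore CN for hostname matching, so the
  #    SAN is added at signing time in step 3.
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$host" >/dev/null 2>&1

  # 3. Sign the CSR with the CA, marking the result as a leaf for server auth.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" >/dev/null 2>&1

  # 4. fullchain = leaf first, then the issuing CA; this is what nginx serves.
  cat "$dir/server.crt" "$dir/ca.crt" > "$dir/fullchain.pem"
}

# Returns 0 when the leaf verifies against the CA, carries the expected SAN,
# and the fullchain holds exactly two certificates (leaf + CA).
verify_local_pki() {
  dir="$1"
  host="${2:-speedtest.home.lan}"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  # -text reads only the first certificate in the file, i.e. the leaf.
  openssl x509 -in "$dir/fullchain.pem" -noout -text 2>/dev/null \
    | grep -q "DNS:$host" || return 1
  [ "$(grep -c 'BEGIN CERTIFICATE' "$dir/fullchain.pem")" -eq 2 ]
}
```

Usage: `make_local_pki ./certs speedtest.home.lan && verify_local_pki ./certs speedtest.home.lan`. The resulting `fullchain.pem` and `server.key` are the two files an nginx `ssl_certificate` / `ssl_certificate_key` pair would point at after mounting the directory into the container; the browser warning only disappears on machines where `ca.crt` has been imported as a trusted root, which is the part the thread identifies as needing per-client setup.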

iHumberto commented 1 year ago

Oh, my bad. I omitted the CA cert because it doesn't make sense to me to create a self-signed certificate without creating a CA cert and trusting it. The warnings will persist 😅 and for me the most annoying part is having to click "I understand the risk, continue....." every time I access these resources.

I created the CA cert and the self-signed cert just because my Portainer installation won't let me access it without an HTTPS connection and I couldn't find where the problem is yet.

alexdelprete commented 1 year ago

The warnings will persist

exactly, that's why I didn't understand your post initially. Now I see the point, thanks for clarifying it for me. :)

I created the CA cert and the self-signed cert just because my Portainer installation won't let me access it without an HTTPS connection and I couldn't find where the problem is yet.

I understand. But ST will allow you to connect to port http/80. :)

I would suggest setting up a reverse proxy; it would allow you to overcome these kinds of issues.

iHumberto commented 1 year ago

I thought that a reverse proxy was only to redirect external connections... I'll look into this; maybe with NGINX or Traefik I could do that? (And it will be easier to access all my apps with a domain, instead of using the host IP.)

alexdelprete commented 1 year ago

Reverse proxies don't distinguish internal/external, just like a web server...they see a client connection on the port. Where it's coming from is up to you.

I use Traefik MAINLY for my internal homelab, I only publish one minor service for me when I'm not home. :)

iHumberto commented 1 year ago

Thanks man.... I'm new to self-hosting so I didn't know this.... Thanks a lot.. I'll search about it; it will help me do better management of my resources and applications.

alexdelprete commented 1 year ago

No problem, my pleasure. Search for Techno Tim on youtube. ;)

https://www.youtube.com/watch?v=liV3c9m_OX8

Please close the issue if it's ok for you.

iHumberto commented 1 year ago

Thanks for the tip. I know his channel but didn't know he has a video about it. I'm closing this issue.

alexdelprete commented 1 year ago

@iHumberto if you want to use certificates, it's easier than I thought, actually I had already done it in the past because I didn't like that self-signed certs were recreated at startup every time, so I mapped a volume folder to the cert folder. The only thing that you have to experiment with is the CA certificate, if it's a known CA, the system should already have it, if not, you have to tinker a bit.

See my old post for details: https://github.com/alexjustesen/speedtest-tracker/issues/104#issuecomment-1303309176

@alexjustesen Maybe we should add this to docs.

iHumberto commented 1 year ago

@alexdelprete I'll look into this. Thanks a lot.

I bought a domain because there is one app I would like to put on the web (Vaultwarden, to host my passwords) and I found that I need a domain to be able to do that. That video from Tim helped me a lot to understand what I have to do. Unfortunately I found out that my router sucks and I'll need a new one. But now I know what I need to do and what I have to change in my network to make everything work fine.

alexdelprete commented 1 year ago

yeah...I started your journey 2y ago. VaultWarden was one of the first services of my homelab.

I recommend using Cloudflare for the domain, and Traefik as a reverse proxy, and then with Cloudflare you can use cloudflared, so you don't have to open ports on the firewall. It's really great. If you want to self-host, you need a good router and a stable internet connection.

If you need some advice you can reach me on discord: alexdelprete#5566 or telegram: @alexdelprete