hydrusnetwork / hydrus

A personal booru-style media tagger that can import files and tags from your hard drive and popular websites. Content can be shared with other users via user-run servers.
http://hydrusnetwork.github.io/hydrus/

Send intermediate certificates for API requests #1617

Open alethiophile opened 1 month ago

alethiophile commented 1 month ago

I've got the client API set up to use HTTPS, and I've gotten a certificate from LetsEncrypt to make it visible globally. The certificate is in the client.crt file, and that part works fine.

That certificate file contains the intermediates for LetsEncrypt that tie it to the certificate root. However, hydrus is only serving the first certificate, not the full chain. This means that many clients -- notably including the Python requests/urllib libraries used by hydownloader et al. -- can't verify the certificate. (It still works fine in a Web browser, presumably because they go to find the intermediates on their own.)

Would it be possible to make Hydrus provide the full certificate chain when there's more than one certificate in client.crt?

floogulinc commented 1 month ago

I'd highly recommend just using a reverse proxy that handles HTTPS well, like Caddy, rather than relying on hydrus. (Also, I wouldn't expose the hydrus API to the public Internet in general.)

alethiophile commented 1 month ago

It's actually on a Tailscale VPN, which offers LetsEncrypt certificates for ease of browser use.

I'd been hoping to avoid setting up a reverse proxy on this machine, but I guess that probably is the quickest way.

floogulinc commented 1 month ago

If you're using Tailscale you can use the built-in reverse proxy: https://github.com/floogulinc/hydrus-web/wiki/Accessing-the-Hydrus-API-with-Tailscale-Serve