mollyim / mollysocket

MollySocket allows getting Signal notifications via UnifiedPush.
GNU Affero General Public License v3.0

Are self-signed certificates supported? #30

Open pimlie opened 7 months ago

pimlie commented 7 months ago

The readme says:

> You must configure TLS with a reverse proxy in front of MollySocket. Molly can only connect to the server over HTTPS.

But should self-signed certificates be supported? Because it seems they are not.

I'm using Caddy's `tls internal` option as my server is not publicly accessible, and in my browser I get the response `{"mollysocket":{"version":"1.2.0"}}` after having confirmed the security warning about the self-signed certificate.

But in Molly I keep getting the error "MollySocket server not found". After enabling debug logs in Caddy I see the following error logged:

`DBG ts=n.n logger=http.stdlib msg=http: TLS handshake error from x.x.x.x:yyyy: remote error: tls: unknown certificate`

So I guess that's because Molly doesn't trust the self-signed certificate? Is there any way to resolve this, preferably without having to install Caddy's self-created CA root on my phone?

p1gp1g commented 7 months ago

Allowing cleartext requests or self-signed certificates requires changing the networking configuration of Molly, which is something we want to avoid.

You should try getting a signed certificate with certbot (Let's Encrypt); it is pretty simple.

pimlie commented 7 months ago

Thanks for the quick reply. I hate to ask you this, but as I just cannot find anything on how to do this, could you please give some pointers on how to create a Let's Encrypt certificate for a private server/IP that's not publicly available?

E.g. do you mean to use a wildcard certificate with DNS validation? Or to somehow proxy ACME challenge requests? Because on this page https://letsencrypt.org/docs/certificates-for-localhost/ it seems Let's Encrypt also suggests it's not possible to use them for a private host. See also this section https://letsencrypt.org/docs/allow-port-80/; the issue is that on this server ports 80 & 443 are just not publicly accessible.

> which is something we want to avoid.

I guess that makes sense. Is it also because the network client in Molly is used both for communication with the Signal servers and with MollySocket? So if Molly, for example, had an option to manually add a trusted certificate key, then that certificate key could potentially also be used to intercept traffic to the Signal servers? And it would be too much work to create separate network client instances for requests from Molly to Signal and from Molly to the UnifiedPush endpoint, respectively?

p1gp1g commented 7 months ago

Well, it may be possible to allow self-signed. Allowing cleartext is different, since you have to set `cleartextTrafficPermitted` to true for the whole app.

For the certificate, you can use a wildcard certificate (with DNS challenge). Some domain registrars provide one with a domain too. You can also use a tcp tunneling application, or expose an empty HTTP server for the ACME challenge.
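The two points made in this thread, that a client with a stock trust store rejects a leaf issued by a private CA (the `tls internal` case, which the client abandons before the handshake completes, hence the "remote error" alert Caddy logs), and that a wildcard certificate from a publicly trusted CA covers exactly one DNS label, can both be shown with plain x509 chain building. The following is an added example written for this page; it is not code from Molly, MollySocket or Caddy. The CA names, the hostnames `mollysocket.lan` and `*.home.example.com`, and the two trust pools are constructed stand-ins (the "public" pool plays the role of the app's built-in root store; the second pool is that store with the private CA installed, which is what the reporter wants to avoid doing on the phone):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate named cn with the given DNS SANs. With parent == nil
// the certificate is self-signed (a root CA when isCA is true); otherwise it is
// signed by parent/parentKey. Everything is generated in memory for this example.
func issue(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // template as its own parent: self-signed
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyAs does what a TLS client does with the server certificate before it
// lets the handshake continue: build a chain to a trusted root, then match the
// requested hostname against the SANs. When this fails the client aborts and
// sends an alert, which the server side sees as a "remote error".
func VerifyAs(roots *x509.CertPool, leaf *x509.Certificate, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "unknown-authority"
	case errors.As(err, &badHost):
		return "hostname-mismatch"
	default:
		return "other: " + err.Error()
	}
}

// PKI is the constructed setup: a stand-in public root, a private CA like the
// one Caddy's "tls internal" creates, and one leaf certificate from each.
type PKI struct {
	PublicRoots  *x509.CertPool    // stands in for the app's built-in trust store
	LocalRoots   *x509.CertPool    // the same store with the private CA installed
	InternalLeaf *x509.Certificate // issued by the private CA for mollysocket.lan (assumed name)
	WildcardLeaf *x509.Certificate // issued by the public root for *.home.example.com (assumed name)
}

func BuildPKI() PKI {
	publicCA, publicKey := issue("Constructed Public Root", nil, true, nil, nil)
	localCA, localKey := issue("Constructed Local Authority", nil, true, nil, nil)
	internalLeaf, _ := issue("mollysocket.lan", []string{"mollysocket.lan"}, false, localCA, localKey)
	wildcardLeaf, _ := issue("*.home.example.com", []string{"*.home.example.com"}, false, publicCA, publicKey)

	publicRoots := x509.NewCertPool()
	publicRoots.AddCert(publicCA)
	localRoots := x509.NewCertPool()
	localRoots.AddCert(publicCA)
	localRoots.AddCert(localCA)
	return PKI{publicRoots, localRoots, internalLeaf, wildcardLeaf}
}

func main() {
	p := BuildPKI()
	fmt.Println("internal leaf, built-in roots:    ", VerifyAs(p.PublicRoots, p.InternalLeaf, "mollysocket.lan"))
	fmt.Println("internal leaf, local CA installed:", VerifyAs(p.LocalRoots, p.InternalLeaf, "mollysocket.lan"))
	fmt.Println("wildcard, one label:              ", VerifyAs(p.PublicRoots, p.WildcardLeaf, "mollysocket.home.example.com"))
	fmt.Println("wildcard, apex:                   ", VerifyAs(p.PublicRoots, p.WildcardLeaf, "home.example.com"))
	fmt.Println("wildcard, two labels:             ", VerifyAs(p.PublicRoots, p.WildcardLeaf, "a.b.home.example.com"))
}
```

The first two calls are the reporter's situation: the same leaf is rejected with the stock roots and accepted once the private CA is in the pool, so "allow self-signed" in the client amounts to adding a per-server root to exactly this check and nothing else. The last three show the caveat that comes with the wildcard route suggested above: `*.home.example.com` is good for `mollysocket.home.example.com`, but not for the apex name or for a second level of subdomains, so the name the client is pointed at has to be one label below the wildcard.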

jwjenkin commented 6 months ago

I'll be that guy and ask for self-signed to be allowed 🙂 Granted, it would have to be an "advanced" option, but I sign all my bits locally around my network, most of which is only accessible via a WireGuard connection that is on when I leave the network.