hassio-addons/addon-nginx-proxy-manager

NPM is not saving certificates in /ssl/ folder

AlixerVolkov opened this issue · 16 comments

Problem/Motivation

Add-ons are going to the default SSL path and NPM is not generating the certificate there.

Expected behavior

Add-ons read this folder to get the proper private key and certificate.

Actual behavior

I tried to copy the full path \addon_configs\e399101c_nginxproxymanager\letsencrypt\live\npm-3 (it's an example) and pasted it into AdGuard or any other add-on; it's not working.

Steps to reproduce

Proposed changes

Save the certificates, like the DuckDNS add-on does, in the proper /ssl/ path and merge all certificates into a single PEM file.

Good question: how should add-ons like AdGuard or Vaultwarden work with the new location of the certificates?

Hi @MartinKuhl,
I manually moved all my certificates to the /ssl folder, renamed them (for example) to unifi.pem, adguard.pem, ... and reconfigured every related add-on. It's a workaround and it's working for me.

Regards,

I did something similar, but this is not a solution I want to repeat after each certificate renewal.

Hi all 👋

This is no longer supported and will also not return.

The add-on is now self-contained, which means backups/restores are now complete too. This won't be possible with the request above.

The right way to handle this is to use the reverse proxy to terminate SSL on other interfaces (in the end, that is the main purpose of this reverse proxy to begin with).

../Frenck

Hi @frenck, I am a little bit confused. The question was regarding the location where the certificates are stored. Your answer is not addressing this specific question. Could you please explain how we now should move to generated certificates?
It is not possible to point the other add-ons to the new location.

No comments...

Hi @frenck, I am a little bit confused. The question was regarding the location where the certificates are stored.

No, it was not. Let me share a screenshot of the issue:

[screenshot: CleanShot 2024-01-17 at 20 15 17@2x]

The actual new storage location is in there as well (\addon_configs\), which is related to: "Add-ons are going to the default SSL path and NPM is not generating the certificate there.", which is correct. The add-on no longer stores it there. My answer was exactly towards the issue description.

Could you please explain how we now should move to generated certificates?

I'm not following that question? This add-on always mostly relied on Let's Encrypt. Certificates are always generated?

It is not possible to point the other add-ons to the new location.

Correct.

../Frenck

The main question is: how should we move the generated certificates so that other add-ons can access them under /ssl?
I am trying a shell script to perform a copy action. Any other suggestions?

The main question is: how should we move the generated certificates so that other add-ons can access them under /ssl?

As answered above, you cannot anymore.

Instead, use this add-on for what it is: a reverse proxy that terminates SSL (SSL offload) for an add-on.

../Frenck

The main question is: how should we move the generated certificates so that other add-ons can access them under /ssl? I am trying a shell script to perform a copy action. Any other suggestions?

In one word: manually. Another option: self-signed certificates, which can be generated by openssl.

  • WireGuard provides its own tool:

Option: server.private_key (optional)
Allows you to provide your own base64 private key generated by wg genkey. This option supports the use of !secret. If you don't supply one, the add-on will generate one for you and store it in: /ssl/wireguard/private_key.

  • For AdGuard, it's not clear what you mean. If the purpose is just to get access to the UI via HTTPS, then why not use the proxy for this, as @frenck suggests? Otherwise I see only one option where it can be used, DNS-over-TLS, and self-signed should be enough for it.

The main idea is that you should use different certificates for independent hosts, even if they are virtual, for security isolation. If one certificate is compromised, it does not affect the security of the others.

The only difference between a self-signed certificate and one issued by "Let's Encrypt" is that the latter is issued by a validated authority. Web browsers will accept it without annoying warnings for users; otherwise the responsibility to validate the certificate is delegated directly to the user, by clicking the "Continue anyway" button or closing the tab.

Because of this, using a single wildcard certificate from "Let's Encrypt" in NPM is more than enough for proxying all your web UI or API services over internet port 443 via your sub-domains. Other services which you want to access from the internet via dedicated ports (OpenVPN, WireGuard, L2TP, etc.) should have their own certificates, no matter whether self-signed or issued by other authorities.

Moreover, you are constantly using self-signed certificates when using an SSH connection, under the hood of the Visual Code server, etc.; I don't see a big deal in this.

So if someone would like to have a single certificate for all the stuff on Home Assistant hosts, then they must figure it out by themselves, since it does not look like a general approach. Predicting the further question: if it worked earlier, that does not mean it was correct.
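The per-host self-signed approach suggested in the comment above, as an added shell example that is not from the add-on or from anyone in this thread: it assumes OpenSSL 1.1.1 or newer and takes the output directory as a parameter (on Home Assistant that would be /ssl); the host names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the add-on or the thread): one self-signed certificate
# per host, stored as key + cert files and as a single combined PEM so that an
# add-on expecting a certificate path under /ssl can point at it.
# Assumption: openssl 1.1.1+ is installed; outdir is a parameter (e.g. /ssl).
set -eu

# make_selfsigned_cert <hostname> <outdir> [days]
# Writes <outdir>/<host>.key, <outdir>/<host>.crt and a combined <outdir>/<host>.pem.
# Every host gets its own key pair, so one compromised key does not expose the others.
make_selfsigned_cert() {
    host="$1"; outdir="$2"; days="${3:-365}"
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$days" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$outdir/$host.key" \
        -out "$outdir/$host.crt" >/dev/null 2>&1
    chmod 600 "$outdir/$host.key"
    # Single-file layout (key first, then certificate), like the DuckDNS add-on
    # mentioned in the issue
    cat "$outdir/$host.key" "$outdir/$host.crt" > "$outdir/$host.pem"
    chmod 600 "$outdir/$host.pem"
}

# cert_matches_host <pemfile> <hostname>
# Returns 0 when the certificate's SAN lists the host AND the private key in the
# same file matches the certificate; a sanity check before pointing an add-on at it.
cert_matches_host() {
    pem="$1"; host="$2"
    openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q "DNS:$host" || return 1
    # Compare the public key derived from the private key with the one in the cert
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}
```

Point the add-on at <outdir>/<host>.pem for both certificate and key, or at the .crt/.key pair if it wants them separately.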

Thanks for your explanation.
AdGuard is maybe not the best example. Let's look at Vaultwarden. To access the web UI or to use the Bitwarden apps, self-signed certificates are not enough.

I did not use Vaultwarden before; I have installed it just now and don't see an issue reaching it through NPM with an LE certificate. Please describe more details if you have some.

Maybe I am stupid, but in the add-on configuration you have to define a path with the certificate. The add-on forces a location under /ssl, but NPM writes the certificates under /addon_config.
I tried to write a copy script, but /addon_config is not accessible from the HA supervisor.

A certificate is required only if the ssl option is enabled.

For Vaultwarden you have to enable it to access the web UI.

Nope, it's optional; you may disable it, remove the HTTPS port and reach it over HTTP.