[FEAT] Replace self signed SSL certificate and also add to browser cert management

Question

[FEAT] Replace self signed SSL certificate and also add to browser cert management

avoiceofreason opened this issue a year ago · 6 comments

Is this a new feature request?

I have searched the existing issues

Wanted change

Please add documentation to provide the simplest way to replace the existing self signed SSL certs for Webtop docker image with new generated self signed certs and then add cert authority into browser cert management

Reason for change

Require browser to access local webtop docker service without "unsafe" browser flag and to have my own self signed certs that match my local server name e.g. server01.local
Do not want to add unnecessary proxy layer with separate nginx and ssl certs.
Unsure exactly how existing certs are generated and configured

Proposed code change

Looks like webtop uses nginx with certs located in /config/ssl (cert.key and cert.pem)

I don't know enough about certs but assume it is something like:

1.Generate CA's e.g. private key cert.key and then root cert cert.pem
2.Generate site private key and csr
3.Use all of the above to generate a signed cert .crt
4.Configure nginx to use signed cert for site e.g. site key and site crt
5.Import ca .pem into browser as authority

Documentation for linux user to perform all the above. Appreciated.

Answer 1 · 2024-01-15T20:02:12.000Z

Our recommendation is to use a reverse proxy:
https://docs.linuxserver.io/general/swag/

Answer 2 · 2024-01-16T08:56:53.000Z

As stated in the ticket I do not want to use an unnecessary proxy server.

However no matter I have now managed to work out how to add new self signed certs.

I have documented the process. Let me know if you are interested in the docs.

Answer 3 · 2024-01-16T13:43:52.000Z

What I meant was we are not interested in adding that info to the docs because we recommend a reverse proxy.

Thanks for the offer, though.

Answer 4 · 2024-03-21T19:35:52.000Z

@avoiceofreason Could you possibly share your documentation? I am trying to do the same thing without a reverse proxy (even though I know a reverse proxy is the official recommendation). Thanks!

Answer 5 · 2024-03-26T16:36:45.000Z

Figured out how to do this. @aptalca, I know you recommend a reverse proxy, so if you would really rather this information not be out there for some reason, I can certainly take it down. I did want to share how I did this in case it would be useful to others.

The default LinuxServer.io certs are located in /config/ssl. To replace them, I simply mounted my certs to the location of the existing certs and then started the container. Here is some example code within my compose.yml file:

volumes:
    - ./WebTop:/config
    - /var/run/docker.sock:/var/run/docker.sock #optional
    - /path/to/your/certs/fullchain.pem:/config/ssl/cert.pem # map public key to cert.pem
    - /path/to/your/certs/privkey.pem:/config/ssl/cert.key # map private key to cert.key

You can also simply replace the text inside of cert.pem and cert.key, however you will need to run docker restart for the changes to take effect.

Answer 6 · 2024-03-26T22:31:13.000Z

Posting here is fine. But we won't add it to the readme or docs.