Custom SSL certificate

Hello,

I want my YunoHost container to serve the SSL cert. In my old config it was a reverse proxy which served the SSL cert, but that created bugs for some apps (like ttrss or funkwhale).

Config

I have an nginx reverse proxy which manages my SSL certificates. I want YunoHost to use the certificates generated by the reverse proxy, so I copy the cert from my reverse proxy to my YunoHost container in /etc/yunohost/certs/domain.tld/.

When I run yunohost domain cert-status, the CA and summary are good.

Problem

  1. My Android apps ask me to validate a certificate, but its SHA256 isn't the same as that of the crt.pem file present in /etc/yunohost/certs/domain.tld/.
    Where is the crt file that YunoHost uses stored?

  2. I have Funkwhale installed on a subdomain (so it has its own certificate). When I try to reach it, the browser gives SSL_ERROR_BAD_CERT_DOMAIN. When I look at which certificate is served, the SHA256 isn't the right one, and it looks like an old SSL certificate I used for another domain…

So here is my question: how can I be sure that YunoHost takes the SSL certificate we paste into /etc/yunohost/certs/domain.tld/ into account? How can I check which certificates it uses for each domain?

Other info

Nginx conf of the reverse proxy:

# Main domain, HTTPS. Note: "listen 443 ssl" needs ssl_certificate and
# ssl_certificate_key directives; they are not shown in this excerpt.
server {
    listen 443 ssl;
    server_name gafamfree.party;

    location / {
        proxy_pass         https://192.168.1.13;
        proxy_redirect     off;
        proxy_read_timeout 60s;

        # Added to the posted config: without this, nginx sends no SNI to the
        # https:// backend, so the backend answers with its default server's
        # certificate rather than the one for this name. nginx also does not
        # verify the backend certificate unless proxy_ssl_verify is enabled.
        proxy_ssl_server_name on;

        proxy_set_header Host            gafamfree.party;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        client_max_body_size 50M;
    }

    error_log  /var/log/nginx/gafamfree.party_error.log;
    access_log /var/log/nginx/gafamfree.party_access.log;
}

# Main domain, plain HTTP: permanent redirect to HTTPS (same effect as the
# original rewrite, written the idiomatic way).
server {
    listen 80;
    server_name gafamfree.party;
    return 301 https://gafamfree.party$request_uri;
}

# Subdomain (Funkwhale), HTTPS. Same remarks as above: the ssl_certificate
# directives are not shown, and SNI is only forwarded with proxy_ssl_server_name.
server {
    listen 443 ssl;
    server_name audio.gafamfree.party;

    location / {
        proxy_pass         https://192.168.1.13;
        proxy_redirect     off;
        proxy_read_timeout 60s;

        # Added to the posted config (see the comment in the first block).
        proxy_ssl_server_name on;

        proxy_set_header Host            audio.gafamfree.party;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        client_max_body_size 50M;
    }

    error_log  /var/log/nginx/audio.gafamfree.party_error.log;
    access_log /var/log/nginx/audio.gafamfree.party_access.log;
}

# Subdomain, plain HTTP: permanent redirect to HTTPS.
server {
    listen 80;
    server_name audio.gafamfree.party;
    return 301 https://audio.gafamfree.party$request_uri;
}

Thx :smiley:

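The two questions in the post (which certificate file each vhost points at, and whether the certificate actually served for a name is the one in /etc/yunohost/certs/domain.tld/crt.pem) can be answered from a shell. The script below is an added example, not code from the original post or from the YunoHost project. It assumes openssl and awk are installed, that the YunoHost vhosts live in /etc/nginx/conf.d/*.conf, and that nginx reads certificate files only at start or reload (so a freshly copied crt.pem is not served until nginx is reloaded). The fingerprint check sends the name as SNI, which is what browsers and Android apps do, so a mismatch reproduces what they see; it also demonstrates the failure mode in the post, where a name with no matching vhost gets the default server's certificate.

```shell
#!/bin/sh
# Added example, not from the original post: find out which certificate file
# each nginx server block points at, and compare what the TLS endpoint really
# serves for a given SNI name against the PEM file on disk.
# Assumptions: openssl and awk are installed; YunoHost vhosts are in
# /etc/nginx/conf.d/*.conf and reference /etc/yunohost/certs/<domain>/crt.pem.

# Print "server_name certificate_path" for every ssl_certificate directive in
# the .conf files of the given directory. Only the first name of a server_name
# line is kept, and the most recently seen server_name is assumed to belong to
# the same server block (true for YunoHost-generated vhosts).
nginx_cert_map() {
    awk '
        /^[[:space:]]*server_name[[:space:]]/     { sub(";", "", $2); name = $2 }
        /^[[:space:]]*ssl_certificate[[:space:]]/ { sub(";", "", $2); print name, $2 }
    ' "$1"/*.conf 2>/dev/null | sort -u
}

# SHA-256 fingerprint (colon-separated hex) of the certificate in a PEM file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate served by host:port when the
# client sends "name" in the TLS SNI extension. A mismatch with the local file
# means either the old file is still loaded (nginx reads certificates at
# start/reload) or no server block matches the name, so nginx answered with
# the default server's certificate. Prints nothing if no certificate came back.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# DNS names (subjectAltName entries) a PEM certificate is valid for, one per
# line. Wildcard entries are printed as-is and must be matched by hand.
cert_names() {
    openssl x509 -in "$1" -noout -text | grep -Eo 'DNS:[^,[:space:]]+' \
        | sed 's/^DNS://' | sort -u
}

# Returns 0 when the served certificate is the one in the file and the file
# covers the requested name; returns 1 otherwise and prints the reason.
check_domain() {
    name=$1 host=$2 port=$3 pem=$4
    want=$(file_fingerprint "$pem")
    got=$(served_fingerprint "$host" "$port" "$name")
    if [ -z "$got" ]; then
        echo "$name: no certificate received from $host:$port"
        return 1
    fi
    if [ "$got" != "$want" ]; then
        echo "$name: served $got but $pem is $want (reload nginx, or no vhost for this name)"
        return 1
    fi
    if ! cert_names "$pem" | grep -qx "$name"; then
        echo "$name: $pem is not valid for this name (SANs: $(cert_names "$pem" | tr '\n' ' '))"
        return 1
    fi
    echo "$name: OK, served certificate matches $pem"
}

# Usage on the YunoHost box (not run here; the host and paths are the ones
# from the post):
#   nginx_cert_map /etc/nginx/conf.d
#   check_domain audio.gafamfree.party 192.168.1.13 443 \
#       /etc/yunohost/certs/audio.gafamfree.party/crt.pem
```

Run check_domain once against the YunoHost container's IP (so the reverse proxy is out of the picture) and once against the public name through the proxy; if the first passes and the second fails, the wrong certificate is coming from the proxy, not from YunoHost.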