Hardware: Old laptop or computer
YunoHost version: 11.2.22
I have access to my server: Through SSH | through the webadmin | direct access via keyboard / screen
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no
Description of my issue
So, I’ve been using a raspi 4. I can only use a raspi 4 plugged into the ethernet port of my router, and therefore I can only port forward to my raspi. It’s a limitation in the standard att router, and not something I can fix. The raspi is also small enough that I can leave it next to the router without hassle. I want to keep it this way.
I was hoping to offload some work from the raspi (because sometimes it gets flooded and chokes, killing any access, even via ssh, especially with immich). Please see this kind-of-related github issue:
The issue starts here: I can not access the local webpage. I modify my hosts file, and correctly point it as I had done previously for my raspi 4, but I get HSTS errors when I try to go to the domains. I have self-signed certificates, but what’s the point if I can’t use them? I can not activate these domains via Let’s Encrypt, because I can not port forward to this machine.
My thoughts were to use the redirect app, have the raspi be a reverse proxy for this other machine. I have some questions about the exact way to do it, which I planned to test through trial and error so I had an understanding, but ultimately I get stuck because of HSTS. I do not know my way around nginx well enough to intuitively know what to change. I found a thread showing how to set up HSTS, so I think I’m going to try to follow that, but do the opposite.
On a side note, getting yunohost installed on this computer was surprisingly tumultuous. It went from writing partition errors to grub errors to UEFI errors, oh my. The raspi image installer was so silky smooth, kudos to whoever worked on that.
TL;DR How to disable HSTS? Doesn’t HSTS make the self-signed certificates useless?
Browsers also keep telling me, “But it is for your own good!”, even if I just want to access a trial page at a development laptop on my desk.
HSTS should break self-signed certificates. Even so, if you don’t mind using a Chromium-based browser, I found this 5-year-old post that tells how you could, back then, circumvent the policy:
Probably it has been phased out by now, but it may be worth a try.
Another option would be to get a certificate anyway. I have a couple of machines that are not accessible via the Internet, but that have a webpage anyway. That page would be inaccessible, because they wouldn’t have a valid certificate. Do you have your own domain, and access to its DNS? In that case you can use DNS-01 challenge.
Using DNS-01 I got valid certificates for addresses in private ranges. Downside could be that you’ll have to register the FQDN of your laptop/YNH-machine using the private IP in DNS. There are multiple threads over at the Let’s Encrypt fora, here is an example that ends in “solved”: DNS challenge and CN record - basics? - Help - Let's Encrypt Community Support (I didn’t read all of it, but it should give you some pointers).
Thank you for the response! I’ll be sure to look into getting a private-range certificate.
Fun fact: thisisunsafe has NOT been phased out. Just worked on an up-to-date Microsoft Edge installation 126.0.2592.113 (Official build) (64-bit). Thank you for bringing this to my attention, since now I can start to tinker!!!
And I agree that HSTS should break self-signed certificates, but I want self-signed certificates to work, and therefore I do not want HSTS.
This issue is surely from YunoHost’s side. HSTS is configurable, and defined by the server (I’m pretty sure). YunoHost explicitly says “WARNING: Current certificate is self-signed. Browsers will display a spooky warning to new visitors!”, and not “Warning: this domain will be entirely inaccessible until you get a certificate from a trusted CA”. On my raspi, I was able to access these pages without HSTS errors. Why is it different on this other machine? Even with your workarounds, I want to access this page via HTTP at times (it doesn’t deliver any sensitive info), and HSTS completely prevents that, even if you have a valid certificate.
Thank you again!!! Your response has enabled me to keep going!
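What the post above runs into is the browser side of HSTS rather than anything the server can undo on the spot. The toy model below is an added illustration (it is not YunoHost code and not the poster's configuration; the hostnames and timestamps are constructed). It parses a `Strict-Transport-Security` header the way RFC 6797 describes, keeps the resulting policy in a per-browser cache, and then shows what happens to later navigations: `http://` gets rewritten to `https://`, and a certificate error on a known host is not bypassable, including subdomains when `includeSubDomains` was sent. The preload list and the typed Chromium override mentioned in the thread are deliberately left out of the model.

```python
"""Toy model of browser HSTS handling (RFC 6797), added as an illustration.
Not YunoHost code and not the poster's configuration; names are constructed."""
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # unix time after which the policy is forgotten
    include_subdomains: bool  # the header carried includeSubDomains


def parse_hsts(header_value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None for an invalid header (missing, duplicate or non-numeric max-age),
    which a browser simply ignores."""
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """The browser's store of known HSTS hosts."""

    def __init__(self) -> None:
        self.entries: Dict[str, HstsEntry] = {}

    def observe(self, host: str, over_tls: bool, cert_trusted: bool,
                header_value: str, now: float) -> bool:
        """Record the policy from a response; True if it was accepted.
        Only a response over HTTPS with a trusted certificate can set (or clear)
        a policy, so a self-signed host cannot set one, but a policy set earlier
        for the same name by a trusted certificate still applies to it."""
        if not (over_tls and cert_trusted):
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = HstsEntry(now + max_age, include_subdomains)
        return True

    def is_known(self, host: str, now: float) -> bool:
        """True if host, or a parent that sent includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def navigate(self, url: str, cert_trusted: bool, now: float) -> Tuple[str, str]:
        """Return (effective_url, outcome): "plain_http", "ok",
        "warning_bypassable" (untrusted cert, exception offered) or
        "blocked" (untrusted cert on an HSTS host, no exception offered)."""
        parts = urlsplit(url)
        known = self.is_known(parts.hostname or "", now)
        if parts.scheme == "http" and known:
            parts = parts._replace(scheme="https")   # the HSTS upgrade
        url = urlunsplit(parts)
        if parts.scheme == "http":
            return url, "plain_http"
        if cert_trusted:
            return url, "ok"
        return url, "blocked" if known else "warning_bypassable"


def scenario() -> list:
    """Constructed walk-through of the thread: a name first served with a trusted
    certificate plus HSTS, then re-pointed at a machine with a self-signed one."""
    cache = HstsCache()
    t0 = time.time()
    cache.observe("cloud.example.test", True, True,
                  "max-age=63072000; includeSubDomains", t0)
    return [
        cache.navigate("http://cloud.example.test/", True, t0),           # upgraded, ok
        cache.navigate("https://cloud.example.test/", False, t0),         # blocked
        cache.navigate("https://photos.cloud.example.test/", False, t0),  # blocked via includeSubDomains
        cache.navigate("https://lab.example.test/", False, t0),           # warning, but bypassable
    ]


if __name__ == "__main__":
    for effective_url, outcome in scenario():
        print(f"{effective_url:45} {outcome}")
```

The cache is the point: removing the header from nginx stops new visitors from learning the policy, but a browser that already cached it keeps enforcing it until `max-age` runs out or the server sends `max-age=0` over a connection with a trusted certificate (clearing the entry in the browser's site data works too). That is why a name that was previously served by the raspi with a Let's Encrypt certificate stays locked to HTTPS on the new machine, while a name the browser has never seen with HSTS only gets the ordinary bypassable warning.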
In the file: `/etc/nginx/conf.d/yunohost_admin.conf`
remove the line that starts with `more_set_headers "Strict-Transport-Security"`
and Bob’s your uncle.
I hold that this line almost goes against the entire purpose for self-signed certificates.
Edit: Got DNS-01 validation to work. The tricky part is doing a half-decent job integrating it with yunohost. I just deleted the self-signed certificates, and made a symbolic link to the certbot output. On that note, I had to install certbot for this, since I didn’t know how to use the yunohost integration. I hope that doesn’t cause problems down the line.
Unfortunately, Squarespace ruined what was once good, the desirable Google domains. I was silly and put the full certbot output in the DNS field. Silly me, if it tells you to put _acme-challenge.sub.domain.tld, you just put _acme-challenge.sub – the more you know.
But… It turns out that downstream DNS doesn’t matter. Looks like the upstream server (which I can access with regular YunoHost-provided Let’s Encrypt) hijacks the keys. As long as it authenticates, the page loads without issue. This confused me prior, because as long as you have set an exception in Firefox, reloading the page still gives that “no encryption” warning.
sooo… looks like I really over-complicated this. Except the HSTS. That was wrong.
TL;DR if you have an upstream server with redirect, you should be good just getting that one a certificate.
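The DNS-01 suggestion earlier in the thread and the record-name mix-up in the edit above both come down to two details of RFC 8555 section 8.4: the TXT record lives at `_acme-challenge.<name>` (entered relative to the zone in most provider forms, hence `_acme-challenge.sub` rather than the full name), and its value is a digest of the token and the account key thumbprint, not the token itself. The helper below is an added example, not certbot's or YunoHost's code; the account key, token and DNS zone are constructed values, and `ca_would_accept` only imitates the CA's lookup against an in-memory dictionary instead of real DNS.

```python
"""DNS-01 challenge helper (RFC 8555 section 8.4), added as an illustration.
Not certbot's or YunoHost's code; every key, token and zone below is constructed."""
import base64
import hashlib
import json
from typing import Dict, List, Optional

B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required
    members only, sorted, no whitespace. Extra members like "kid" must not matter."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """What goes in the TXT record: base64url(SHA-256(token "." thumbprint)).
    Publishing the raw token instead is the classic mistake and fails validation."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(identifier: str, zone: Optional[str] = None) -> str:
    """Name of the TXT record: _acme-challenge.<name>. A wildcard *.domain.tld is
    validated at domain.tld itself. With zone given, the name is returned relative
    to that zone, the form most DNS provider forms expect ("_acme-challenge.sub")."""
    name = identifier.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    absolute = f"_acme-challenge.{name}"
    if zone is None:
        return absolute
    zone = zone.lower().rstrip(".")
    if name == zone:
        return "_acme-challenge"
    if not name.endswith("." + zone):
        raise ValueError(f"{identifier} is not inside zone {zone}")
    return absolute[: -(len(zone) + 1)]


def ca_would_accept(published: Dict[str, List[str]], identifier: str,
                    token: str, thumbprint: str) -> bool:
    """Imitate the CA's check: some TXT value at _acme-challenge.<name> must equal
    the expected digest. `published` stands in for the DNS zone (constructed)."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in published.get(dns01_record_name(identifier), [])


# Constructed account key and token: shaped like real ones, not a real account.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
              "kid": "https://acme.example.test/acct/1"}   # extra member, ignored
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def publish_for(identifier: str, zone: str) -> dict:
    """What you would type into the DNS provider's form for this identifier."""
    thumbprint = jwk_thumbprint(SAMPLE_JWK)
    return {"record_type": "TXT",
            "relative_name": dns01_record_name(identifier, zone),
            "absolute_name": dns01_record_name(identifier),
            "value": dns01_txt_value(SAMPLE_TOKEN, thumbprint)}


if __name__ == "__main__":
    print(publish_for("sub.domain.tld", "domain.tld"))
```

Two practical consequences follow from the code: the value changes with every issuance because the token is fresh each time, so renewals need a DNS API plugin or hook rather than a hand-typed record, and the validation never contacts the host being certified, which is exactly why it works for a name that resolves to a private address (provided, as noted earlier in the thread, that name actually exists in DNS).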