Description

After setting up the Reverse Proxy, you probably noticed your web browser warning you about an invalid certificate or your connection not being private, perhaps with error message NET::ERR_CERT_AUTHORITY_INVALID. As you experiment with more services, you'll find some of them don't work at all on https, or only offer limited functionality.

There are two ways of solving this: buy a domain name and get a TLS certificate from a Trusted Root Certificate Authority (e.g., LetsEncrypt), or create your own Certificate Authority certificate and install it on all your devices.

Note: TLS is the successor to SSL. You will often see people using them interchangeably.

tl;dr Version

This should be the quickest way of generating a self-signed certificate, but I suggest reading through the explanation below, as it helps to understand what exactly you're doing here.

mkdir -p ~/tls/wildcard4
cd $_

cat << 'EOF' >> csr.conf
[req]
distinguished_name = dn
req_extensions = req_ext
prompt = no

[dn]
C = ZA
ST = State
L = Locality
O = Crganisation
OU = Organisational Unit
CN = proxmox.box

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = proxmox.box
DNS.2 = *.proxmox.box
EOF

# Create a private key and Certificate Signing Request (CSR)
openssl req -newkey rsa:2048 -nodes \
    -config csr.conf \
    -keyout wildcard4.key \
    -out wildcard4.csr

# Sign the CSR using the root CA's private key
openssl x509 -req -sha256 \
    -CA /etc/pve/pve-root-ca.pem \
    -CAkey /etc/pve/priv/pve-root-ca.key \
    -CAcreateserial \
    -days 3650 \
    -copy_extensions copyall \
    -in wildcard4.csr \
    -out wildcard4.crt

rm wildcard4.csr

What now?

You now have two files:

• wildcard4.key - The private key.
• wildcard4.crt - The signed TLS certificate.

This certificate is valid on your internal network for any domain ending in proxmox.box. You just need to:

1. Give both the signed certificate and its matching private key to nginx Proxy Manager
2. Every device accessing it needs to trust your root CA certificate (pve-root-ca.pem)

For step 1 head back to the section on nginx Proxy Manager. Step 2 follows below here.

Trusting Certificates on Windows

In an elevated prompt, run:

Import-Certificate -FilePath 'pve-root-ca.pem' -CertStoreLocation 'Cert:\LocalMachine\Root'

If you prefer using the GUI:

• Open Certificate Manager by running certmgr.msc
• Navigate to "Trusted Root Certification Authorities"
• On the menu, select Action > All Tasks > Import...
• Place all certificates in the following store: "Trusted Root Certification Authorities"
• You should be prompted: "You are about to install a certificate from a CA claiming to represent Proxmox Virtual Environment"

Trusting Certificates on Linux

• Get a copy of the public certificate.
• If it's not in .crt format, convert it from .pem to .crt:
  • openssl x509 -in pve-root-ca.pem -inform PEM -out pve-root-ca.crt
• Copy it to the folder: /usr/local/share/ca-certificates/
• Run the command: update-ca-certificates
• Test that it works:

wget https://192.168.100.2:8006

Trusting Certificates on Android

• Copy the certificate to your phone's storage.
• To install, just double tap the certificate in a file browser.
• When installing, choose "VPN or Apps".
  • "WiFi certificate" is for 802.11 authentication.

Removing a Certificate on Android

• To remove a user installed certificate, open Settings and navigate to:
  • Passwords & Security > Privacy > Encryption & credentials > Credential storage > User credentials

Why, How and What?

• Why: Your browser and your servers want to ensure their connection is secure.
• How: Your browser trusts Certificate Authorities. Therefore any certificate they've signed, your browser will trust. If your browser trusts a certificate, it can create a secure connection with a server that owns the certificate (i.e., holds the private key).
• What: Your server creates a Private Key and a Certificate Signing Request. It sends the CSR to the Certificate Authority. The Certificate Authority verifies your identity, and if it is satisfied, signs the CSR which results in a Signed Certificate. It then returns the Signed Certificate to the server.

How does this secure the connection?

• The browser connects to the server and the server sends it a copy of its TLS certificate.
• The browser checks to make sure the TLS certificate was signed by a Certificate Authority it trusts.
• The browser generates a symmetric session key, and encrypts this using the server's certificate. It then sends this encrypted session key to the server.
• The server decrypts the encrypted session key using the private key that corresponds to its certificate.
  • Anyone can encrypt data using the TLS certificate, but only the corresponding private key can decrypt data.
• Now that both the browser and the server have a decrypted copy of the session key, they both encrypt their traffic using it.
• Once the connection is closed, they discard the session key.

LetsEncrypt and ACME Protocol

Let's Encrypt is a non-profit Certificate Authority that provides certificates free of charge. Using the Automatic Certificate Management Environment protocol, the request and renewal of certificates can be automated using tools such as certbot.

See Also

External Links

• SSL, TLS, HTTPS Explained - YouTube
• Manually Generate a Certificate Signing Request (CSR) Using OpenSSL - SSL.com