
Add SAN name to self signed TLS cert?

By @luckman212
    2024-04-12 13:30:36.473Z
    Assigned to: @david

    Hello,

    I read https://tinypilotkvm.com/faq/own-tls-key/ but didn't find my answer there. I have a Voyager 2a with v2.6.3 and am using it with Tailscale for anywhere access. All working great! I use macOS.

    I'd like to avoid the big red Chrome warning by importing and trusting the self-signed TLS cert. But even after doing so, it barks at me and does not like it (Safari doesn't!)

    I think it may be because the DNS name I'm using to access the device via Tailscale (tinypilot.ts—a manual DNS name I created in my /etc/hosts file) is not present in the CN or SAN fields of the cert. Is there a way to regenerate the certs adding this entry? Or am I barking up the wrong tree here? Any ideas on how to make this work?

    • 4 replies
    1. David @david, 2024-04-15 12:02:21.387Z

      Hi @luckman212, thanks for your question!

      I think it may be because the DNS name I'm using to access the device via Tailscale (tinypilot.ts—a manual DNS name I created in my /etc/hosts file) is not present in the CN or SAN fields of the cert.

      That sounds like it could be the issue. TinyPilot's cert is valid for its hostname, the .local variant, the .localdomain variant, and its static IP address (if applicable). So if you access TinyPilot's web interface with https://tinypilot.ts, the certificate won't be valid and your browser may flag that.

      You can add .ts as an additional Subject Alt Name by editing TinyPilot's cycle-nginx-tls-keys script, cycling your keys, and re-installing the cert on your client machine.

      To edit the script, SSH into your TinyPilot and run the following command to add .ts to the SAN in the script:

      sudo sed --in-place \
        's/^SUBJECT_ALT_NAME=.*/SUBJECT_ALT_NAME="DNS:${HOSTNAME}, DNS:${HOSTNAME}.local, DNS:${HOSTNAME}.localdomain, DNS:${HOSTNAME}.ts"/' \
        /opt/tinypilot-privileged/scripts/cycle-nginx-tls-keys
      

      Then run the script with the following command to regenerate your keys:

      sudo /opt/tinypilot-privileged/scripts/cycle-nginx-tls-keys
      

      Once the script completes, re-install the cert on your client machine.

      If you update your TinyPilot's software, it will overwrite your changes to the script, so you may have to run through those changes again in the future.

      I hope that helps! Please let me know if that works and whether you have any questions.
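      The reply above explains why the warning appears: modern browsers validate the hostname only against the certificate's Subject Alternative Name extension, so a name that is missing from the SAN list fails even if the cert is trusted. The following is an added example, not TinyPilot's code, that implements the hostname-matching rules from RFC 6125 / RFC 5280 (SAN only, Common Name ignored, case-insensitive DNS match, wildcard allowed only as the whole leftmost label, IP literals matched against IP-type SANs) so you can confirm which names a SAN list covers before re-importing a cert. The SAN lists are constructed samples mirroring the default set described in the thread plus the added `.ts` entry; the IP address is made up.

```python
"""Check which hostnames a certificate's SAN list covers (added example, not TinyPilot's code)."""
import ipaddress

# Constructed sample SAN lists: the default set described in the thread, then the patched set.
DEFAULT_SANS = [
    "DNS:tinypilot",
    "DNS:tinypilot.local",
    "DNS:tinypilot.localdomain",
    "IP:192.168.1.50",  # made-up static address
]
PATCHED_SANS = DEFAULT_SANS + ["DNS:tinypilot.ts"]


def parse_sans(entries):
    """Split 'TYPE:value' SAN entries into lowercased DNS patterns and parsed IP addresses."""
    dns_patterns, ip_addrs = [], []
    for entry in entries:
        kind, _, value = entry.strip().partition(":")
        kind, value = kind.strip().upper(), value.strip()
        if kind == "DNS":
            dns_patterns.append(value.lower().rstrip("."))
        elif kind == "IP":
            ip_addrs.append(ipaddress.ip_address(value))
        # Other SAN types (email, URI) play no part in hostname verification.
    return dns_patterns, ip_addrs


def dns_name_matches(pattern, hostname):
    """RFC 6125 style match: exact label-for-label, or '*' standing in for the leftmost label only."""
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels, host_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, may not span dots, and (as a
    # conservative simplification of browser policy) needs at least two labels after it.
    if labels[0] != "*" or len(labels) < 3 or len(labels) != len(host_labels):
        return False
    return labels[1:] == host_labels[1:]


def hostname_matches(hostname, san_entries):
    """True if the name typed into the browser is covered by the SAN list."""
    dns_patterns, ip_addrs = parse_sans(san_entries)
    try:
        addr = ipaddress.ip_address(hostname.strip("[]"))  # accept bracketed IPv6 literals
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal must appear as an IP-type SAN; a DNS entry of the same text does not count.
        return addr in ip_addrs
    return any(dns_name_matches(p, hostname) for p in dns_patterns)


def uncovered_hostnames(hostnames, san_entries):
    """Return the subset of hostnames that would trigger a browser name-mismatch warning."""
    return [h for h in hostnames if not hostname_matches(h, san_entries)]


if __name__ == "__main__":
    names = ["tinypilot.local", "tinypilot.ts", "192.168.1.50"]
    print("before edit, uncovered:", uncovered_hostnames(names, DEFAULT_SANS))
    print("after edit, uncovered: ", uncovered_hostnames(names, PATCHED_SANS))
```

      To feed it the SAN list from a real certificate rather than the constructed sample, dump the extension with `openssl x509 -in cert.pem -noout -text | grep -A1 'Subject Alternative Name'` and pass the comma-separated `DNS:`/`IP Address:` entries in (rename `IP Address` to `IP` or extend `parse_sans` accordingly). If the name you browse to shows up as uncovered, re-importing the cert on the client will not silence the warning; the SAN list itself has to change.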

      1. @luckman212, 2024-04-15 14:48:56.908Z

          @david Awesome! Thanks for the help. This worked perfectly! I would only suggest that in a future release, a field for custom SAN name(s) would be safer than hand-editing the scripts.

          1. David @david, 2024-04-15 18:09:15.713Z

            You're welcome! I'm glad it all works without issues.

            Thanks for the feedback! This is a pretty rare use case. However, I've created a new internal ticket to suggest functionality to add new subject alt names to TinyPilot's certificate. It's not on our short-term roadmap yet, but we’re always working to improve TinyPilot’s software and hardware. We prioritize features based on user demand, so we’ll definitely consider your feedback in our planning.

            1. @luckman212, 2024-04-15 18:25:25.206Z

                Understood, and thank you again.