How to get secured access to OctoPrint - easy

For the longest time, I have been accessing OctoPrint using http://octopi.local/ in my browser's address bar. However, that always gave me a "not secure" address.

However, this morning I've found that instead of connecting to http://octopi.local/ I just need to connect to https://octopi/ (add the 's' after http and remove the '.local') to get a secured connection.

When I clicked on the lock icon on the address bar and viewed the certificate, I found the certificate it was using was 'Bitdefender Personal CA.Net-Defender’. I am using Bitdefender Total Security as my antivirus program on my computer that I am connecting from. In any case, problem solved for me.

Hope this will be of help to others too.


That sounds like your "Bitdefender Total Security" is actually performing what is commonly referred to as a Man-in-the-Middle Attack to rewrite the certificate installed on OctoPi (and frankly that would be a reason for me to switch to a different security suite), because that is actually self-signed, generated on first boot and has also been mentioned in various places in the available documentation.

So just to make this perfectly clear, OctoPrint does not ship with SSL, the reverse proxy on OctoPi however has a self-signed and uniquely generated certificate installed, which is also why https is only an option instead of the default, because self-signed certificates generate quite scary warnings in modern browsers (a topic I could spend hours talking about but won't here). However, it is mentioned in the installation instructions and even on the command line when using SSH or similar.

tldr: OctoPrint does not in fact ship with a certificate signed by "Bitdefender Personal CA.Net-Defender"

Also just for the record, a thread on why no, I can't just ship a certificate that doesn't cause scary warnings in the browser:

@foosel - thanks, I am no security expert for sure.

However, when I first tried this, Bitdefender did pop up a window saying the site was unsafe or the certificate invalid or something like that - I can't remember exactly. However, it gave me an option to accept it, which I did. When I now look into my Bitdefender exceptions, the IP address of my Raspberry running OctoPrint is listed. My guess is that Bitdefender did not rewrite the certificate installed on OctoPi on the Raspberry itself; rather it was whitelisted on my PC for use by my PC, and now it is using one it automatically created itself as a proxy. But again, I am no security expert.

Also, I just noticed the certificate being used has a creation date of today, and an expiry date into next week. It will be interesting to see what happens next week, do I get another pop-up window, or does Bitdefender automatically create a replacement?

In any case, if you can tell me where the certificate on my Raspberry is, and what it should be, I can confirm if that is what it is, or not, on my Pi.

I think this only 'works' when you allow Bitdefender to install a CA authority in your browser which accepts any self-signed certificate as valid.
From a security perspective the very purpose of certificates is to make your browser balk when someone tries to insert an unknown certificate in your communication. Apparently Bitdefender disables that protection, treating the SSL security as a cosmetic issue and helps automate MITM attacks.

The alternative would be to follow the small-print link of the initial warning that https://PRINT.HOST uses a self-signed certificate and allow a permanent exception for this certificate. Or else, be your own Certificate Authority and make Firefox or Chromium-based browsers trust it.
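The question raised earlier in the thread (is the certificate my browser sees the one the Pi actually serves?) can be answered without a security suite's help: copy the reverse proxy's PEM certificate off the Pi and compare its SHA-256 fingerprint with the fingerprint of whatever leaf certificate the client is handed on the wire. The following is an added example written for this thread; it is not OctoPrint or OctoPi code. The Pi certificate path is a placeholder (the thread does not state where OctoPi stores it), and the two PEM strings at the bottom are constructed stand-ins used only to exercise the comparison offline.

```python
"""Compare the TLS certificate a client actually receives with the one
installed on the server, to spot interception between the two.

Added example for this thread, not OctoPrint/OctoPi code. Assumes the
server's PEM certificate has been copied to SERVER_CERT_PATH (placeholder).
"""
import hashlib
import socket
import ssl

# Placeholder: copy the reverse proxy's certificate from the Pi to this path.
SERVER_CERT_PATH = "/path/on/pc/to/octopi-server-cert.pem"


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated uppercase
    hex, the same form browsers show in their certificate viewer."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem: str) -> str:
    """Fingerprint of a PEM-encoded certificate (decoded to DER first)."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


def fetch_server_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate presented to THIS client, without
    validating it: the goal is to see what is offered on the wire, not
    whether some locally installed CA vouches for it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare_certificates(expected_pem: str, observed_der: bytes) -> dict:
    """Report whether the observed certificate is byte-for-byte the expected
    one. A mismatch means something between client and server (a proxy,
    an 'antivirus' TLS scanner, or a real attacker) substituted its own."""
    expected_fp = fingerprint_pem(expected_pem)
    observed_fp = fingerprint_der(observed_der)
    return {
        "expected": expected_fp,
        "observed": observed_fp,
        "match": expected_fp == observed_fp,
    }


def check_host(host: str, cert_path: str = SERVER_CERT_PATH, port: int = 443) -> dict:
    """End-to-end check against a live host using the copied PEM file."""
    with open(cert_path, encoding="ascii") as fh:
        expected_pem = fh.read()
    return compare_certificates(expected_pem, fetch_server_der(host, port))


# Constructed stand-ins (NOT real certificates): valid PEM framing around
# base64 of the bytes b"not-a-real-certificate-A" / b"...-B". They let the
# comparison logic run offline; a real check uses the file on disk.
CONSTRUCTED_PEM_A = (
    "-----BEGIN CERTIFICATE-----\n"
    "bm90LWEtcmVhbC1jZXJ0aWZpY2F0ZS1B\n"
    "-----END CERTIFICATE-----\n"
)
CONSTRUCTED_PEM_B = (
    "-----BEGIN CERTIFICATE-----\n"
    "bm90LWEtcmVhbC1jZXJ0aWZpY2F0ZS1C\n"
    "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    # Offline demonstration with the constructed stand-ins.
    same = compare_certificates(CONSTRUCTED_PEM_A, ssl.PEM_cert_to_DER_cert(CONSTRUCTED_PEM_A))
    swapped = compare_certificates(CONSTRUCTED_PEM_A, ssl.PEM_cert_to_DER_cert(CONSTRUCTED_PEM_B))
    print("direct connection :", same["match"])      # True
    print("substituted cert  :", swapped["match"])   # False
    # Live use (uncomment once SERVER_CERT_PATH points at the copied file):
    # print(check_host("octopi.local"))
```

If `match` is `False` and the observed certificate's issuer is a locally installed CA such as the one named at the top of this thread, the TLS session is being terminated and re-signed on the client side rather than reaching the Pi's self-signed certificate directly. Comparing fingerprints sidesteps the browser's trust decision entirely, which is the point: the browser's lock icon only says a CA it trusts signed the certificate, not that the certificate is the server's own.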