Yes! Thank you! I updated some wording to reflect that
Still a useful tutorial for someone who might want to rotate their keys out.
True. I was just worried that the fact that this is already there was somehow overlooked
Any way to revert to the default certs?
Not unless you backed up the files; if you overwrote the original files you won't be able to. But this is the script that is run on initial boot to complete the process.
This may be a completely stupid question on my part, but why do you go through all the trouble and not just use the standard self-signed certificates that come with the OctoPi image?
There is a necessary section of haproxy.cfg missing from this guide. How did you configure the backend? What goes after backend octoprint?
...
backend octoprint
????
There are no changes required to the backend sections, SSL is all done on the front end.
Hi, I know this is probably old news, but I amended my haproxy.cfg line to remove support for the insecure TLS v1.0 (mainly to stop my network monitoring system alarming :-))
Just change this line in the frontend public section to add the no-tlsv10 at the end.
bind :::443 v4v6 ssl crt /etc/ssl/snakeoil.pem no-tlsv10
Hope it helps.
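Added example, not part of the post above and not OctoPi's own tooling: a small Python check that reads a haproxy.cfg and lists every `ssl` bind line that does not explicitly rule out TLS v1.0, either with `no-tlsv10` as in the post or with HAProxy's `ssl-min-ver` option, on the bind line or in `ssl-default-bind-options`. The sample configs are constructed, and the check looks only at what is written in the file, not at the defaults of the installed HAProxy build.

```python
# TLS versions in ascending order, spelled the way HAProxy's ssl-min-ver expects.
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def _tls10_disabled(tokens):
    """True if these bind/global option tokens explicitly rule out TLS v1.0."""
    if "no-tlsv10" in tokens:
        return True
    if "ssl-min-ver" in tokens:
        idx = tokens.index("ssl-min-ver") + 1
        if idx < len(tokens) and tokens[idx] in ORDER:
            return ORDER.index(tokens[idx]) > ORDER.index("TLSv1.0")
    return False

def audit(cfg_text):
    """Return (line_no, line) for every ssl bind that leaves TLS v1.0 allowed."""
    defaults, binds = [], []
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if not tokens:
            continue
        if tokens[0] == "ssl-default-bind-options":
            defaults += tokens[1:]
        elif tokens[0] == "bind" and "ssl" in tokens[2:]:
            binds.append((no, raw.strip(), tokens[2:]))
    if _tls10_disabled(defaults):
        return []  # global defaults already cover every bind line
    return [(no, line) for no, line, opts in binds if not _tls10_disabled(opts)]

# Constructed sample: the frontend before and after the change from the post.
BEFORE = """\
frontend public
    bind :::80 v4v6
    bind :::443 v4v6 ssl crt /etc/ssl/snakeoil.pem
"""
AFTER = BEFORE.replace("snakeoil.pem", "snakeoil.pem no-tlsv10")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg) or "TLS v1.0 disabled on every ssl bind")
```

To check a real file, pass its contents to `audit()`, for example `audit(open("/etc/haproxy/haproxy.cfg").read())`.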
This was super helpful, thank you!
In case this helps others...
To copy the cert from the pi to your local computer:
scp pi@octopi.local:/etc/ssl/octopi.local.cer /etc/ssl/octopi.local.cer
To trust the cert on your Mac from the command line:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /etc/ssl/octopi.local.cer
Hey hey, so I know this guide's a little old, but I'm pretty sure it's still valid, anyway!
I have followed the steps in this guide but am getting an "ERR_SSL_PROTOCOL_ERROR".
Any ideas on what I'd be doing wrong?
One thing I wanted to double check:
In the sudo openssl req -new -x509 -sha256 -key......
the "IP.1:...."
is that your device's static local IP address?
Regardless, I tried once with local IP and then public IP...
both still giving me the same error in the browser.
Is there a way of getting a cert from another place like cloudflare or something similar?
Yes, it is possible to get a certificate from one of the authorities, but an SSL certificate cannot be issued for Reserved IP addresses (RFC 1918 and RFC 4193 range) / private IP addresses (IPv4, IPv6), Intranet for Internal Server Name, local server name with a non-public domain name suffix.
So if you had one of these certificates then your OctoPrint instance would be publicly accessible which is a bad idea.
It is possible to get around the public facing non-secure aspect of that by using your own internal DNS server. I do that now with my pihole server and point the name to the internal private IP.
What certificate authority are you using?
I am still using my own trusted root certificate authority that I've manually imported into Windows with a Dynamic DNS service.
Late to the party here and sadly not very savvy on the Pi. Still, here I am, muddling my way through all this techno, hopeful for a positive outcome. I do love this little hobby of mine, even when it gets me in high waters of what the ???
Trying to find my 'newly created certs' and get past the NET::ERR_CERT_AUTHORITY_INVALID
Is this post a reference on defaulting these settings? Or a post denoting how to generate an SSL certificate?
The command you are quoting is one for copying a file from the Pi to your local machine. If you are on a Windows machine I would recommend using WinSCP or the FileZilla FTP client to remotely connect to the Pi and transfer the file over to import into your local device to get around that error message.
You can use FileZilla in place of SCP
Hi,
I know this is an old post, and hopefully someone can help.
I have followed the instructions and got https working, and it gets to the login page but I can't log in. I can log in on http, just not on https.
Not sure where I have gone wrong, have checked the setup several times.
Cheers