
To keep it short: I have a web server running (lighttpd on my Raspberry Pi), and I want to be able to HTTPS to this IP from another device (an Arch Linux PC). For this I am trying to just use self-signed certificates by creating a Certificate Authority and server certs.

Here is what I tried and my current setup:

192.168.1.218 (RPI):

#CA
openssl genrsa -aes256 -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3065 -out ca.crt

#Server
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile server.cfg

server.cfg contents:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = 192.168.1.218
DNS.2 = <external IP>

lighttpd config as per docs - https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL:

server.modules += ("mod_openssl")
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/server/server.crt"
    ssl.privkey = "/etc/lighttpd/ssl/server/server.key"
    proxy.server = ( "" => ( ( "host" =>  "127.0.0.1", "port" => 8008 ) ) )
}

Once I had the setup in place, I copied ca.crt from RPI (192.168.1.218) to PC (192.168.1.36) and installed it in Arch following the docs: https://wiki.archlinux.org/title/User:Grawity/Adding_a_trusted_CA_certificate#System-wide_%E2%80%93_Arch,_Fedora_(p11-kit)

Now I try to connect using curl, but I get a certificate error:

curl https://192.168.1.218
curl: (60) SSL certificate problem: certificate is not yet valid
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The same for curl https://192.168.1.218 --cacert ca.crt. Only with the -k (insecure) option am I able to connect and fetch the response successfully. Is there anything I have missed?

RPI lighttpd version: lighttpd/1.4.69 (ssl) - a light and fast webserver

PC Arch curl version: curl 8.8.0 (x86_64-pc-linux-gnu) libcurl/8.8.0 OpenSSL/3.3.0 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.62.1 nghttp3/1.3.0 Release-Date: 2024-05-22

  • "curl: (60) SSL certificate problem: certificate is not yet valid": check the clocks of all the machines involved. Commented Jun 4, 2024 at 10:34
  • How did you know it was the time issue? I had to enable automatic time synchronisation on my Arch PC, and then the error went away. Thank you. Now another issue that I will try to solve is something complaining about the DNS: "curl: (60) SSL: no alternative certificate subject name matches target ipv4 address '192.168.1.218'. More details here: curl.se/docs/sslcerts.html. curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above." Commented Jun 4, 2024 at 10:49
  • "is not yet valid" is pretty explicit about the certificate not being valid at this point in time :) Commented Jun 4, 2024 at 10:52
  • Thanks again, I've been struggling with this for so long. To fix the IP issue, you have to change the cfg: instead of DNS in the .cfg file you have to pass IP. Example: [alt_names] IP.1 = 127.0.0.1 Commented Jun 4, 2024 at 11:01
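
Putting the two comment threads together (client clock skew, and DNS.* versus IP.* SAN entries), the following is an added example, not code from the original post or from the lighttpd docs. It rebuilds the CA and server certificate in a scratch directory, issues one leaf with the poster's DNS.* entries and one with IP.* entries, and then runs with openssl alone the same checks curl performs: chain validation against the CA, the peer-name match for a numeric host (openssl verify -verify_ip), and validity evaluated at a chosen time (-attime), which reproduces "certificate is not yet valid" for a client whose clock lags the server. Assumptions: openssl 1.1.1 or later on the PATH, the LAN address from the post as SERVER_IP, and 203.0.113.10 as a documentation placeholder for the poster's <external IP>. extendedKeyUsage = serverAuth is added beyond the posted server.cfg.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild the CA and server
# certificate in a scratch directory, once with DNS.* SAN entries (the posted
# server.cfg) and once with IP.* entries (the fix from the comments), then
# run the checks curl performs using openssl alone.
# Assumptions: openssl >= 1.1.1 on PATH; SERVER_IP is the LAN address from
# the post; 203.0.113.10 is a documentation address standing in for the
# poster's <external IP>.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_IP="${SERVER_IP:-192.168.1.218}"
EXTERNAL_IP="${EXTERNAL_IP:-203.0.113.10}"

# Private CA. The key is left unencrypted so the script runs unattended;
# the poster's -aes256 passphrase is the better choice for a real CA key.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
        -subj "/CN=Home Lab CA" -out "$WORK/ca.crt"
}

# issue_server NAME KIND: KIND is DNS (the posted cfg) or IP (the fix).
# curl matches a numeric URL host only against IP SANs, so a DNS entry
# holding "192.168.1.218" never satisfies https://192.168.1.218/.
issue_server() {
    name=$1
    kind=$2
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$SERVER_IP" \
        -out "$WORK/$name.csr"
    # Same extensions as the posted server.cfg, plus extendedKeyUsage.
    cat > "$WORK/$name.cfg" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
$kind.1 = $SERVER_IP
$kind.2 = $EXTERNAL_IP
EOF
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 3650 -sha256 \
        -extfile "$WORK/$name.cfg" -out "$WORK/$name.crt" 2>/dev/null
}

# chain_ok NAME: chain validation only, which is what curl --cacert does
# before it looks at the peer name.
chain_ok() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# chain_ok_at NAME EPOCH: the same check evaluated at a chosen time. A value
# earlier than the notBefore of the CA or leaf emulates a client whose clock
# lags the RPi and fails with "certificate is not yet valid".
chain_ok_at() {
    openssl verify -attime "$2" -CAfile "$WORK/ca.crt" "$WORK/$1.crt" \
        >/dev/null 2>&1
}

# ip_ok NAME IP: chain validation plus the peer-name match curl applies
# when the URL host is an IP literal.
ip_ok() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$2" "$WORK/$1.crt" \
        >/dev/null 2>&1
}

make_ca
issue_server server-dns DNS
issue_server server-ip IP

# Print the SANs of both leaves so the difference is visible.
for n in server-dns server-ip; do
    echo "== $n"
    openssl x509 -in "$WORK/$n.crt" -noout -ext subjectAltName
done
```

Both leaves pass chain_ok, which is why the poster's original certificate got past the "not yet valid" stage once the PC clock was synchronised; only the IP.* leaf passes ip_ok for 192.168.1.218. Against the live lighttpd the equivalent check from the PC is openssl s_client -connect 192.168.1.218:443 -CAfile ca.crt -verify_ip 192.168.1.218 </dev/null, looking for "Verify return code: 0 (ok)", and running date on both machines before anything else.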
