I’m just so annoyed of fighting this all the time.

If I can’t figure this out I’m going to disable all https redirecting and all certificate errors off so I can have some peace

EDIT: I do not wish to manage certificates I do not want to setup private key infrastructure I don’t want to use real internet domain names I don’t want to manually install certificates into browsers after fishing them out of my ephemeral virtual machines

I just want to, add exception for *.lan for https auto redirect and auto-accept self-signed certificates as valid. This is not much to ask.

  • ulterno@lemmy.kde.socialBannedEnglish
    0·
    10 months ago

    For the certificate errors, just add a root CA of your own making.
    Disabling auto-https, no idea. Maybe fix the source?

    • Carighan Maconar@lemmy.world
      3·
      10 months ago

      Yeah I was about to say, just do https? It’s not like getting a certificate is still a big deal in modern times, hasn’t in years.

    • ReversalHatchery@beehaw.orgEnglish
      1·
      10 months ago

      does not sound like a good idea. your own CA can sign certs for any other sites too, and it’s dangerous.

      I would say it’s even more dangerous of you just think “nah, it’ll be fine”

        • ReversalHatchery@beehaw.orgEnglish
          1·
          10 months ago

          but it’s their CA so why would they do that?

          I don’t mean them specifically, but that to me managing access to such a CA cert’s keys is security nightmare, because if I somehow get an infection, and it finds the cert file and the private key, it’ll be much easier for it to make itself more persistent than I want it.

          But if you don’t trust your own CA what’s the point of having a CA?

          That’s the point. I don’t recommend having one. I recommend self signed certs that are

          • limited to a lan (sub)domain or a wildcard of it
          • you verified by the fingerprint (firefox can show this)
          • you only allowed for those of your internal services for the cert was intended

          Or if you don’t want to deal with self signed certs, buy a domain and do lets encrypt with the DNS challenge.
          That’s also more secure, but can be more of a hassle, though I guess it depends on preference.

          But then I would use this latter one too if I had opened any services to the internet, but I didn’t because I don’t need to.

            • ReversalHatchery@beehaw.orgEnglish
              1·
              10 months ago

              I’m in a home environment. I don’t have a TPM*, I don’t have yubikeys. And no, certificates won’t be placed on a lot of servers, as

              • I have only one, 2 if you count the raspberry
              • both of them uses a wildcard for its own subdomain, so other servers wouldn’t be affected anyway
        • ReversalHatchery@beehaw.orgEnglish
          1·
          10 months ago

          forgot this part

          P.S. I’m guessing OP doesn’t actually have a CA and is just using simple self signed certificates without any private CA that has signed them.

          I assume that too, however the person I responded to recommended using a full fledged CA cert.

        • ulterno@lemmy.kde.socialBannedEnglish
          0·
          10 months ago

          P.S. I’m guessing OP doesn’t actually have a CA and is just using simple self signed certificates without any private CA that has signed them.

          You’re right. I’m talking about making a certificate using gpg and storing it on your system. Then adding it to the root CA list and signing all your Local SSH stuff with it.