I am setting up my print server again with Pi. This time I am trying to do it right. Instead of just accepting a security exception, I used openssl to create a certificate authority, imported that and the pkcs12 certificate to Firefox. Firefox still says the CA is untrusted, and in Chrome, the message is:
- Yup. One solution is to use a trusted cert (can be pricey).
Here is an "on the cheap" solution. We use Pis internally to test website code (using the same certs that our external servers use).
OK, so use a domain name, and get a free cert from Let's Encrypt. If you do not want to expose your Pi to the WAN, you can use a cheap VPS session like Digital Ocean in a few minutes (cost like a penny - free with a promo code that gets you like $10 in credit) to point domain.com to the VPS, then get the cert and then transfer the cert to the RasPi.
So long as the Pi (and the machine calling it) resolves to the domain name (even using an internal non routable IP), the cert will work fine. We just tar.gz the etc/letsencrypt folder on the digital ocean droplet, and move it to the pi (and untar.gz it).
Our internal machines then can use the host file that can point domain.com to the internal pi.
Plug: the $10 promo code for the free Digital Ocean credit is here: https://code4sale.com/sbc/
(Disclaimer: I get something back if you manage to ever spend enough money at Digital Ocean for them to pay me for the referral).
Just a thought.
Joe, Oct 24, 2016
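A check one could run on the Pi after the copy described in the comment above, as an added example that is not part of the thread: it confirms the certificate covers the name the hosts file points at, still has enough validity left, matches its private key, and that the key is not group- or world-accessible. The function name and the `live/<domain>/` layout with `fullchain.pem` and `privkey.pem` are assumptions.

```bash
# Added example: sanity-check a Let's Encrypt tree after copying it to the Pi.
# Assumption: certbot's usual layout, <dir>/live/<domain>/{fullchain,privkey}.pem.
# Usage: check_copied_cert /etc/letsencrypt domain.com [min_days_left]
check_copied_cert() {
    local dir="$1" domain="$2" min_days="${3:-14}" rc=0
    local cert="$dir/live/$domain/fullchain.pem"
    local key="$dir/live/$domain/privkey.pem"

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "FAIL cannot read $cert or $key"; return 2
    fi

    # 1. The name clients use (via DNS or a hosts entry) must be in the cert.
    if openssl x509 -in "$cert" -noout -checkhost "$domain" | grep -q 'does match'; then
        echo "ok   certificate covers $domain"
    else
        echo "FAIL certificate does not cover $domain"; rc=1
    fi

    # 2. The copy on the Pi is static until a renewed cert is copied over again.
    #    -checkend takes seconds and exits non-zero if expiry comes sooner.
    if openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "ok   valid for at least $min_days more days"
    else
        echo "FAIL expires within $min_days days; copy over a renewed cert"; rc=1
    fi

    # 3. The private key must belong to this certificate (compare public keys).
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "ok   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"; rc=1
    fi

    # 4. Archiving and extracting can loosen modes; the key should be owner-only.
    case "$(ls -lL "$key")" in
        -???------*) echo "ok   private key is not group/world accessible" ;;
        *) echo "FAIL private key is group/world accessible; chmod 600"; rc=1 ;;
    esac
    return $rc
}
```

A return value of 0 means all four checks passed, 1 means at least one failed, and 2 means the files were not found where expected.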
- Thanks for the input. Seems like a security exception and keeping the Pi just on a LAN would work out too. Very interesting idea though. I would think that this would have come up somewhere online before.
Oct 26, 2016