A question related to self-signed certs for self-hosted apps

thermatix

I currently self host a password vault called Alias-Vault. I chose it because it was honestly the easiest and most straight-forward server-based password vault to set up.
But there is an issue, I can't use the alias-vault android app because Android rejects my self-signed certs; SSL-cert issues caused by being self-signed in this case isn't as much of an issue as I only ever access it via my personal tail-scale. Tail-scale encrypts all data going through it and external access is disabled so as far as I know it's not an issue.

I could use let's encrypt (there's a built in facility do this with alias-vault) but this won't work as it requires some external access for the challenge and well, I don't need that as no external access.

I did also try to download and manually add my self signed certs to my phone's cert store but that made no difference, the app refused to connect to my server where I'm hosting alias-vault.

Now I can access alias-vault via my phone's browser but it's not very convenient; so with all that in mind, can I force GrapheneOS to allow self-signed certs so I can get alias-vault android app to work on GrapheneOS?

GrouchyGrape

thermatix this is an alias-vault (likely intentional) limitation. Self-signed certs aren't as secure. If you own the domain, you can download and install a publicly trusted cert, even if you're not going to access it externally. Annoying part is you have to manually reinstall certs as they expire. There are lots of utilities that can automate that, however.

thermatix

@GrouchyGrape according to the Dev of alias-vault this is caused by Android (google's android maybe) where it reject's self-signed cert.

The automation thing is why I liked alias-vault, it has that semi-built in, you still have to do it manually but it's set up as a single command you run (and configured), and it just does it.

I admit I'm new to self-hosting and a bit ignorant to a lot of this.

That's why I'm asking if GrapheneOS can be configured to allow specific self-signed certs on a case-by-case basis?

ttmp01928

I also overcame this, using LetsEncrypt. my biggest challenge was not wanting to open up ports on my edge firewall at home. You can use something like cloudflare (even if they are not the registrar you purchased the domain with) to automate offline domain validation and download new certs automatically every 3 months. This is free and is a one-time setup. (aside from the cost of the domain)

Below is what mine looked like... afterwards, boom green locks inside the house without needing external access, and all my app clients play nice. nginx reverse proxy for all my self-hosted apps. You can even just use DNS on pfsense (or whatever home router you use) to tell your devices where your server is.

#sudo ln -s /var/lib/snapd/snap /snap
sudo snap install certbot --classic
#sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo snap set certbot trust-plugin-with-root=ok

#sudo certbot certonly --manual --preferred-challenges dns

sudo certbot certonly --manual --preferred-challenges dns --force-renewal --register-unsafely-without-email --agree-tos --domains *.[YOUR_DOMAIN]
#restart nginx to load new certs
sudo nginx -t
sudo systemctl restart nginx.service

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/[YOUR_DOMAIN]/fullchain.pem
Key is saved at: /etc/letsencrypt/live/[YOUR_DOMAIN]/privkey.pem
This certificate expires on XXXXXXX.
These files will be updated when the certificate renews.

https://davidaugustat.com/web/set-up-lets-encrypt-on-intranet-website

Put in host override on pfsense:
Services -> DNS Resolver -> Host Overrides

Automating Let's Encrypt with DNS-01?
https://certbot.eff.org/instructions?ws=nginx&os=snap&tab=wildcard
https://certbot-dns-cloudflare.readthedocs.io/en/stable/
https://bjornjohansen.com/wildcard-certificate-letsencrypt-cloudflare/

#assuming you have certbot installed already as above
sudo snap install certbot-dns-cloudflare

#get API key with DNS Zone edit rights from Cloudflare portal
sudo mkdir /root/.secrets/
sudo chmod 0700 /root/.secrets/
sudo chmod 0400 /root/.secrets/cloudflare.ini
sudo nano /root/.secrets/cloudflare.ini

Cloudflare API token used by Certbot

dns_cloudflare_api_token = 0123456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx123

sudo certbot certonly --dry-run --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini --domains *.[YOUR_DOMAIN]

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini --dns-cloudflare-propagation-seconds 15 --domains *[YOUR_DOMAIN]

#check if there is a crontab entry
systemctl list-timers