Comment on How do I securely host Jellyfin? (Part 2)
litchralee@sh.itjust.works 1 week ago
I previously proffered some information in the first thread.
But there’s something I wish to clarify about self-signed certificates, for the benefit of everyone. Irrespective of whichever certificate store an app uses – either its own or the one maintained by the OS – the CA/Browser Forum, which maintains the standards for public certificates, prohibits issuance of TLS certificates for reserved IPv4 or IPv6 addresses, among others. See Section 4.2.2.
This is because those addresses will resolve to different machines on different networks, whereas a certificate for a global-scope IP address is fine because it should resolve to the same destination. If certificate authorities won’t issue certs for private IP addresses, there’s a good chance that apps won’t tolerate such certs either. Nor should they, for precisely the reason given above.
A proper self-signed cert – either for a domain name or a global-scope IP address – does not create any MITM issues as long as the certificate was manually confirmed the first time and added to the trust. Thereafter, only a bona fide MITM attack would raise an alarm, the same as if a MITM attacker tries to impersonate any other domain name. SSH is the most similar, where trust-on-first-connection is the norm, not the outlier.
There are safe ways to use self-signed certificates. People should not discard that option so wantonly.
catloaf@lemm.ee 1 week ago
It sounds like the clients do not have the ability to manually trust a self-signed cert.
N0x0n@lemmy.ml 1 week ago
I don’t get that… What or where?
I have a self-signed SSL certificate and intermediate CA installed on all my devices and it works flawlessly with every application that accepts those (on Android the manifest.XML has to allow user-based certificates, which it does in most cases).
One exception on Android was the use of MPV, which doesn’t do that and never will? However, the web player video type from the official application works without issues…
I have Navidrome, Jellyfin, Ironfox, LibreTube, KOReader, Findroid… All work flawlessly with self-signed certs!
The issue here (as said in the second post of his linked Jellyfin post) is that they need a reverse proxy that takes care of the SSL handshake, and not Jellyfin directly. So OP was missing a lot of good information in their first post…
catloaf@lemm.ee 1 week ago
If it’s signed by an intermediate CA, then it’s not self-signed.
N0x0n@lemmy.ml 1 week ago
Huh? Yeah it is… It’s a self-signed intermediate CA, signed by a self-signed rootCA.
In my case a mini CA in my LAN.