2

I'm developing a bat detector and I've set up the Raspberry Pi to operate its own Apache Web server on its own access point. The idea is that client devices can then connect to the access point to access the detector's features.

However, since the web server is running on http certain browsers are blocking some javascript code e.g. geolocation.

Things tried so far:

  • When I looked into LetsEncrypt I thought I could spoof a DNS entry in the /etc/hosts file to prove ownership of a domain and have a certificate created for that, however, this is not the case.
  • I've setup self-signed SSL certificates but these are not trusted by devices which connect to the Pi.

There is a similar question at https://www.raspberrypi.org/forums/viewtopic.php?t=195822 however one of its solutions, getting a certificate for a domain that I have registered somewhere else, will not work for me since I don't have any domains.

I was wondering since the Pis is an access point can I spoof a DNS entry of a certificate authority to get a certificate to work?

Are there any ways to give an internal web server operating on the access point is own SSL certificate which connected devices will trust?

I'm at a loss of how to deal with this. I'd prefer to have an SSL certificate over implementing workarounds in javascript for the blocked APIs. However, it looks like I may have to do that.

Improve this question
9
  • Can you add a trusted certificate to the devices trying to connect? That's the proper way to do it, I believe. Even if you spoof the DNS, nobody's going to give you the private key for their domain 🙂 Commented Apr 14, 2019 at 14:19
  • Also, do you need this to be secure? Isn't knowing the access point's password enough? Commented Apr 14, 2019 at 14:20
  • @MarkSmith While technically possible, the idea would be anyone could easily connect to the device. Requiring them to add a trusted certificate would put them through a lot of hoops. Unless there is a simple way to add certificates? From my perspective it dosn't have to be secure however Chrome needs it to be to access some javascript APIs Commented Apr 14, 2019 at 14:44
  • Use letsencrypt. The installer scripts for that do everything you need and you don't have to think about it. Commented Apr 14, 2019 at 17:41
  • @Dougie Will letsencrypy work without a domain registration? Surely they won't let you create certs for any arbitrary domain? Commented Apr 14, 2019 at 19:09

1 Answer 1

Reset to default
1

As I wrote in my answer to "Google Chrome's 'secure context' on a LAN?" on Stack Overflow, there are two ways to go about this. You may find one of them more practical than the other based on your personal tradeoff between time and money.

  • A. Operate a private internal certificate authority (CA) using OpenSSL or other CA software and use it to issue a certificate for your web server within a private internal domain name. The client devices will trust the certificates once you install this CA's root certificate on all client devices that will be accessing your server.
  • B. Purchase a domain name and DNS hosting and use the ACME dns-01 challenge to prove your ownership of this domain name to Let's Encrypt.

It may be possible to complete option B without payment by using a dynamic DNS provider that advertises itself as Let's Encrypt friendly. Look for a provider that offers TXT (the DNS record type used by the ACME dns-01 challenge) and PSL (Public Suffix List, used by Let's Encrypt rate limiting). As of second quarter 2020, Duck DNS was one such provider.

Improve this answer
1
  • Let's Encrypt and using certbot to keep the certificate updated is preferable, but worth mentioning you will need either a fixed IP or configure dyndns to keep your domain registration pointing to the right address from the provider/hosting service. Commented May 6, 2023 at 8:05

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.