Fix SSL certificate generation for HTTPS mode

- wizard/setup now generate certs when HTTPS enabled - app.py has proper error handling for cert failures - Add custom SSL certificate documentation to INSTALL.md - Include SANs for hostname, localhost, and local IP Previously HTTPS could be enabled but certs weren't generated, causing SSL_ERROR_RX_RECORD_TOO_LONG browser errors. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-05 22:16:12 -05:00
parent 597a9c6411
commit 962c04084b
4 changed files with 145 additions and 3 deletions
--- a/rpi/first-boot-wizard.sh
+++ b/rpi/first-boot-wizard.sh
@@ -279,6 +279,32 @@ EOF
 "
 gum style --foreground 82 "✓ Service configured"

+# Generate SSL certificates if HTTPS enabled
+if [ "$ENABLE_HTTPS" = "true" ]; then
+  gum spin --spinner dot --title "Generating SSL certificates..." -- bash -c "
+    CERT_DIR='$INSTALL_DIR/frontends/web/certs'
+    mkdir -p \"\$CERT_DIR\"
+
+    # Get local IP for SAN
+    LOCAL_IP=\$(hostname -I | awk '{print \$1}')
+    HOSTNAME=\$(hostname)
+
+    # Generate cert with SANs for IP, hostname, and localhost
+    openssl req -x509 -newkey rsa:2048 \
+      -keyout \"\$CERT_DIR/server.key\" \
+      -out \"\$CERT_DIR/server.crt\" \
+      -days 365 -nodes \
+      -subj \"/O=Stegasoo/CN=\$HOSTNAME\" \
+      -addext \"subjectAltName=DNS:\$HOSTNAME,DNS:\$HOSTNAME.local,DNS:localhost,IP:\$LOCAL_IP,IP:127.0.0.1\" \
+      2>/dev/null
+
+    # Fix permissions
+    chmod 600 \"\$CERT_DIR/server.key\"
+    chown -R $STEGASOO_USER:\$(id -gn $STEGASOO_USER) \"\$CERT_DIR\"
+  "
+  gum style --foreground 82 "✓ SSL certificates generated"
+fi
+
 # Setup port 443 if requested
 if [ "$USE_PORT_443" = "true" ]; then
  gum spin --spinner dot --title "Setting up port 443 redirect..." -- bash -c "
--- a/rpi/setup.sh
+++ b/rpi/setup.sh
@@ -465,6 +465,31 @@ RestartSec=5
 WantedBy=multi-user.target
 EOF

+# Generate SSL certificates if HTTPS enabled
+if [ "$ENABLE_HTTPS" = "true" ]; then
+    echo "  Generating SSL certificates..."
+    CERT_DIR="$INSTALL_DIR/frontends/web/certs"
+    mkdir -p "$CERT_DIR"
+
+    # Get local IP for SAN
+    LOCAL_IP=$(hostname -I | awk '{print $1}')
+    PI_HOSTNAME=$(hostname)
+
+    # Generate cert with SANs for IP, hostname, and localhost
+    openssl req -x509 -newkey rsa:2048 \
+      -keyout "$CERT_DIR/server.key" \
+      -out "$CERT_DIR/server.crt" \
+      -days 365 -nodes \
+      -subj "/O=Stegasoo/CN=$PI_HOSTNAME" \
+      -addext "subjectAltName=DNS:$PI_HOSTNAME,DNS:$PI_HOSTNAME.local,DNS:localhost,IP:$LOCAL_IP,IP:127.0.0.1" \
+      2>/dev/null
+
+    # Fix permissions
+    chmod 600 "$CERT_DIR/server.key"
+    chown -R "$USER:$USER" "$CERT_DIR"
+    echo -e "  ${GREEN}✓${NC} SSL certificates generated"
+fi
+
 # Setup port 443 redirect if requested
 if [ "$USE_PORT_443" = "true" ]; then
    echo "  Setting up port 443 redirect..."