[QUESTION] Something related to the status check of self-signed https services #1547

Closed
4 tasks done
qhgary opened this issue Apr 24, 2024 · 19 comments
Labels
🤷‍♂️ Question [ISSUE] Further information is requested

qhgary commented Apr 24, 2024

Question

This is the best dashboard project for personal use, and I can’t drop it after my first try. Thanks a lot to the author.
There’s one small problem I encountered when I added the status check to the appconfig.

Those http services can be successfully checked with no problem, but those https services cannot. There’s a prompt “UNABLE_TO_VERIFY_LEAF_SIGNATURE” when I move the mouse over the item.

I run dashy on my own local network, on which there are my other local services. I used a self-signed signature to enable secure access. Should I import the pub key to dashy, and how? I can’t find the solution in the doc.

Category

Status Checking

Please tick the boxes

@qhgary qhgary added the 🤷‍♂️ Question [ISSUE] Further information is requested label Apr 24, 2024
@qhgary qhgary changed the title [QUESTION] Something related to self-signed https service check [QUESTION] Something related to the status check of self-signed https services Apr 24, 2024
@CrazyWolf13
Collaborator

Hi
Will look into this as well and test for myself.

But I really, really strongly suggest you look into nginxproxymanager or any other similar reverse proxy; they can manage certificate renewal and automatically add them to all your services.

But here is the part in the docs that explains how to add an SSL cert:
https://dashy.to/docs/management/#auto-ssl

@qhgary
Author

qhgary commented Apr 24, 2024

cert:

Let me clarify one thing:
I’d like to use dashy to check the other https services rather than accessing dashy via https.

Say, there’s one https service accessed via https://emby.nas (it will be redirected to http://192.168.0.2:xxxx).
I’ve generated a self-signed CA root and signed it.
What I’d like to know is how I can import the pub key into dashy to enable the status check of https://emby.nas. It seems the default setting can’t enable dashy to check it. But when I fill in “http://192.168.0.2:xxxx” in the status check url, there’s no problem.

There’s no problem in my local dns and I’ve already checked it. There are dozens of items like this, so I can’t fill in all the IPs one by one and I may also change the IP in the future.

I can also open “https://emby.nas” using the browser on my computer after importing the CA pub key into my computer. So the CA cert is also OK and I just need to know how to import it into dashy to enable it to check the other https services on my local network.

Thanks a lot; looking forward to your response.

@liss-bot liss-bot added the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label Apr 24, 2024
@CrazyWolf13
Collaborator

If you can verify dns works then you can add this option:
statusCheckAllowInsecure: true

As described here:
https://dashy.to/docs/status-indicators/

@qhgary
Author

qhgary commented Apr 24, 2024

> If you can verify dns works then you can add this option: statusCheckAllowInsecure: true
>
> As described here: https://dashy.to/docs/status-indicators/

It seems that the option is for http rather than https? The HTTPS which I wanna check is self-signed using my CA. And those HTTPS can be accessed via PC browser after importing self-signed CA pub key.

This is what I see in the doc you gave:
“If the URL you are checking has an unsigned certificate, or is not using HTTPS, then you may need to disable the rejection of insecure requests. This can be done by setting statusCheckAllowInsecure to true for a given item.”

@qhgary
Author

qhgary commented Apr 24, 2024

Good news. I've partially resolved it!
Just export NODE_EXTRA_CA_CERTS=/path/to/file/selfsigned-CA.pem

All the https services can be checked now, terrific!

But there's only one https service that failed: jackett!
I've no idea what the reason is; the service is OK and can be opened successfully by clicking (local address: https://jackett.nas). So I think there's no problem with my local DNS or the https service itself. But the status check is failing with a prompt like "ERR_FR_TOO_MANY_REDIRECTS".

What does it mean? How to resolve it?

@CrazyWolf13
Collaborator

CrazyWolf13 commented Apr 24, 2024

> What does it mean? How to resolve it?

That should be fairly straightforward: in the UI editor there is an option for redirects; you can set it to a higher number like 10 and test again.

https://dashy.to/docs/configuring/#sectionitem

It means the site redirected a bit more than dashy allows, but this can easily be set higher.

@CrazyWolf13
Collaborator

> > If you can verify dns works then you can add this option: statusCheckAllowInsecure: true
> >
> > As described here: https://dashy.to/docs/status-indicators/
>
> It seems that the option is for http rather than https? The HTTPS which I wanna check is self-signed using my CA. And those HTTPS can be accessed via PC browser after importing self-signed CA pub key.
>
> This is what I see in the doc you gave:
> “If the URL you are checking has an unsigned certificate, or is not using HTTPS, then you may need to disable the rejection of insecure requests. This can be done by setting statusCheckAllowInsecure to true for a given item.”

That is not correct.
A lot of services include self-signed certs, for example pfSense and Portainer. Those certs are not signed by anyone, so the browser shows a message when visiting the service (unsecure connection or so), even if it is https. And if you run on http, you can also enable this function to allow dashy to check those.

@qhgary qhgary closed this as completed Apr 24, 2024
@liss-bot liss-bot removed the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label Apr 24, 2024
@qhgary
Author

qhgary commented Apr 24, 2024

> > What does it mean? How to resolve it?
>
> That should be fairly straightforward: in the UI editor there is an option for redirects; you can set it to a higher number like 10 and test again.
>
> https://dashy.to/docs/configuring/#sectionitem
>
> It means the site redirected a bit more than dashy allows, but this can easily be set higher.

I cannot find how to modify it in the UI so I tried to modify the config.yml instead.
image

Do you mean modify it like this? But the validator shows an error: "should not have additional property: statusCheckMaxRedirects"

    {
        "title": "jackett",
        "icon": "hl-jackett",
        "url": "https://jackett.nas",
        "statusCheckMaxRedirects": 10,
        "id": "2_851_jackett"
    },

@CrazyWolf13
Collaborator

You first have to click enable status check in the UI, then the option should appear :).

@qhgary
Author

qhgary commented Apr 24, 2024

> You first have to click enable status check in the UI, then the option should appear :).

And in fact the appConfig already sets status check to default; should I click "enable status check" again to enable the "statusCheckMaxRedirects" option?
Then,
I clicked "enable status check"
saved it to the file
rebuilt the project
opened it again
there's "enable status check", but no "statusCheckMaxRedirects" option

image

@CrazyWolf13
Collaborator

Let me test this, will get to this in 2 hours when I'm home. There should actually be an option, have used it myself.

@CrazyWolf13
Collaborator

For me it looks like this:
To be honest, not fully sure why you are not seeing those options, are you running the latest dashy?

@Lissy93 Have you got any idea here?

image

@CrazyWolf13 CrazyWolf13 reopened this Apr 24, 2024
@qhgary
Author

qhgary commented Apr 24, 2024

It's very strange that although I wrote the "latest" tag in the docker-compose file, I still pulled the wrong version, which is not 3.0.0.
I changed the "latest" tag to 3.0.0 and the "status check - Max Redirects" option appears now.

But the jackett problem still exists, even though I changed the number to 10. I got the "ERR_FR_TOO_MANY_REDIRECTS" prompt when I put the cursor over the item. When I click the item, there's no problem opening jackett.

Or, is there any method by which I get a green light even though I got the "ERR_FR_TOO_MANY_REDIRECTS" error, i.e. just ignore this specific error?

@liss-bot liss-bot added the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label Apr 24, 2024
@CrazyWolf13
Collaborator

Hmm, good to see that the option is now there.

Is there any specific subpath you need to take when entering jackett?

Like jackett.nas/login; if so, then change the status check URL.

Can you inspect and write what HTML code you get in your browser when you are not logged into jackett, e.g. what happens when a not-logged-in user visits jackett.nas? Can you see a green 200 OK in developer tools -> network tab -> reload the page?
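
One way to run the check suggested above outside the browser, as an added example that is not part of the original thread or Dashy's code: it follows redirects one hop at a time and reports whether the chain ends, exceeds the limit, or revisits a URL, in which case a higher Max Redirects value cannot help. `traceRedirects`, `fetchHop` and the `svc.example` responses are hypothetical and constructed for illustration (they do not describe Jackett's actual behaviour); the global `fetch` needs Node.js 18 or later.

```javascript
// Added example: follow redirects hop by hop and classify the outcome.
async function fetchHop(url) {
  // redirect: 'manual' hands back the 3xx response itself (Node.js 18+ fetch).
  const res = await fetch(url, { redirect: 'manual' });
  return { status: res.status, location: res.headers.get('location') };
}

async function traceRedirects(startUrl, maxHops = 10, hop = fetchHop) {
  const chain = [];
  const seen = new Set();
  let url = startUrl;
  for (let i = 0; i <= maxHops; i++) {
    // Revisiting a URL means a loop: no redirect limit is high enough.
    if (seen.has(url)) return { verdict: 'loop', repeated: url, chain };
    seen.add(url);
    const { status, location } = await hop(url);
    chain.push({ url, status });
    if (status < 300 || status >= 400 || !location) {
      return { verdict: 'final', status, chain };
    }
    url = new URL(location, url).href; // Location may be relative
  }
  return { verdict: 'limit', chain }; // long chain: raising the limit may help
}

// Constructed responses (not captured from any real service): a client that
// sends no session cookie is bounced between two pages.
const SAMPLE = {
  'https://svc.example/': { status: 302, location: '/login' },
  'https://svc.example/login': { status: 302, location: '/start?next=login' },
  'https://svc.example/start?next=login': { status: 302, location: '/login' },
  'https://svc.example/health': { status: 200, location: null },
};
const sampleHop = async (url) => SAMPLE[url];

traceRedirects('https://svc.example/', 10, sampleHop)
  .then((r) => console.log(r.verdict, r.chain.map((h) => `${h.status} ${h.url}`)));
```

Against a real service, call `traceRedirects(url)` with the default `fetchHop`; the first non-redirect URL in the chain is the candidate for the status check URL.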

@liss-bot liss-bot removed the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label Apr 26, 2024
@qhgary
Author

qhgary commented Apr 27, 2024

good idea!

@qhgary qhgary closed this as completed Apr 27, 2024
@liss-bot liss-bot added 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending and removed 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending labels Apr 27, 2024
@rmdes

rmdes commented Jul 3, 2024

> NODE_EXTRA_CA_CERTS=/path/to/file/selfsigned-CA.pem

Where do you put this in a docker-compose context?

@slaszt

slaszt commented Jul 14, 2024

> > NODE_EXTRA_CA_CERTS=/path/to/file/selfsigned-CA.pem
>
> Where do you put this in a docker-compose context?

First of all, you need to mount the certificate files inside the container.

Say that you have your certs at /etc/ssl/certs on your local machine. You need to put a line in your docker-compose.yml under the volumes section to mount that directory inside the container.

Next, you need to declare the environment variable and set its value under the environment section.

Here is an example:

services:
    dashy:
        image: ghcr.io/lissy93/dashy
        container_name: dashy
        volumes:
            - /etc/ssl/certs:/app/user-data/certs
        environment:
            - NODE_EXTRA_CA_CERTS=/app/user-data/certs/selfsigned-CA.pem
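
A preflight check for the setup above, as an added example that is not part of the original thread or Dashy's own code: Node.js reads NODE_EXTRA_CA_CERTS once at process start and only emits a warning if the file is missing or malformed, so this script, run inside the container, confirms that the mounted file is a readable PEM CA certificate rather than a key or a leaf certificate. The function name `checkExtraCaFile` is hypothetical, and `X509Certificate.ca` needs Node.js 18 or later.

```javascript
// Added example: preflight check for the file named by NODE_EXTRA_CA_CERTS.
// Node only emits a one-time warning when that file is missing or malformed,
// so a bad mount or the wrong file otherwise fails silently.
const fs = require('node:fs');
const { X509Certificate } = require('node:crypto');

const CERT_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

function checkExtraCaFile(file, now = new Date()) {
  if (!file) return { ok: false, problems: ['NODE_EXTRA_CA_CERTS is not set'] };
  let text;
  try {
    text = fs.readFileSync(file, 'utf8');
  } catch (err) {
    // Typical in a container when the volume or path is wrong.
    return { ok: false, problems: [`cannot read ${file}: ${err.code}`] };
  }
  const problems = [];
  const blocks = text.match(CERT_BLOCK) || [];
  if (blocks.length === 0) {
    problems.push(/-----BEGIN [A-Z ]*KEY-----/.test(text)
      ? 'file contains a key, not a certificate'
      : 'no PEM certificate found (DER-encoded or empty file?)');
  }
  for (const pem of blocks) {
    let cert;
    try {
      cert = new X509Certificate(pem);
    } catch {
      problems.push('certificate block does not parse');
      continue;
    }
    const name = (cert.subject || '').replace(/\n/g, ', ');
    // A leaf certificate cannot vouch for the other services' certificates.
    if (!cert.ca) problems.push(`${name}: not a CA certificate`);
    if (new Date(cert.validTo) < now) problems.push(`${name}: expired ${cert.validTo}`);
  }
  return { ok: problems.length === 0, certificates: blocks.length, problems };
}

// Run inside the container, e.g. `node check-ca.js` (file name is illustrative).
console.log(checkExtraCaFile(process.env.NODE_EXTRA_CA_CERTS));
```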
