I’ve a laptop running NixOS 23.05 with both Firefox and Brave browsers that can both access WAN/Internet-based HTTPS servers but neither can access a local server on my LAN via HTTPS for which I have a cert.
I’ve unsuccessfully tried a number of things including the following lines in my configuration.nix
Quick question: is that my-server.crt a self-signed server certificate? Because that option is for installing CA certificates into the system trust store.
I already have the cert from my LAN-based server and don’t need to generate a new one. I’m trying to find how/where to import my local server’s cert into NixOS so NixOS-based browsers can access/use them.
However, I’m still very new to NixOS and especially the Nix language.
Am I to run this script unmodified to obtain test diagnostics? If so, do I use Nix or Nix-Env?
The browsers validate the server by checking if the cert. has been signed by a CA in the system “trust store”, which is a list of root CA certs.
If the server cert. is self-signed (not signed by any other root or non-root CA) it won’t validate and you get an error.
In some browsers you may be able to add an exception by pinning the fingerprint of the server certificate, but this is something you have to do manually and not every browser allows it.
What you should do instead is to generate a CA keypair, generate another keypair for the server and sign it using the CA. Then you add the CA to the trust store and browsers will validate the server as usual.
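The procedure from the reply above, sketched with the `openssl` CLI as an added example (not part of the original thread). The host name `my-server.lan`, the CA name and all file names are placeholders; on NixOS, `ca.crt` (never `ca.key`) is the file a trust-store option such as `security.pki.certificateFiles` takes.

```shell
#!/bin/sh
# Added example: private CA plus a CA-signed server certificate for a LAN host.
# Usage: make_lan_pki ./pki my-server.lan
#        chain_ok ./pki/ca.crt ./pki/server.crt my-server.lan

make_lan_pki() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    # Explicit request config so the result does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example LAN Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. CA key pair and self-signed CA certificate. ca.key stays offline;
    #    only ca.crt is distributed to client trust stores.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/req.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Separate key pair and signing request for the server.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/CN=$host" -keyout "$dir/server.key" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. The CA signs the request. Browsers match the host name against
    #    subjectAltName, so the SAN entry is required, not optional.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# Succeeds only if the certificate ($2) chains to the given CA ($1), is valid
# for TLS server use, and names the expected host ($3): the same checks a
# browser applies once the CA is in its trust store.
chain_ok() {
    openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" \
        >/dev/null 2>&1
}
```

The web server is then configured with `server.crt` and `server.key`, and `chain_ok` gives a quick check before touching any browser.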