SSL on ip-adresses: net::ERR_CERT_AUTHORITY_INVALID

[coderofsalvation]

  websocat -E -b -s --pkcs12-der ~/.websocat/q.pkcs12 0.0.0.0:9090 2>&i1 

I can connect succesfully on my local machine (from webpage https://localhost:8080/index.html with a websocket client)
However, when I load that same webpage on another device via its external ip (`https://192.168.0.44:8080/index.html), then the webbrowser fails and throws:

WebSocket connection to 'wss://192.168.0.44:9090/' failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID

This seems no issue when using real domains, certificates, or reverse/websocket proxies.
However, just out of intranet curiosity: is there an easy way to get websocat encryption with IP-adresses?

[vi]

How q.pkcs12 was obtained? Maybe it was generated from /etc/ssl/private/ssl-cert-snakeoil.key or was previously marked as trusted in that browser?

encryption

If you need just encryption (protection against passive attacks, but not against active connection proxying), then -k or a per-message encryption would suffice.

In any case the proper way to use TLS in intranet would be using your own CA and adding its certificate where needed across the intranet.

[coderofsalvation]

/etc/ssl/private/ssl-cert-snakeoil.key <--- 😆

sorry for providing incomplete info, here's how it was generated:

  test -f ~/.websocat/cert.pem && return 0
  mkdir ~/.websocat 2>/dev/null || true
  echo "--- generating temporary SSL certs (press enter to all questions) ---"
  openssl req -x509 -newkey rsa:2048 -new -nodes -keyout ~/.websocat/key.pem -out ~/.websocat/cert.pem -days 3650
  openssl pkcs12 -export -out ~/.websocat/q.pkcs12 -inkey ~/.websocat/key.pem -in ~/.websocat/cert.pem

[vi]

This looks like a simple self-signed certificate.

This:

I can connect succesfully on my local machine (from webpage https://localhost:8080/index.html with a websocket client)

looks suspicious. Browsers should not accept such certificates by default. Does it work from some other browser or from a fresh browser profile?

Or what do you mean by "a websocket client"?

[coderofsalvation]

apoligies, more info below:

• the actual shellscript I wrote: https://forgejo.isvery.ninja/xrsh/xrsh/src/branch/main/xrsh
• demovideo/context: https://xrsh.isvery.ninja/#Remote%20keyboard

shellscript is also testable by entering 'k' at https://xrsh.isvery.ninja/src/index.html