I recently generated a self-signed cert to use with NGINX via its GUI.

  1. Generate cert and key
  2. Upload these via the GUI
  3. Apply to each Proxy Host

Now when I visit my internal sites (e.g., jellyfin.home) I get a warning (because this cert is not signed by a trusted CA) but the connection is https.

My question is, does this mean that my connection is fully encrypted from my client (e.g., my laptop) to my server hosting Jellyfin? I understand that when I go to jellyfin.home, my PiHole resolves this to NGINX, then NGINX completes the connection to the IP:port it has configured and uses the cert it has assigned to this proxy host, but the Jellyfin server itself does not have any certs installed on it.
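The setup described in the question, as an added example that is not part of the original post: a plain NGINX server block (the equivalent of what NGINX Proxy Manager generates for a Proxy Host) showing that TLS ends at the proxy, and that the second hop to Jellyfin is only encrypted if the proxy is told to use https on the way out. The backend address 10.0.0.5, port 8096 (Jellyfin's default HTTP port) and the certificate paths are placeholders.

```nginx
# Hop 1: laptop -> NGINX. This is the hop the browser warning is about;
# the self-signed cert protects only this leg.
server {
    listen 443 ssl http2;
    server_name jellyfin.home;

    # Placeholder paths; NPM stores its uploaded custom certs elsewhere.
    ssl_certificate     /etc/nginx/certs/jellyfin.home.crt;
    ssl_certificate_key /etc/nginx/certs/jellyfin.home.key;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # Hop 2: NGINX -> Jellyfin. With a plain http:// upstream this leg
        # is cleartext on your LAN, even though the browser shows https.
        proxy_pass http://10.0.0.5:8096;
    }
}

# Variant: encrypt hop 2 as well. This requires Jellyfin itself to serve
# TLS (its own cert), and NGINX to verify that cert rather than accept any.
server {
    listen 443 ssl http2;
    server_name jellyfin-e2e.home;   # placeholder name for the variant

    ssl_certificate     /etc/nginx/certs/jellyfin.home.crt;
    ssl_certificate_key /etc/nginx/certs/jellyfin.home.key;

    location / {
        proxy_set_header Host $host;

        proxy_pass https://10.0.0.5:8920;               # Jellyfin HTTPS port
        proxy_ssl_server_name on;                        # send SNI upstream
        proxy_ssl_name jellyfin.home;                    # name to verify
        proxy_ssl_verify on;                             # reject unknown certs
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.crt;
    }
}
```

Without `proxy_ssl_verify on` and a trusted CA file, NGINX would still encrypt the second hop but accept any certificate the upstream presents, so the verification lines are what make the backend leg actually authenticated.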

  • N0x0n · 5 days ago (edited)

    https://we.tl/t-JuecCJUxc0

    This is an extract from "Demystifying Cryptography with OpenSSL 3.0: Discover the best techniques to enhance your network security with OpenSSL 3.0"! It's really a good read and helped me to make a secure and self-signed certificate environment. In this example though he uses the Ed448 algorithm which won't work on most browsers (if any…).

    Last year when I followed this tutorial I also tried with EdDSA with Curve25519, but here too TLS wasn't working and the certificate just got rejected by Firefox. See here! It seems resolved though, so you can give it a shot :).

    Else just fall down to RSA and longer keys. Why? Just to quote something else from the book:

    NIST curves are developed by NSA and standardized by NIST. Brainpool curves are proposed by the Brainpool workgroup, a group of cryptographers that were dissatisfied with NIST curves because NIST curves were not verifiably randomly generated, so they may have intentionally or accidentally weak security.

    Hope it helps :)