From e6fc0aec2acb07a0510bc23932a314929a101586 Mon Sep 17 00:00:00 2001
From: SDGDen <sdgden@sdgcloud.nl>
Date: Mon, 9 Mar 2026 14:12:31 +0100
Subject: [PATCH] updated some post-install task writing, re-worked gencerts.sh
 entirely to use openSSL configuration files and V3 extensions for the certs.

---
 deploy.sh                  |  21 +++++--
 gencerts.sh                | 114 ++++++++++++++++++++++++++++++-------
 stacks/browser/compose.yml |   3 +-
 3 files changed, 110 insertions(+), 28 deletions(-)

diff --git a/deploy.sh b/deploy.sh
index 64a27d4..394c265 100644
--- a/deploy.sh
+++ b/deploy.sh
@@ -1058,6 +1058,8 @@ TP-LINK ROUTERS:
 use $publicip if you are forwarding port 53, or $localip if not.
 if you use $localip, the device will not have DNS outside of your local network.
 
+based on your configuration, you should probably use $dns_ip
+
 you only need to do this for devices that have a static ip address, devices that get their ip assigned via DHCP (which is default for most devices, especially wireless ones) get their DNS address from the router.
 
 WINDOWS:
@@ -1065,7 +1067,7 @@ WINDOWS:
 1. Open Network Settings (Win+I > Network & Internet)
 2. Select your connection (Wi-Fi/Ethernet)
 3. Click "Hardware properties" > "Edit" next to DNS
-4. Set manual DNS to $localip or $publicip
+4. Set manual DNS to $dns_ip
 5. Save changes
 
 MACOS:
@@ -1073,7 +1075,7 @@ MACOS:
 1. Open System Preferences > Network
 2. Select your connection
 3. Click "Advanced" > DNS tab
-4. Add $localip or $publicip to DNS servers
+4. Add $dns_ip to DNS servers
 5. Click "OK" > "Apply"
 
 LINUX (NETWORK MANAGER):
@@ -1082,7 +1084,7 @@ LINUX (NETWORK MANAGER):
    nm-connection-editor
 2. Select your connection
 3. Go to IPv4/IPv6 settings
-4. Set DNS to $localip or $publicip
+4. Set DNS to $dns_ip
 5. Save and restart connection
 
 ANDROID:
@@ -1091,14 +1093,14 @@ ANDROID:
 2. Long-press your network > Modify network
 3. Enable "Advanced options"
 4. Set IP to static
-5. Enter DNS as $localip or $publicip
+5. Enter DNS as $dns_ip
 
 IOS:
 ----
 1. Open Wi-Fi settings
 2. Tap (i) next to your network
 3. Configure DNS > Manual
-4. Add $localip or $publicip
+4. Add $dns_ip
 5. Save changes
 
 EOF
@@ -1219,6 +1221,15 @@ for the certificate key, use the wildcard.key file
 for the certificate, use the wildcard.crt file
 for the intermediate certificate, use the intermediate.crt file
 
+after this, go to the Hosts > proxy hosts tab and go through each of the hosts
+
+repeat for each host: 
+>go to the SSL tab
+>select your certificate
+>enable force SSL
+in the case of owncloud you may also want to enable HTTP/2 
+then hit save.
+
 
 because this certificate is not backed by a public certificate authority like letsencrypt, you have to manually trust the root cert on each device you want to use the cloud on, or deal with "certificate untrusted" warnings.
 
diff --git a/gencerts.sh b/gencerts.sh
index d01e963..b0472b3 100644
--- a/gencerts.sh
+++ b/gencerts.sh
@@ -1,64 +1,134 @@
 #!/bin/bash
-
-# Script to generate self-signed certificates for Nginx Proxy Manager
+# Script to generate modern self-signed certificates for Nginx Proxy Manager with OpenSSL v3 extensions
 
 # Prompt for domain
 read -p "Enter the domain for the certificates (e.g., example.com): " DOMAIN
-
 if [ -z "$DOMAIN" ]; then
     echo "Error: Domain not provided."
     exit 1
 fi
 
 CERTS_DIR="/opt/files/certs/"
-
-# Create certs directory if it doesn't exist
 mkdir -p "$CERTS_DIR"
 
+# Create OpenSSL configuration files
+cat > "$CERTS_DIR/openssl_root_ca.cnf" <<EOF
+[ req ]
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+prompt              = no
+string_mask         = utf8only
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+CN = $DOMAIN Root CA
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, keyCertSign, cRLSign
+EOF
+
+cat > "$CERTS_DIR/openssl_intermediate_ca.cnf" <<EOF
+[ req ]
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+prompt              = no
+string_mask         = utf8only
+
+[ req_distinguished_name ]
+CN = $DOMAIN Intermediate CA
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, keyCertSign, cRLSign
+EOF
+
+cat > "$CERTS_DIR/openssl_wildcard.cnf" <<EOF
+[ req ]
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+prompt              = no
+string_mask         = utf8only
+req_extensions      = v3_req
+
+[ req_distinguished_name ]
+CN = *.$DOMAIN
+
+[ v3_req ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = $DOMAIN
+DNS.2 = *.$DOMAIN
+EOF
+
 # Function to generate root CA
 generate_root_ca() {
     echo "Generating Root CA..."
     openssl genrsa -out "$CERTS_DIR/rootCA.key" 4096
-    openssl req -x509 -new -nodes -key "$CERTS_DIR/rootCA.key" -sha256 -days 3650 -out "$CERTS_DIR/rootCA.crt" -subj "/CN=$DOMAIN Root CA"
+    openssl req -x509 -new -nodes -key "$CERTS_DIR/rootCA.key" \
+        -sha256 -days 3650 -out "$CERTS_DIR/rootCA.crt" \
+        -config "$CERTS_DIR/openssl_root_ca.cnf" -extensions v3_ca
 }
 
 # Function to generate intermediate CA
 generate_intermediate_ca() {
     echo "Generating Intermediate CA..."
     openssl genrsa -out "$CERTS_DIR/intermediateCA.key" 4096
-    openssl req -new -key "$CERTS_DIR/intermediateCA.key" -out "$CERTS_DIR/intermediateCA.csr" -subj "/CN=$DOMAIN Intermediate CA"
-    openssl x509 -req -in "$CERTS_DIR/intermediateCA.csr" -CA "$CERTS_DIR/rootCA.crt" -CAkey "$CERTS_DIR/rootCA.key" -CAcreateserial -out "$CERTS_DIR/intermediateCA.crt" -days 3650 -sha256
+    openssl req -new -key "$CERTS_DIR/intermediateCA.key" \
+        -out "$CERTS_DIR/intermediateCA.csr" \
+        -config "$CERTS_DIR/openssl_intermediate_ca.cnf"
+    openssl x509 -req -in "$CERTS_DIR/intermediateCA.csr" \
+        -CA "$CERTS_DIR/rootCA.crt" -CAkey "$CERTS_DIR/rootCA.key" \
+        -CAcreateserial -out "$CERTS_DIR/intermediateCA.crt" \
+        -days 3650 -sha256 -extfile "$CERTS_DIR/openssl_intermediate_ca.cnf" \
+        -extensions v3_ca
 }
 
 # Function to generate wildcard certificate
 generate_wildcard_cert() {
     echo "Generating Wildcard Certificate..."
     openssl genrsa -out "$CERTS_DIR/wildcard.key" 4096
-    openssl req -new -key "$CERTS_DIR/wildcard.key" -out "$CERTS_DIR/wildcard.csr" -subj "/CN=*.$DOMAIN" -addext "subjectAltName = DNS:$DOMAIN,DNS:*.$DOMAIN"
-    openssl x509 -req -in "$CERTS_DIR/wildcard.csr" -CA "$CERTS_DIR/intermediateCA.crt" -CAkey "$CERTS_DIR/intermediateCA.key" -CAcreateserial -out "$CERTS_DIR/wildcard.crt" -days 3650 -sha256
+    openssl req -new -key "$CERTS_DIR/wildcard.key" \
+        -out "$CERTS_DIR/wildcard.csr" \
+        -config "$CERTS_DIR/openssl_wildcard.cnf"
+    openssl x509 -req -in "$CERTS_DIR/wildcard.csr" \
+        -CA "$CERTS_DIR/intermediateCA.crt" -CAkey "$CERTS_DIR/intermediateCA.key" \
+        -CAcreateserial -out "$CERTS_DIR/wildcard.crt" \
+        -days 3650 -sha256 -extfile "$CERTS_DIR/openssl_wildcard.cnf" \
+        -extensions v3_req
 }
 
 # Function to export certificates for cross-platform compatibility
 export_certs() {
     echo "Exporting certificates for cross-platform compatibility..."
-
     # Export root CA to .pfx (Windows)
-    openssl pkcs12 -export -out "$CERTS_DIR/rootCA.pfx" -inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
-
+    openssl pkcs12 -export -out "$CERTS_DIR/rootCA.pfx" \
+        -inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
     # Export intermediate CA to .pfx (Windows)
-    openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.pfx" -inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
-
+    openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.pfx" \
+        -inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
     # Export wildcard cert to .pfx (Windows)
-    openssl pkcs12 -export -out "$CERTS_DIR/wildcard.pfx" -inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
-
+    openssl pkcs12 -export -out "$CERTS_DIR/wildcard.pfx" \
+        -inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
     # Export root CA to .p12 (Cross-platform)
-    openssl pkcs12 -export -out "$CERTS_DIR/rootCA.p12" -inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
-
+    openssl pkcs12 -export -out "$CERTS_DIR/rootCA.p12" \
+        -inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
     # Export intermediate CA to .p12 (Cross-platform)
-    openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.p12" -inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
-
+    openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.p12" \
+        -inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
     # Export wildcard cert to .p12 (Cross-platform)
-    openssl pkcs12 -export -out "$CERTS_DIR/wildcard.p12" -inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
+    openssl pkcs12 -export -out "$CERTS_DIR/wildcard.p12" \
+        -inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
 }
 
 # Main script execution
diff --git a/stacks/browser/compose.yml b/stacks/browser/compose.yml
index 137788d..6b18e58 100644
--- a/stacks/browser/compose.yml
+++ b/stacks/browser/compose.yml
@@ -9,7 +9,8 @@ services:
     volumes:
       - /opt/stacks:/srv/stacks
       - /opt/stacks/jellyfin/media:/srv/media
-      - /opt/stacks/setup:/srv/setup
+      - /opt/stacks/setup/npmcertlist.txt:/srv/npm_cert_list.txt
+      - /opt/files:/srv/files
       - ./filebrowser.db:/database.db
     restart: unless-stopped
 networks: