- Notifications
You must be signed in to change notification settings - Fork3.2k
feat: add support for selecting SSL key type (ECDSA/RSA)#4218
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:develop
Are you sure you want to change the base?
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Added the ability to specify the SSL key type (ECDSA or RSA) for each site in the Nginx Proxy Manager. This enhancement is particularly useful for environments with IoT devices that have limitations with specific key types, such as RSA-only support. The implementation includes:- Backend support for storing and validating the `ssl_key_type` field.- Swagger schema updated to validate the new input.- Frontend update to allow users to select the SSL key type via a dropdown menu.This feature ensures greater flexibility and compatibility in managing SSL certificates for diverse setups.
This reverts commit95a94a4.
fix ci test error
it's work truly :) |
this cipher suites need for old iot devices
Great work. Do you happen to have any automated commands that might test the feature? ie:
|
Thanks. Yes I think could be test with nmap but I work on Diffie-Hellman cipher support and another problem that we had for IOT devices. after that I add some automated test for this. Please hold on while I complete these. |
This pull request introduces features specifically designed to address common challenges with Embedded and IoT devices. The following updates have been made:
related issues |
the result supported ciphers |
mnr73 commentedDec 23, 2024 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
with this command we can see what is the SSL key type. rsa or ecdsa
or can use this command with openssl
|
Nice. I'll look at adding this in the next release, after the one I'm about to do today. |
Uh oh!
There was an error while loading.Please reload this page.
| @@ -0,0 +1,13 @@ | |||
| #!/usr/bin/env bash | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
This can be achieved using the S6 init scripts instead of adding another layer of initialization. However this might not be required here at all...
Can this file/etc/ssl/certs/dhparam.pem be generated at build time instead of run time?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
if generate this file in build time. it's be same for all user that use this and i think this is a security problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
ok maybe, but why would it be different for all users when they are all using the same docker image?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
The DH parameter file is used for secure key exchange, and having the same file for all users can compromise security. It’s recommended to generate a unique file per instance to ensure the security of each user’s connection.
Uh oh!
There was an error while loading.Please reload this page.
| /** |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
The default server thing doesn't work. Here's some thoughts:
- The file
./backend/templates/default.confsets the default site already, so turning it on for any host always causes an error and makes it "Offline" even when passing yourcheckDefaultServerNotExisttest below - The UI for this feature probably requires more review; having a switch on every host form isn't a great experience especially when trying to find out which host has it on already, as the error message doesn't tell you. I think the best place is to amend the existing Default Site setting form to allow selecting from one of the existing hosts as the default.
- Remove it from this PR; if you still want to do it, create a new PR and keep this one focussed on the SSL certificate type
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
The problem is that when I try to connect to the server with an IoT device, the connection fails. After some research, I found this command:
openssl s_client -connect :443
However, this command returns no response.
When I add a default server to one of the Nginx host configurations, everything works correctly. The above command returns a response, and the IoT device can connect to all the hosts configured in Nginx Proxy Manager.
so i add this feature and its work without any problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Right. Well it was implemented by another contributor a long time ago, that the default HTTPS host returns a bad cipher/ssl cert or something like that. There was a very good reason for that at the time.
The default-site config doesn't apply to HTTPS though, since any certificate assigned to that would always be invalid for a catch-all domain.
Is there no other way you can fetch the ciphers?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I understand that the certificate for a default server would always be invalid. However, I haven't found any other solution. Even when I manually configured Nginx (before switching to Nginx Proxy Manager), I spent a week troubleshooting this issue. Without setting a default server in one of the configurations, IoT devices simply cannot connect.
I believe this issue might be related to how SNI is handled.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
I think there is a problem in auto test. i test in local every thing was Ok. also revert all commit but it fail again. |
Docker Image for build 22 is available on Note: ensure you backup your NPM instance before testing this image! Especially if there are database changes |
localhost14 commentedApr 24, 2025
When will this be implemented? |
Lure5134 commentedMay 26, 2025
@jc21 Is there anything we can do for this pr so it gets merged? |
grzywek commentedJun 2, 2025
@mnr73 hello, I tested I believe to maintain consistency, option to select SSL Key Type should be also visible while creating certificate from the Certificates tab:
Maybe we should include the key type in the table to have a clear distinction:
and also here:
Thanks - that PR already helped me much 😊 |
Uh oh!
There was an error while loading.Please reload this page.
Added the ability to specify the SSL key type (ECDSA or RSA) for each site in the Nginx Proxy Manager. This enhancement is particularly useful for environments with IoT devices that have limitations with specific key types, such as RSA-only support. The implementation includes:
ssl_key_typefield.This feature ensures greater flexibility and compatibility in managing SSL certificates for diverse setups.
#3354