Internal TLS: pin to a pre-generated self-signed cert
The previous attempt at supporting raw IPs in the Caddy site block relied on Caddy's auto-TLS issuing internal-CA certs for IPs, which is finicky and was still producing ERR_SSL_PROTOCOL_ERROR in the field. Switch to a deterministic pattern: at install time, generate a self-signed cert with SAN entries covering PIP_DOMAIN, every host IPv4, localhost, and 127.0.0.1. The Caddyfile binds :443 to that cert explicitly, so any address the operator hits gets a usable TLS handshake. Browsers still warn on the self-signed cert (the expected click-through) instead of refusing the connection at the protocol layer. Also add a :80 redirect block in internal mode so plain http:// URLs land on https:// automatically.
| Repository | cpatpa/PIP |
|---|---|
| Author | Claude <noreply@anthropic.com> |
| Authored | |
| Parents | 2c726b5f |
| Stats | 1 file changed, +59, -19 |
| Part of | Bare-metal installer + operator tooling |
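The install-time flow the commit message describes, as an added example that is not the PIP installer's own code: build a SAN list from PIP_DOMAIN, every host IPv4, localhost and 127.0.0.1, mint a self-signed cert with the openssl CLI, and write a Caddyfile that binds :443 to that cert and redirects :80 to https. The `ip` command for enumerating host addresses, the output paths, the `internal.crt`/`internal.key` file names and the `127.0.0.1:8080` upstream are assumptions, not taken from the repository.

```shell
#!/bin/sh
# Added example, not PIP's installer. Assumes: openssl >= 1.1.1 (for -addext),
# Linux `ip` for host IPv4s, and an app upstream on 127.0.0.1:8080.
set -eu

# san_list DOMAIN IP... -> "DNS:DOMAIN,DNS:localhost,IP:127.0.0.1,IP:a,IP:b"
# Duplicates are dropped so a host that reports 127.0.0.1 does not list it twice.
san_list() {
  domain=$1; shift
  sans="DNS:${domain},DNS:localhost,IP:127.0.0.1"
  for ip in "$@"; do
    case ",${sans}," in
      *",IP:${ip},"*) ;;
      *) sans="${sans},IP:${ip}" ;;
    esac
  done
  printf '%s\n' "$sans"
}

# host_ipv4s: every global-scope IPv4 on this machine (assumed: iproute2 `ip`)
host_ipv4s() {
  ip -4 -o addr show scope global 2>/dev/null | awk '{print $4}' | cut -d/ -f1
}

# gen_cert DOMAIN OUTDIR IP... : self-signed cert whose SAN covers DOMAIN,
# localhost, 127.0.0.1 and each IP. Browsers will warn (expected), but the
# handshake itself succeeds on any of those addresses.
gen_cert() {
  domain=$1; outdir=$2; shift 2
  sans=$(san_list "$domain" "$@")
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$outdir/internal.key" -out "$outdir/internal.crt" \
    -subj "/CN=${domain}" \
    -addext "subjectAltName=${sans}" >/dev/null 2>&1
  chmod 600 "$outdir/internal.key"
}

# cert_has_san CRT NAME : succeeds if NAME (e.g. "IP Address:10.0.0.5" or
# "DNS:localhost") appears in the certificate's subjectAltName extension.
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "$2"
}

# write_caddyfile PATH CRT KEY : :80 redirects to https, :443 serves the
# pre-generated cert explicitly instead of relying on auto-TLS for raw IPs.
write_caddyfile() {
  cat >"$1" <<EOF
# internal mode: plain http:// URLs land on https://
:80 {
    redir https://{host}{uri} permanent
}
# :443 is pinned to the pre-generated self-signed cert
:443 {
    tls $2 $3
    # assumed application upstream
    reverse_proxy 127.0.0.1:8080
}
EOF
}

# Usage: sh gen-internal-cert.sh install /etc/pip example.internal
if [ "${1:-}" = "install" ]; then
  mkdir -p "$2"
  gen_cert "$3" "$2" $(host_ipv4s)
  write_caddyfile "$2/Caddyfile" "$2/internal.crt" "$2/internal.key"
fi
```

Two things worth checking after running it: `openssl x509 -in internal.crt -noout -ext subjectAltName` should list every address an operator might type, and a host whose IPv4 changes after install will need the cert regenerated, since the SAN list is fixed at generation time.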