Setting up nginx reverse proxy

I am trying to set up an nginx reverse proxy and I used nginx-util add_ssl myserver to add SSL capability.

It dutifully "Created self-signed SSL certificate" as myserver.crt, but that certificate seems to be a copy of OpenWrt's own certificate, as I can see:

Subject: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrtAE6672445A9BB5DA

which is not for "myserver", and "recreating" it from scratch actually produces the same .crt, so I suspect it just copies it from somewhere.

What am I missing?

I don't (currently) care for a properly signed certificate as this should just provide end-to-end security between two endpoints; later I will probably need to learn how to interact with ACME, but for now I should "just" need to get the right "Subject:".

Is it pulling them from here?

I'm not sure.
Some fields seem identical, but others (e.g. "O"rganization) seem computed somehow.

Maybe there is something in /etc/ssl/ ?

In /etc/ssl/ I have standard OpenWrt stuff, nothing more.

The question is: is nginx-util add_ssl supposed to provide a certificate/key with the right Common Name for the site (which is not LuCI)?

Apparently it doesn't and I see no way to force it to comply.

I (should) know how to use openssl to handle certificates, but I tried to use OpenWrt facilities, if possible. I confess I have lots of trouble finding what I need in docs (and to follow instructions after I find the relevant section).

I don't have experience with nginx-util, but the bottom line is that you can create the certificate with openssl if it doesn't work for you, and you don't need to be limited to OpenWrt only: you can create it anywhere.

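Doing what the reply above suggests with openssl directly, as an added example that is not from this thread and is not part of nginx-util: the site name "myserver" and the output directory are assumptions, and the script needs OpenSSL 1.1.1 or newer for -addext. It generates the key and certificate with the site's own CN and SAN, then reads both back so you can confirm the "Subject:" is the one you wanted.

```shell
#!/bin/sh
# Create a self-signed certificate whose Subject CN (and SAN) is the site name,
# then read both fields back so the result can be checked.
set -eu

# make_site_cert <hostname> <outdir>
# Writes <outdir>/<hostname>.key and <outdir>/<hostname>.crt.
# The private key is written unencrypted (-nodes) so nginx can load it, so keep it 0600.
make_site_cert() {
    host="$1"
    outdir="$2"
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host"
    chmod 600 "$outdir/$host.key"
}

# cert_cn <crtfile>: print the CN from the certificate's Subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_has_san <crtfile> <hostname>: succeed only if DNS:<hostname> is in the
# subjectAltName extension, which modern clients check instead of the CN
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Example run with the constructed site name "myserver" in a temporary directory
tmp=$(mktemp -d)
make_site_cert myserver "$tmp"
echo "Subject CN: $(cert_cn "$tmp/myserver.crt")"   # prints "Subject CN: myserver"
cert_has_san "$tmp/myserver.crt" myserver && echo "SAN contains DNS:myserver"
```

Point nginx's ssl_certificate and ssl_certificate_key at the generated .crt and .key, and install the .crt in the trust store of the client that talks to the proxy rather than turning certificate verification off.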

I use xca, which is available for Windows and Linux, as a GUI frontend to OpenSSL certificate functions.

Best security practice is not to have the reverse proxy handling certificates. You don't want the certificate private key stored on a machine that is directly exposed to the Internet. Either the individual servers behind the proxy sign for their own sites, or for large sites a certificate server is used.