
Remote Opsi

Posted: 25 Jan 2026, 11:22
by siil-itman
We are testing the free version of Opsi right now with a view to a proper deployment if it ticks most of the boxes.

I've got the opsi-config server running on Debian 12 on our internal network.
I've set up the public DNS to point to our Nginx reverse proxy as per the details here.
I can access opsi.example.com:4447 from outside of our network and get the welcome page.
If I try to open opsi-configed, it comes up with a certificate error (unable to validate certificate) and asks about trusting the certificate. Clicking on "Always trust" or "Trust once" then states that it can't download the certificate from opsi.example.com:4447/ssl/ca-certs.pem and I can't log in.

How can I get around this? Do I need to tweak anything on the reverse proxy?

Re: Remote Opsi

Posted: 26 Jan 2026, 10:19
by j.schneider
OPSI uses its own certificate authority and certificate chain.
All OPSI components (opsi-client-agent, opsi-configed, opsi-depotserver, ...) will only trust the OPSI internal chain.

Have a look at the documentation for details:
https://docs.opsi.org/opsi-docs-en/4.3/ ... s/tls.html

In a setup with reverse proxy, I would recommend our extensions Let’s Encrypt or Custom-CA, see:
https://opsi.org/en/product/extensions

But if you want to tinker a bit, you can also use the certificates from the OPSI server (/etc/opsi/ssl) on the proxy.
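
The trust rule described in the reply above can be reproduced offline with OpenSSL. This is an added example, not part of the thread and not opsi code: the function names are hypothetical, and every key and certificate is throwaway material constructed by the script to stand in for the opsi CA and for a public CA on the proxy.

```shell
#!/usr/bin/env bash
# Added example. All PKI material below is constructed for the demo.

# chains_to_ca CA_PEM LEAF_PEM: succeeds only if LEAF_PEM validates against CA_PEM.
# -no-CApath keeps the system's default CA directory out of the decision.
chains_to_ca() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# fetch_presented HOST:PORT: print the leaf certificate a live endpoint presents
# (needs network access; not used by the offline demo below).
fetch_presented() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509
}

# make_demo_pki DIR: build two unrelated CAs ("opsi" and "public") and issue
# one leaf for opsi.example.com from each of them.
make_demo_pki() {
    local d=$1 ca
    for ca in opsi public; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed ${ca} CA" \
            -keyout "$d/${ca}-ca.key" -out "$d/${ca}-ca.pem" 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj "/CN=opsi.example.com" \
            -keyout "$d/${ca}-leaf.key" -out "$d/${ca}-leaf.csr" 2>/dev/null
        openssl x509 -req -in "$d/${ca}-leaf.csr" -days 1 \
            -CA "$d/${ca}-ca.pem" -CAkey "$d/${ca}-ca.key" -CAcreateserial \
            -out "$d/${ca}-leaf.pem" 2>/dev/null
    done
}

# Offline demo: a client that trusts only the opsi CA accepts the leaf issued
# by that CA and rejects the leaf issued by the unrelated public CA.
work=$(mktemp -d)
make_demo_pki "$work"
for leaf in opsi public; do
    if chains_to_ca "$work/opsi-ca.pem" "$work/${leaf}-leaf.pem"; then
        echo "${leaf} leaf: chains to the opsi CA"
    else
        echo "${leaf} leaf: rejected by a client that trusts only the opsi CA"
    fi
done
rm -rf "$work"
```

Against a real deployment, save the output of `fetch_presented` for the proxy's address and pass it to `chains_to_ca` together with the opsi CA certificate taken from the config server.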

Re: Remote Opsi

Posted: 26 Jan 2026, 12:55
by siil-itman
So I should copy the cert and key from the opsi config server and place them on my reverse proxy instead of the letsencrypt.

How do I find the password for the default CA key it generates?