local (LAN only) no letsencrypt

Hi,
I’m trying to get Cozy installed on my LAN.
I basically followed the local install tutorial on a fresh Debian Buster but am getting stuck on coclyco.

I do NOT want Cozy to be reachable from outside the LAN
(nor do I even have that possibility, thank you CGNAT).

I have subdomains set up (*.cozy-deb.lan),
but when running coclyco create, it tries to register with Let’s Encrypt and fails for obvious reasons:
Cannot issue for "cozy.cozy-db.lan": Domain name does not end with a valid public suffix

Is there a way to run over HTTP (instead of HTTPS)?
Or have coclyco issue a self-signed certificate?

thanks!

PS: also, one level less in the DNS hierarchy would be appreciated. I now have
home.cozy.cozy-dev… drive.cozy.cozy-deb… etc.

Hello!

I do NOT want cozy to be reachable from outside the lan

Currently this is not a supported mode. You can achieve this if you want, but it requires a lot of hacks (self-signed certificate, custom CA deployed on devices…) and so we don’t provide support for this kind of setup. Coclyco is not usable in this mode either; you have to use cozy-stack directly.

Is there a way to run over HTTP (instead of HTTPS)?

No. For security reasons this mode is forbidden: Cozy requires secure cookies, which are only available over HTTPS.

also one level less in the DNS hierarchy would be appreciated. I now have
home.cozy.cozy-dev… drive.cozy.cozy-deb… etc.

This only depends on your setup. You could ask for creation directly under cozy-dev.lan, and so you get drive.cozy-dev.lan and so on. But this way you are limited to a single Cozy instance, which is definitely not the way Cozy is designed to work (one instance per person).

Hi, and thanks for the reply.
Well, it turns out the certificates were actually the easy part (just generate them with openssl and import the PEM as a CA into Chrome).

But I’ve run into more trouble with the konnectors/nsjail. Either they don’t run in a container, or something else is wrong (I even hacked out nsjail and ran Node.js directly), but I spent more time than I wanted on just getting Cozy up and running locally.

So I now have an instance on AWS. Could you tell me how I get a konnector installed so I can run it with a UI? (See also my other question on this forum.)

thanks for your help.

With a custom CA, node/konnectors/nsjail are broken and there is no easy fix to get them working, because Node hardcodes its CAs and doesn’t use the system ones.
https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file
This is not a mode we support out of the box.

Running konnectors inside containers is difficult too.
nsjail isolation technology also uses namespaces, and so you are in a “container-in-the-container” environment. The host needs to set the kernel.unprivileged_userns_clone=1 kernel parameter to allow this.
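
The two points above, the poster generating certificates with openssl and importing the PEM as a CA, and Aeris’s note that Node only picks up extra CAs through NODE_EXTRA_CA_CERTS, as an added example that is not code from the thread or from Cozy: a POSIX shell script that mints a private CA and a wildcard leaf for the poster’s LAN zone and then checks which hostnames that wildcard actually covers. It assumes openssl 1.1.1 or later on PATH; cozy-deb.lan is the zone from the thread and the file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or Cozy): private CA + wildcard leaf
# for a LAN zone, verified the way a browser or Node would verify it.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory
ZONE="cozy-deb.lan"            # the poster's LAN zone

# 1. Private CA. Only ca.pem is distributed to devices; ca.key stays offline.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=LAN test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# 2. Leaf for the zone and its wildcard, signed by the CA. Clients check the
#    subjectAltName entries, not the CN, so both names go into the SAN.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.$ZONE" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s,DNS:*.%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$ZONE" "$ZONE" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# 3. Chain checks: the leaf validates only when the private CA is the trust anchor.
verify_with_ca()    { openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1; }
verify_without_ca() { openssl verify "$WORK/leaf.pem" >/dev/null 2>&1; }

# 4. Hostname check: a wildcard matches exactly one DNS label.
covers() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_ca && make_leaf
echo "CA to import into devices: $WORK/ca.pem"
echo "For Node-based konnectors: NODE_EXTRA_CA_CERTS=$WORK/ca.pem"
```

The last check is the one worth noticing: a *.cozy-deb.lan wildcard covers drive.cozy-deb.lan but not home.cozy.cozy-deb.lan, so the extra DNS level the poster mentioned needs its own SAN entry or its own certificate.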

Hi Aeris,
Yes, thanks. I’ve given up on running a “fully local” Cozy.
So I now have a Cozy running on AWS.

I’m really struggling to get any data into my Cozy…
My next problem is that I can’t get a konnector loaded into it.

Is there a way to have a local “registry” (I’m okay with uploading code to a specific location on the server)? I also have an account on cozy.io, but I guess that’s even harder to do anything with.

thanks again.