I had a user contact me stating that they got the following message pop up on their computer:
For context, we have Seafile deployed (raw, as in not through Docker), with an expired SSL certificate. However, it is accessed through an Nginx proxy that keeps renewing its certificate with Let's Encrypt every 3 months.
I want to figure out what our actual certificate should show up as in the app, but have the following questions:
Is there a way to get the app to show what it thinks the fingerprint is? It would be great if I could just get the fingerprint from my client, and check it against what that message says is the current one.
If there isn’t a way, can I somehow determine what the fingerprint should be? Judging by the length of the fingerprints, it looks like they are MD5 hashes which I generated with:

```
openssl x509 \
  -noout \
  -fingerprint \
  -md5 \
  -inform pem \
  -in /path/to/cert.pem
```
I did try with sha1 and sha256 but they both produced fingerprints that were noticeably longer than what showed in the popup.
If that is the right command, it leads onto my next question, which is should I be performing that on the “fullchain.pem” file that one would get (which contains both the site certificate and the CA), or just the site certificate? Likewise, I take it that it is only using the certificates from the Nginx proxy server, and not the underlying backend Seafile server?
Unfortunately, since it appears to be an MD5, it looks like I can’t use the fingerprints I get back from looking at them in my browser like below:
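
An added example, not part of the original post: it computes the MD5, SHA-1 and SHA-256 fingerprints of the first certificate in a fullchain-style PEM file and maps a displayed fingerprint to a digest by its length. The function names are hypothetical and the two self-signed certificates are constructed sample data standing in for a site certificate and a CA certificate; it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample certs are constructed.

# Fingerprint of the FIRST certificate in a PEM file. `openssl x509` reads only
# the first PEM block, which in a fullchain.pem is the site (leaf) certificate.
leaf_fingerprint() {   # usage: leaf_fingerprint <md5|sha1|sha256> <pem-file>
    openssl x509 -noout -fingerprint "-$1" -inform pem -in "$2" | cut -d= -f2
}

# Fingerprint of the certificate a TLS endpoint actually presents. When TLS
# terminates at a reverse proxy, this is the proxy's certificate.
# Needs network access, so it is defined here but not called.
served_fingerprint() { # usage: served_fingerprint <digest> <host> [port]
    openssl s_client -connect "$2:${3:-443}" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint "-$1" | cut -d= -f2
}

# Identify the digest from the number of hex characters in a fingerprint:
# MD5 = 16 bytes, SHA-1 = 20 bytes, SHA-256 = 32 bytes.
digest_for() {         # usage: digest_for <AA:BB:...>
    hex=$(printf '%s' "$1" | tr -d ':[:space:]')
    case ${#hex} in
        32) echo md5 ;;
        40) echo sha1 ;;
        64) echo sha256 ;;
        *)  echo unknown ;;
    esac
}

# Constructed sample: two throwaway self-signed certificates concatenated in
# the same order as a fullchain.pem (site certificate first, then the CA).
make_sample_chain() {  # usage: make_sample_chain <dir>
    for name in site ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$name.example" \
            -keyout "$1/$name.key" -out "$1/$name.pem" 2>/dev/null
    done
    cat "$1/site.pem" "$1/ca.pem" > "$1/fullchain.pem"
}

workdir=$(mktemp -d)
make_sample_chain "$workdir"
for d in md5 sha1 sha256; do
    fp=$(leaf_fingerprint "$d" "$workdir/fullchain.pem")
    printf '%-7s %s (length says: %s)\n' "$d" "$fp" "$(digest_for "$fp")"
done
```
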