
SSL

In the default configuration myMPD encrypts traffic on port 443. Set /var/lib/mympd/config/ssl to false to disable encryption. If SSL is enabled, myMPD redirects port 80 to 443. SSL is required if you want to install myMPD as an app in Chrome.

Default certificate

Certificates are checked at startup and, if necessary, created or renewed. myMPD maintains a CA certificate and a server certificate signed by this CA.

  • Lifetime of the CA certificate: approximately 10 years
  • Lifetime of the server certificate: 1 year

The validity of the server certificate is so short because browsers no longer trust certificates with long durations, even if they are self-signed. On startup myMPD checks the expiration date of the certificate and renews it if necessary.

The default certificates are saved in the directory /var/lib/mympd/ssl/.

FILE          DESCRIPTION
ca.pem        Self-signed CA certificate
ca.key        CA private key
server.pem    Server certificate
server.key    Server private key

The server certificate SAN is:

  • DNS: localhost
  • DNS: ip6-localhost
  • DNS: ip6-loopback
  • IP: 127.0.0.1
  • IP: ::1
  • DNS: <hostname>
  • DNS: <fully qualified hostname>
  • IP: <IP of resolved hostname>
  • IP: all interface IPs

You can set the environment variable MYMPD_SSL_SAN before starting myMPD to add additional names or IP addresses to the certificate, e.g. export MYMPD_SSL_SAN="DNS:jukebox.local".

To regenerate the server certificate, stop myMPD and remove the /var/lib/mympd/ssl/server.crt and /var/lib/mympd/ssl/server.key files.
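
To confirm that a certificate pair matches what this section describes (server certificate signed by the CA, not close to expiry, expected name present in the SAN), the following check can be used. It is an added example, not part of myMPD; it assumes the openssl command-line tool (1.1.1 or later), and the function names and the demo certificates it builds are hypothetical.

```shell
#!/bin/sh
# Added example (not part of myMPD): audit a CA/server certificate pair.
# Needs the openssl CLI, version 1.1.1 or later (for "x509 -ext").

# make_demo_certs DIR: write a constructed CA and server certificate to DIR so
# the check can be tried without touching the real files. Demo data only.
make_demo_certs() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'subjectAltName=DNS:localhost,IP:127.0.0.1,DNS:jukebox.local\n' > "$d/san.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo server" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/san.ext" -out "$d/server.pem" 2>/dev/null
}

# check_mympd_cert CA SERVER NAME [DAYS]
# 0 = SERVER chains to CA, is valid for DAYS more days (default 30) and has
# DNS:NAME in its SAN; 1 = chain failure, 2 = expires too soon, 3 = name missing.
check_mympd_cert() {
    ca=$1; server=$2; name=$3; days=${4:-30}
    openssl verify -CAfile "$ca" "$server" >/dev/null 2>&1 || return 1
    openssl x509 -in "$server" -noout -checkend $((days * 86400)) >/dev/null || return 2
    # One SAN entry per line, trimmed, then an exact fixed-string match so that
    # "jukebox.local" does not match "jukebox.local.example".
    openssl x509 -in "$server" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$name" || return 3
}

# Real use: check_mympd_cert /var/lib/mympd/ssl/ca.pem /var/lib/mympd/ssl/server.pem jukebox.local
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_demo_certs "$tmp" &&
        check_mympd_cert "$tmp/ca.pem" "$tmp/server.pem" jukebox.local &&
        echo "constructed pair passes"
    rm -rf "$tmp"
fi
```

A return code of 3 after setting MYMPD_SSL_SAN means the running server certificate was created before the variable was set and has not been regenerated.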

Default CA

You can download the CA certificate in the About dialog and import it into your operating system or browser to trust this CA and avoid ugly SSL warnings. Do not import the server certificate.

Custom certificate

You can of course use your own certificate, e.g. from Let's Encrypt.

FILE           CONTENT
ssl            true
custom_cert    true
ssl_key        path to custom ssl key
ssl_cert       path to custom ssl certificate