signalk-ssl 0.5.0 → 0.7.0

package/README.md

@@ -2,7 +2,16 @@
 
 SSL/TLS certificate management for [SignalK Node Server](https://signalk.org/).
 
-Generates a local Certificate Authority, signs server certificates for your boat's hostnames and IP addresses, and provides a QR code so phones and tablets can install the CA root without SSH.
+`signalk-ssl` turns HTTPS on your SignalK server from an SSH-and-`openssl` chore into a two-minute, point-and-click task — it runs a local Certificate Authority, issues and auto-renews trusted server certificates, and hands you a QR code to install the CA root on every phone and tablet aboard. Built to slot seamlessly into the [SignalK Universal Installer](https://github.com/dirkwa/signalk-universal-installer) stack, it also runs perfectly standalone on any vanilla SignalK Node Server.
+
+## Features
+
+- **Local CA + trusted certs, zero terminal** — generates an EC Certificate Authority and signs HTTPS certificates for your boat's hostname and IPs, so browsers show a green padlock instead of a scary warning.
+- **One-scan device trust** — a built-in QR code installs the CA root on iOS (`.mobileconfig`) and Android / desktop (`.crt`); no SSH, no file copying, no per-device fiddling.
+- **Set-and-forget renewal** — certificates auto-renew before expiry and re-issue automatically when your SANs change, with a 24-hour clock-skew backdate so an offline boat's lagging phone clock never breaks trust.
+- **Smart, server-aware defaults** — pre-fills the SAN fields with the exact `.local` hostname your server broadcasts on mDNS plus its private-LAN IPs, so the cert covers both name and IP out of the box, and shows live certificate health (name + days remaining) right in the admin status line.
+- **Encrypted at rest, your choice of key** — the CA private key is always stored as encrypted PKCS#8, with `convenience` (no typing), `env` (environment variable), or `webapp` (prompt-based) passphrase modes.
+- **Runs anywhere SignalK runs** — pure-JS, no native modules; works identically on bare-metal, systemd, and Docker / Podman installs, and is tuned for drop-in use with the SignalK Universal Installer.
 
 ## Why
 
@@ -10,7 +19,7 @@ Generates a local Certificate Authority, signs server certificates for your boat
 - Self-signed certs without a CA make every browser scream.
 - Doing it by hand means SSH, `openssl`, and `update-ca-certificates` per device — for non-technical boaters that's not happening.
 
-`signalk-ssl` collapses the whole flow into "open plugin → configure SANs → scan QR on each phone".
+`signalk-ssl` collapses the whole flow into "open plugin → save the pre-filled SANs → scan QR on each phone".
 
 ## Prerequisites
 
@@ -25,13 +34,12 @@ The Appstore installs plugins with `npm install --ignore-scripts`, so this packa
 
 ## Configure
 
-1. Enable the plugin in the SignalK admin UI.
-2. Open the plugin configuration screen and fill in:
-   - **SANs** — at least one DNS name (e.g. `signalk.local`, `boat.local`) and/or the boat's LAN IP. The webapp shows the discovered IPv4 addresses.
+1. Open the plugin configuration screen. The **SANs** fields come **pre-filled**: the `.local` hostname your server broadcasts on mDNS and the host's private-LAN IPv4 addresses are suggested as defaults, so most boats can leave them as-is. (They're suggestions — clear any you don't want, e.g. a VPN-overlay IP, before saving.)
+2. Review the rest:
    - **Passphrase mode** — `convenience` is the default and just works.
-   - Defaults for CA validity (10 years), leaf validity (397 days), renewal threshold (30 days), clock-skew backdate (24 hours) are fine for most boats.
-3. Save the config. The plugin generates the CA, signs a leaf certificate, and writes both to SignalK's TLS path (`ssl-cert.pem`, `ssl-key.pem`, `ssl-chain.pem` in the configured config directory).
-4. Open the plugin webapp at `/plugins/signalk-ssl/`.
+   - Defaults for CA validity (3650 days ≈ 10 years), leaf validity (397 days), renewal threshold (30 days), clock-skew backdate (24 hours) are fine for most boats.
+3. Save the config to enable the plugin. It generates the CA, signs a leaf certificate covering your SANs, and writes the cert to SignalK's TLS path (`ssl-cert.pem`, `ssl-key.pem`, `ssl-chain.pem` in the configured config directory). The admin status line then shows the cert name and days remaining.
+4. Open the plugin webapp from the admin **Webapps** tile (or at `/signalk-ssl/`).
 5. Restart SignalK so the new certificate is picked up by the HTTPS listener. (The webapp shows a banner reminding you.)
 
 ## Distribute the CA to phones
@@ -76,22 +84,22 @@ or `webapp` mode first.
 
 ## Routes
 
-- `GET /plugins/signalk-ssl/` — webapp (admin auth required)
+- `GET /signalk-ssl/` — webapp static files (served by signalk-server at the module name, admin auth required)
 - `GET /plugins/signalk-ssl/status` — JSON status (admin auth required)
 - `POST /plugins/signalk-ssl/renew` — issue / renew leaf (admin auth required)
 - `POST /plugins/signalk-ssl/unlock` — supply passphrase (webapp mode, admin auth required)
 - `POST /plugins/signalk-ssl/lock` — drop in-memory passphrase
 - `POST /plugins/signalk-ssl/rotate` — re-encrypt the CA key under a new passphrase (admin auth required)
-- `GET /signalk/v1/api/ssl/ca.crt` — **public** download of CA cert (PEM)
-- `GET /signalk/v1/api/ssl/ca.mobileconfig` — **public** download of Apple profile
+- `GET /signalk-ssl/ca.crt` — **public** download of CA cert (PEM)
+- `GET /signalk-ssl/ca.mobileconfig` — **public** download of Apple profile
 
-The two `/ssl/` paths are intentionally unauthenticated so phones without SignalK accounts can fetch the CA via the QR-coded URL. (`PUT`/`POST` on `/signalk/v1/api/*` is auto-protected by the server, so we can't accidentally expose a destructive endpoint here.)
+The two `ca.*` downloads are intentionally unauthenticated so phones without SignalK accounts can fetch the CA via the QR-coded URL. They are mounted on the raw Express app under the `/signalk-ssl/` prefix (where the webapp static files live), which sits behind only signalk-server's permissive root middleware. This matters: the obvious home for them — `/signalk/v1/api/ssl/*` — is fronted by middleware that returns **401** to any tokenless request when `allow_readonly` is disabled, which would break the QR flow on a hardened server. The `/signalk-ssl/` prefix stays reachable without a login regardless of the security config, and only `GET`s are exposed there.
 
 ## Container (Podman / Docker) notes
 
 - The plugin uses `app.getDataDirPath()`, which means the per-plugin data lives under SignalK's data volume — survives container rebuilds.
 - Certs land at `${app.config.configPath}/ssl-{cert,key,chain}.pem`, again on the data volume.
-- mDNS `.local` resolution does **not** work through Podman's default bridge network. Either run with `--network=host` or use IP-based SANs and DNS on your router. The webapp can show the LAN IP URL as a fallback when it detects this case.
+- mDNS `.local` resolution does **not** work through Podman's default bridge network. Either run with `--network=host` or reach the server by IP — the plugin pre-fills the host's private-LAN IPs as SANs, so the issued cert already covers the IP URL. (On a bridge network the auto-detected hostname may be the random container ID, in which case the hostname suggestion is suppressed and you rely on the IP SANs.)
 - For outbound trust **inside** the container (so the SignalK Node process trusts its own CA when calling itself or another boat service), set `NODE_EXTRA_CA_CERTS=/path/to/ca.crt` in the container env. Node reads this before plugins load, so the plugin can't set it on itself — the value must be in your Quadlet/Compose/run script.
 
 ## Troubleshooting
@@ -100,7 +108,7 @@ The two `/ssl/` paths are intentionally unauthenticated so phones without Signal
 
 Three usual causes:
 
-1. The leaf cert doesn't list the hostname in the SAN. Check the SANs in the plugin config; re-issue if you added one after the fact.
+1. The leaf cert doesn't list the name you browsed to in its SAN — e.g. you opened the server by IP but only the `.local` hostname is in the SANs (or vice versa). The cert must contain whatever you type in the address bar. Add the missing name/IP to the SANs in the plugin config and re-issue (**Renew now**).
 2. The phone's clock is more than 24 hours behind. This plugin backdates `notBefore` by 24h to soften this; if it's still too far off, fix NTP on the boat.
 3. The CA root isn't installed (or full trust isn't enabled in Settings → General → About → Certificate Trust Settings).
 

package/dist/plugin/api.d.ts

@@ -1,5 +1,5 @@
-import type { IRouter } from 'express';
-import type { SslService } from './service.js';
+import type { IRouter, RequestHandler } from 'express';
+import type { SslService, ServiceStatus } from './service.js';
 import type { SignalkSslConfig } from './schema.js';
 import type { PassphraseSource } from './passphrase-source.js';
 import type { CertStore } from './storage.js';
@@ -13,8 +13,34 @@ export interface AdminApiDeps extends ApiDeps {
     /** Returns the raw hostname signalk-server uses for mDNS advertisement,
      * or '' if unavailable. See ExtendedServerAPI in src/plugin/index.ts. */
     readonly getRawHostname: () => string;
+    /** Called with each fresh status the admin routes compute, so the plugin can
+     * keep its synchronous statusMessage() cache current (the webapp polls
+     * /status, and /renew recomputes it). Optional. */
+    readonly onStatus?: (status: ServiceStatus) => void;
 }
 /** Mounted by the server at /plugins/signalk-ssl/* — admin auth applied. */
 export declare const registerAdminRoutes: (router: IRouter, deps: AdminApiDeps) => void;
 /** Mounted by the server at /signalk/v1/api/* via signalKApiRoutes — read-only public. */
 export declare const buildPublicRoutes: (router: IRouter, deps: ApiDeps) => IRouter;
+/**
+ * Mount the public CA download on the raw Express app at /signalk-ssl/ca.*.
+ *
+ * The /signalk/v1/api/ssl/* surface (buildPublicRoutes) is fronted by
+ * signalk-server's `http_authorize` middleware, which hard-401s any tokenless
+ * request when `allow_readonly` is disabled — so a phone scanning the QR with
+ * no SignalK account gets "Unauthorized". The /signalk-ssl/ prefix (where the
+ * webapp static files live) is only under the permissive root middleware, so it
+ * stays reachable without auth even on hardened servers. We mount the CA files
+ * there so the QR-code flow works regardless of the security config.
+ */
+export interface RawRouteMounter {
+    get: (path: string, handler: RequestHandler) => unknown;
+}
+/**
+ * These routes are mounted once per process on the raw Express app (Express
+ * keeps handlers across plugin restarts). So the handlers must not close over a
+ * captured `deps`: a config save/restart swaps the plugin's config and store for
+ * fresh objects, and a stale closure would keep serving the old CA metadata.
+ * Take a `getDeps` accessor instead and resolve it per request.
+ */
+export declare const registerPublicCaRoutes: (app: RawRouteMounter, getDeps: () => ApiDeps) => void;

package/dist/plugin/api.js

@@ -12,6 +12,7 @@ const asyncRoute = (fn) => (req, res, next) => {
 export const registerAdminRoutes = (router, deps) => {
     router.get('/status', asyncRoute(async (_req, res) => {
         const s = await deps.service.status();
+        deps.onStatus?.(s);
         sendJson(res, 200, s);
     }));
     router.get('/api/local-ips', (_req, res) => {
@@ -22,6 +23,9 @@ export const registerAdminRoutes = (router, deps) => {
     });
     router.post('/renew', asyncRoute(async (_req, res) => {
         const out = await deps.service.issueIfNeeded();
+        if (deps.onStatus) {
+            deps.onStatus(await deps.service.status());
+        }
         sendJson(res, 200, out);
     }));
     router.post('/unlock', asyncRoute(async (req, res) => {
@@ -62,27 +66,41 @@ export const registerAdminRoutes = (router, deps) => {
         sendJson(res, status, out);
     }));
 };
+// Shared handlers for the public CA download, used by both route surfaces below.
+const sendCaCrt = (deps) => asyncRoute(async (_req, res) => {
+    const ca = await deps.store.readCaState();
+    if (ca === null) {
+        sendJson(res, 404, { error: 'no CA configured' });
+        return;
+    }
+    res.type('application/x-x509-ca-cert').send(ca.certificatePem);
+});
+const sendCaMobileconfig = (deps) => asyncRoute(async (_req, res) => {
+    const ca = await deps.store.readCaState();
+    if (ca === null) {
+        sendJson(res, 404, { error: 'no CA configured' });
+        return;
+    }
+    const xml = buildMobileconfig(ca.certificatePem, {
+        caName: deps.config.commonName,
+        organization: deps.config.organization
+    });
+    res.type('application/x-apple-aspen-config').send(xml);
+});
 /** Mounted by the server at /signalk/v1/api/* via signalKApiRoutes — read-only public. */
 export const buildPublicRoutes = (router, deps) => {
-    router.get('/ssl/ca.crt', asyncRoute(async (_req, res) => {
-        const ca = await deps.store.readCaState();
-        if (ca === null) {
-            sendJson(res, 404, { error: 'no CA configured' });
-            return;
-        }
-        res.type('application/x-x509-ca-cert').send(ca.certificatePem);
-    }));
-    router.get('/ssl/ca.mobileconfig', asyncRoute(async (_req, res) => {
-        const ca = await deps.store.readCaState();
-        if (ca === null) {
-            sendJson(res, 404, { error: 'no CA configured' });
-            return;
-        }
-        const xml = buildMobileconfig(ca.certificatePem, {
-            caName: deps.config.commonName,
-            organization: deps.config.organization
-        });
-        res.type('application/x-apple-aspen-config').send(xml);
-    }));
+    router.get('/ssl/ca.crt', sendCaCrt(deps));
+    router.get('/ssl/ca.mobileconfig', sendCaMobileconfig(deps));
     return router;
 };
+/**
+ * These routes are mounted once per process on the raw Express app (Express
+ * keeps handlers across plugin restarts). So the handlers must not close over a
+ * captured `deps`: a config save/restart swaps the plugin's config and store for
+ * fresh objects, and a stale closure would keep serving the old CA metadata.
+ * Take a `getDeps` accessor instead and resolve it per request.
+ */
+export const registerPublicCaRoutes = (app, getDeps) => {
+    app.get('/signalk-ssl/ca.crt', (req, res, next) => sendCaCrt(getDeps())(req, res, next));
+    app.get('/signalk-ssl/ca.mobileconfig', (req, res, next) => sendCaMobileconfig(getDeps())(req, res, next));
+};

package/dist/plugin/index.d.ts

@@ -1,4 +1,13 @@
 import 'reflect-metadata';
 import type { PluginConstructor } from '@signalk/server-api';
+import { type ServiceStatus } from './service.js';
+/**
+ * One-line status for the admin plugin list. statusMessage() must be
+ * synchronous, so this formats a cached {@link ServiceStatus} snapshot rather
+ * than reading the cert state from disk. Describes issuance state — not config —
+ * so an operator can tell "issued and healthy" from "no cert yet" or "error" at
+ * a glance. `null` snapshot means startup hasn't produced one yet.
+ */
+export declare const formatStatusMessage: (status: ServiceStatus | null) => string;
 declare const pluginConstructor: PluginConstructor;
 export default pluginConstructor;

package/dist/plugin/index.js

@@ -5,95 +5,112 @@
 import 'reflect-metadata';
 import { CertStore } from './storage.js';
 import { PassphraseSource } from './passphrase-source.js';
-import { SslService, discoverAdvertisedHostname } from './service.js';
+import { SslService, discoverAdvertisedHostname, discoverPrivateLanIps } from './service.js';
 import { startRenewalScheduler } from './scheduler.js';
-import { buildPublicRoutes, registerAdminRoutes } from './api.js';
-import { ConfigSchema, DEFAULT_CONFIG } from './schema.js';
+import { buildPublicRoutes, registerAdminRoutes, registerPublicCaRoutes } from './api.js';
+import { buildConfigSchema, DEFAULT_CONFIG } from './schema.js';
 const PLUGIN_ID = 'signalk-ssl';
 const PLUGIN_NAME = 'SignalK SSL';
 const PLUGIN_DESCRIPTION = 'Generate a local CA and issue trusted HTTPS certificates for your SignalK server.';
+// Raw Express routes accumulate across plugin restarts; mount the public CA
+// download only once per process.
+let publicCaMounted = false;
 const resolveConfig = (raw) => {
     return { ...DEFAULT_CONFIG, ...raw };
 };
 const resolveConfigPath = (app, fallback) => {
     return app.config?.configPath ?? fallback;
 };
-const sansAreEmpty = (config) => config.sans.dnsNames.length === 0 && config.sans.ipAddresses.length === 0;
 /**
- * One-shot seed: on first run with an empty SAN list, pre-populate dnsNames
- * with the name the server advertises on mDNS so the user sees a sensible,
- * server-specific default in the plugin config screen instead of a blank field.
- *
- * Guarded by a persistent marker so it runs at most once per install: a user
- * who deletes the seeded name will not see it re-added on the next restart
- * (the SAN-provenance rule from AGENTS.md). Returns true when it triggered a
- * restart, in which case the caller must stop — the plugin is being restarted
- * with the new config.
+ * One-line status for the admin plugin list. statusMessage() must be
+ * synchronous, so this formats a cached {@link ServiceStatus} snapshot rather
+ * than reading the cert state from disk. Describes issuance state — not config —
+ * so an operator can tell "issued and healthy" from "no cert yet" or "error" at
+ * a glance. `null` snapshot means startup hasn't produced one yet.
  */
-const maybeSeedHostname = async (store, config, rawHostname, restart, log) => {
-    if (!sansAreEmpty(config) || (await store.hasSeededHostname())) {
-        return false;
+export const formatStatusMessage = (status) => {
+    if (status === null) {
+        return 'starting';
     }
-    const hostname = discoverAdvertisedHostname(rawHostname);
-    if (hostname === null) {
-        // No useful suggestion (container ID, localhost, etc.). Don't write the
-        // marker — if the host gets a real name later, we still want to seed then.
-        return false;
+    if (status.permissionWarning !== null) {
+        return `error: ${status.permissionWarning}`;
     }
-    await store.markHostnameSeeded(hostname);
-    const newConfig = {
-        ...config,
-        sans: { ...config.sans, dnsNames: [hostname] }
-    };
-    log(`${PLUGIN_ID} seeding empty SANs with discovered hostname ${hostname}`);
-    restart(newConfig);
-    return true;
+    if (!status.hasCa) {
+        return 'no CA yet — enable and save config';
+    }
+    if (!status.hasLeaf) {
+        return 'CA ready, no certificate issued yet';
+    }
+    const name = status.leafSansDns[0] ?? status.leafSansIp[0] ?? 'certificate';
+    const days = status.leafDaysRemaining;
+    const expiry = days === null ? '' : ` · ${days.toString()}d left`;
+    const restart = status.restartRequired ? ' · restart to apply' : '';
+    return `${name}${expiry}${restart}`;
 };
 const pluginConstructor = (app) => {
     const extended = app;
+    // The raw hostname signalk-server uses for mDNS (EXTERNALHOST → proxy_host →
+    // settings.hostname → os.hostname()), '' when unavailable.
+    const rawHostname = () => extended.config?.getExternalHostname?.() ?? '';
     let scheduler = null;
     let service = null;
     let store = null;
     let passphrase = null;
     let config = DEFAULT_CONFIG;
+    // Cached snapshot for the synchronous statusMessage(); refreshed after each
+    // issue attempt. Approximate between refreshes (the webapp /status is live).
+    let lastStatus = null;
+    const refreshStatus = async (svc) => {
+        try {
+            lastStatus = await svc.status();
+        }
+        catch (e) {
+            app.error(`${PLUGIN_ID} status refresh failed: ${String(e)}`);
+        }
+    };
     const plugin = {
         id: PLUGIN_ID,
         name: PLUGIN_NAME,
         description: PLUGIN_DESCRIPTION,
-        schema: () => ConfigSchema,
-        start(rawConfig, restart) {
+        // Re-evaluated by signalk-server on every config-screen load, so the
+        // discovered hostname and private-LAN IPs are injected as SAN defaults and
+        // show up pre-filled in the form *before* the plugin is enabled.
+        schema: () => buildConfigSchema({
+            dnsName: discoverAdvertisedHostname(rawHostname()),
+            ipAddresses: discoverPrivateLanIps()
+        }),
+        start(rawConfig, _restart) {
             config = resolveConfig(rawConfig);
             const dataDir = app.getDataDirPath();
             const configPath = resolveConfigPath(extended, dataDir);
             store = new CertStore(dataDir);
             passphrase = new PassphraseSource(config.passphraseMode, store);
             service = new SslService({ store, passphrase, config, configPath });
+            // Mount the public CA download on the raw Express app (outside the
+            // auth-guarded /signalk/v1/api/*), so a phone scanning the QR can fetch
+            // the CA without a SignalK login even when allow_readonly is off. Once per
+            // process — Express keeps handlers across plugin restarts. The handlers
+            // read deps via an accessor so they pick up the current config/store after
+            // a restart instead of capturing the first start's objects.
+            if (!publicCaMounted && typeof extended.get === 'function') {
+                registerPublicCaRoutes({ get: extended.get.bind(extended) }, () => {
+                    // start() always sets these before the routes can be hit; the closure
+                    // reads them live so a restart's fresh objects are picked up.
+                    if (service === null || store === null || passphrase === null) {
+                        throw new Error(`${PLUGIN_ID} public CA route hit before start completed`);
+                    }
+                    return { service, store, passphrase, config };
+                });
+                publicCaMounted = true;
+            }
             const svcLocal = service;
             const storeLocal = store;
-            const cfgLocal = config;
             const logSchedulerError = (err) => {
                 app.error(`${PLUGIN_ID} scheduled renewal failed: ${String(err)}`);
             };
             void storeLocal
                 .init()
                 .then(async () => {
-                // First-run SAN seed must run before the issue flow: if it triggers a
-                // restart, start() runs again with the seeded config and the issue
-                // happens then. Bail out here so we don't issue against empty SANs and
-                // immediately get restarted out from under it.
-                try {
-                    const rawHostname = extended.config?.getExternalHostname?.() ?? '';
-                    const restarted = await maybeSeedHostname(storeLocal, cfgLocal, rawHostname, restart, (msg) => {
-                        app.debug(msg);
-                    });
-                    if (restarted) {
-                        return;
-                    }
-                }
-                catch (e) {
-                    // A seed failure must never block cert issuance — log and continue.
-                    app.error(`${PLUGIN_ID} hostname seed failed: ${String(e)}`);
-                }
                 try {
                     const warning = await svcLocal.checkWritePermissions();
                     if (warning !== null) {
@@ -110,6 +127,7 @@ const pluginConstructor = (app) => {
                 catch (e) {
                     app.error(`${PLUGIN_ID} initial issue failed: ${String(e)}`);
                 }
+                await refreshStatus(svcLocal);
                 // Start the scheduler only after init + initial issue have completed,
                 // so a short test interval can't race against an uninitialised store.
                 scheduler = startRenewalScheduler(svcLocal, logSchedulerError);
@@ -139,7 +157,10 @@ const pluginConstructor = (app) => {
                 store,
                 passphrase,
                 config,
-                getRawHostname: () => extended.config?.getExternalHostname?.() ?? ''
+                getRawHostname: rawHostname,
+                onStatus: (s) => {
+                    lastStatus = s;
+                }
             });
         },
         signalKApiRoutes(router) {
@@ -149,11 +170,7 @@ const pluginConstructor = (app) => {
             return buildPublicRoutes(router, { service, store, passphrase, config });
         },
         statusMessage() {
-            if (service === null) {
-                return 'starting';
-            }
-            // statusMessage must be synchronous; just describe the cached config.
-            return `mode=${config.mode}, sans=${(config.sans.dnsNames.length + config.sans.ipAddresses.length).toString()}`;
+            return formatStatusMessage(lastStatus);
         }
     };
     return plugin;

package/dist/plugin/schema.d.ts

@@ -1,4 +1,4 @@
-import { type Static } from '@sinclair/typebox';
+import { type Static, type TSchema } from '@sinclair/typebox';
 export declare const SansSchema: import("@sinclair/typebox").TObject<{
     dnsNames: import("@sinclair/typebox").TArray<import("@sinclair/typebox").TString>;
     ipAddresses: import("@sinclair/typebox").TArray<import("@sinclair/typebox").TString>;
@@ -25,5 +25,23 @@ export declare const ConfigSchema: import("@sinclair/typebox").TObject<{
     renewalThresholdDays: import("@sinclair/typebox").TInteger;
     clockSkewHours: import("@sinclair/typebox").TInteger;
 }>;
+export interface SchemaDefaults {
+    /** Discovered mDNS hostname (e.g. `pi5radar.local`), or null if none. */
+    readonly dnsName: string | null;
+    /** Discovered private-LAN IPv4 addresses to suggest as IP SANs. */
+    readonly ipAddresses: readonly string[];
+}
+/**
+ * Return the config schema with the SAN fields pre-filled with the discovered
+ * mDNS hostname and private-LAN IPs, so the server-rendered config form shows
+ * them as suggested defaults before the plugin is enabled. Falls back to the
+ * static {@link ConfigSchema} when nothing useful was discovered.
+ *
+ * `schema()` is re-invoked by signalk-server on every config-screen load, so
+ * this is evaluated fresh each time — no caching, picks up hostname/IP changes.
+ * A default is a non-forcing suggestion: a user who clears a field gets an empty
+ * list, so no provenance tracking is needed.
+ */
+export declare const buildConfigSchema: (defaults: SchemaDefaults) => TSchema;
 export type SignalkSslConfig = Static<typeof ConfigSchema>;
 export declare const DEFAULT_CONFIG: SignalkSslConfig;

package/dist/plugin/schema.js

@@ -71,6 +71,29 @@ export const ConfigSchema = Type.Object({
     title: 'SignalK SSL',
     description: 'Manage a local Certificate Authority and HTTPS leaf certificates for this server.'
 });
+/**
+ * Return the config schema with the SAN fields pre-filled with the discovered
+ * mDNS hostname and private-LAN IPs, so the server-rendered config form shows
+ * them as suggested defaults before the plugin is enabled. Falls back to the
+ * static {@link ConfigSchema} when nothing useful was discovered.
+ *
+ * `schema()` is re-invoked by signalk-server on every config-screen load, so
+ * this is evaluated fresh each time — no caching, picks up hostname/IP changes.
+ * A default is a non-forcing suggestion: a user who clears a field gets an empty
+ * list, so no provenance tracking is needed.
+ */
+export const buildConfigSchema = (defaults) => {
+    if (defaults.dnsName === null && defaults.ipAddresses.length === 0) {
+        return ConfigSchema;
+    }
+    // ConfigSchema is a plain JSON object at runtime; clone so we never mutate the
+    // shared static schema, then swap in the discovered SAN defaults.
+    const clone = structuredClone(ConfigSchema);
+    clone.properties.sans.properties.dnsNames.default =
+        defaults.dnsName === null ? [] : [defaults.dnsName];
+    clone.properties.sans.properties.ipAddresses.default = [...defaults.ipAddresses];
+    return clone;
+};
 export const DEFAULT_CONFIG = {
     mode: 'generate',
     commonName: 'SignalK Local CA',

package/dist/plugin/service.d.ts

@@ -82,6 +82,14 @@ export declare class SslService {
     acknowledgeRestart(): void;
 }
 export declare const discoverLocalIps: () => string[];
+/**
+ * Discovered LAN IPv4 addresses suitable for seeding into the cert's
+ * `ipAddresses` SAN default — same source as {@link discoverLocalIps} but
+ * filtered to RFC-1918 private ranges. Returned as a non-forcing suggestion;
+ * the user can trim any (e.g. a VPN-overlay address) in the config form before
+ * saving.
+ */
+export declare const discoverPrivateLanIps: () => string[];
 /**
  * Derive a DNS-name suggestion to add as a SAN, given the raw hostname
  * signalk-server uses for its mDNS advertisement

package/dist/plugin/service.js

@@ -234,6 +234,36 @@ export const discoverLocalIps = () => {
     }
     return [...out];
 };
+/**
+ * True for RFC-1918 private IPv4 ranges (10/8, 172.16/12, 192.168/16) — the
+ * address space a boat LAN actually uses. Public IPs are excluded so we never
+ * bake a routable address into a long-lived cert.
+ */
+const isPrivateIpv4 = (ip) => {
+    const octets = ip.split('.').map(Number);
+    if (octets.length !== 4 || octets.some((o) => Number.isNaN(o) || o < 0 || o > 255)) {
+        return false;
+    }
+    const [a, b] = octets;
+    if (a === 10) {
+        return true;
+    }
+    if (a === 172 && b >= 16 && b <= 31) {
+        return true;
+    }
+    if (a === 192 && b === 168) {
+        return true;
+    }
+    return false;
+};
+/**
+ * Discovered LAN IPv4 addresses suitable for seeding into the cert's
+ * `ipAddresses` SAN default — same source as {@link discoverLocalIps} but
+ * filtered to RFC-1918 private ranges. Returned as a non-forcing suggestion;
+ * the user can trim any (e.g. a VPN-overlay address) in the config form before
+ * saving.
+ */
+export const discoverPrivateLanIps = () => discoverLocalIps().filter(isPrivateIpv4);
 /**
  * Derive a DNS-name suggestion to add as a SAN, given the raw hostname
  * signalk-server uses for its mDNS advertisement

package/dist/plugin/storage.d.ts

@@ -34,13 +34,4 @@ export declare class CertStore {
     writeSettings(settings: SettingsOnDisk): Promise<void>;
     readConvenienceEnvelope(): Promise<ConveniencePassphraseEnvelope | null>;
     writeConvenienceEnvelope(env: ConveniencePassphraseEnvelope): Promise<void>;
-    /**
-     * Whether the plugin has already attempted its one-shot SAN seed (auto-adding
-     * the discovered mDNS hostname to an empty dnsNames list on first run). The
-     * marker makes the seed a one-time action: once it exists, a user who deletes
-     * the seeded name will not see it re-added on the next restart. Presence is
-     * the whole signal; the stored body is informational only.
-     */
-    hasSeededHostname(): Promise<boolean>;
-    markHostnameSeeded(hostname: string): Promise<void>;
 }

package/dist/plugin/storage.js

@@ -9,8 +9,7 @@ const FILES = {
     state: 'state.json',
     leafState: 'leaf-state.json',
     settings: 'settings.json',
-    convenience: 'passphrase.kdf.json',
-    hostnameSeeded: 'hostname-seeded.json'
+    convenience: 'passphrase.kdf.json'
 };
 const PEM_KEY_MODE = 0o600;
 const PEM_CERT_MODE = 0o644;
@@ -131,19 +130,4 @@ export class CertStore {
         await this.init();
         await atomicWrite(this.path('convenience'), JSON.stringify(env, null, 2), JSON_MODE);
     }
-    /**
-     * Whether the plugin has already attempted its one-shot SAN seed (auto-adding
-     * the discovered mDNS hostname to an empty dnsNames list on first run). The
-     * marker makes the seed a one-time action: once it exists, a user who deletes
-     * the seeded name will not see it re-added on the next restart. Presence is
-     * the whole signal; the stored body is informational only.
-     */
-    async hasSeededHostname() {
-        return (await readIfExists(this.path('hostnameSeeded'))) !== null;
-    }
-    async markHostnameSeeded(hostname) {
-        await this.init();
-        const body = JSON.stringify({ hostname, seededAt: new Date().toISOString() }, null, 2);
-        await atomicWrite(this.path('hostnameSeeded'), body, JSON_MODE);
-    }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "signalk-ssl",
-  "version": "0.5.0",
+  "version": "0.7.0",
   "description": "SSL/TLS certificate management plugin for SignalK Node Server — generate a local CA, issue server certs, distribute the root via QR to phones/tablets",
   "type": "module",
   "main": "dist/plugin/index.js",
@@ -58,7 +58,7 @@
     "webapp": {
       "name": "SignalK SSL",
       "description": "SSL/TLS certificate management for SignalK",
-      "location": "/plugins/signalk-ssl/"
+      "location": "/signalk-ssl/"
     }
   },
   "peerDependencies": {

package/public/assets/index-CJ5rxBca.css

@@ -0,0 +1,2 @@
+/*! tailwindcss v4.3.0 | MIT License | https://tailwindcss.com */
+@layer properties{@supports (((-webkit-hyphens:none)) and (not (margin-trim:inline))) or ((-moz-orient:inline) and (not (color:rgb(from red r g b)))){*,:before,:after,::backdrop{--tw-space-y-reverse:0;--tw-border-style:solid;--tw-font-weight:initial;--tw-tracking:initial;--tw-shadow:0 0 #0000;--tw-shadow-color:initial;--tw-shadow-alpha:100%;--tw-inset-shadow:0 0 #0000;--tw-inset-shadow-color:initial;--tw-inset-shadow-alpha:100%;--tw-ring-color:initial;--tw-ring-shadow:0 0 #0000;--tw-inset-ring-color:initial;--tw-inset-ring-shadow:0 0 #0000;--tw-ring-inset:initial;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-offset-shadow:0 0 #0000}}}@layer theme{:root,:host{--font-sans:ui-sans-serif, system-ui, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";--font-mono:ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace;--color-red-50:oklch(97.1% .013 17.38);--color-red-300:oklch(80.8% .114 19.571);--color-red-500:oklch(63.7% .237 25.331);--color-red-800:oklch(44.4% .177 26.899);--color-red-900:oklch(39.6% .141 25.723);--color-amber-50:oklch(98.7% .022 95.277);--color-amber-300:oklch(87.9% .169 91.605);--color-amber-500:oklch(76.9% .188 70.08);--color-amber-700:oklch(55.5% .163 48.998);--color-amber-800:oklch(47.3% .137 46.201);--color-amber-900:oklch(41.4% .112 45.904);--color-green-50:oklch(98.2% .018 155.826);--color-green-800:oklch(44.8% .119 151.328);--color-emerald-500:oklch(69.6% .17 162.48);--color-sky-50:oklch(97.7% .013 236.62);--color-sky-500:oklch(68.5% .169 237.323);--color-sky-600:oklch(58.8% .158 241.966);--color-sky-700:oklch(50% .134 242.749);--color-slate-50:oklch(98.4% .003 247.858);--color-slate-200:oklch(92.9% .013 255.508);--color-slate-300:oklch(86.9% .022 252.894);--color-slate-400:oklch(70.4% .04 256.788);--color-slate-500:oklch(55.4% .046 257.417);--color-slate-600:oklch(44.6% .043 257.281);--color-slate-700:oklch(37.2% .044 257.287);--color-slate-900:oklch(20.8% .042 265.755);--color-white:#fff;--spacing:.25rem;--container-3xl:48rem;--text-xs:.75rem;--text-xs--line-height:calc(1 / .75);--text-sm:.875rem;--text-sm--line-height:calc(1.25 / .875);--text-base:1rem;--text-base--line-height:calc(1.5 / 1);--text-lg:1.125rem;--text-lg--line-height:calc(1.75 / 1.125);--text-2xl:1.5rem;--text-2xl--line-height:calc(2 / 1.5);--font-weight-medium:500;--font-weight-semibold:600;--tracking-tight:-.025em;--radius-md:.375rem;--radius-lg:.5rem;--radius-xl:.75rem;--default-font-family:var(--font-sans);--default-mono-font-family:var(--font-mono)}}@layer base{*,:after,:before,::backdrop{box-sizing:border-box;border:0 solid;margin:0;padding:0}::file-selector-button{box-sizing:border-box;border:0 solid;margin:0;padding:0}html,:host{-webkit-text-size-adjust:100%;tab-size:4;line-height:1.5;font-family:var(--default-font-family,ui-sans-serif, system-ui, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji");font-feature-settings:var(--default-font-feature-settings,normal);font-variation-settings:var(--default-font-variation-settings,normal);-webkit-tap-highlight-color:transparent}hr{height:0;color:inherit;border-top-width:1px}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;-webkit-text-decoration:inherit;-webkit-text-decoration:inherit;-webkit-text-decoration:inherit;-webkit-text-decoration:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,samp,pre{font-family:var(--default-mono-font-family,ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace);font-feature-settings:var(--default-mono-font-feature-settings,normal);font-variation-settings:var(--default-mono-font-variation-settings,normal);font-size:1em}small{font-size:80%}sub,sup{vertical-align:baseline;font-size:75%;line-height:0;position:relative}sub{bottom:-.25em}sup{top:-.5em}table{text-indent:0;border-color:inherit;border-collapse:collapse}:-moz-focusring{outline:auto}progress{vertical-align:baseline}summary{display:list-item}ol,ul,menu{list-style:none}img,svg,video,canvas,audio,iframe,embed,object{vertical-align:middle;display:block}img,video{max-width:100%;height:auto}button,input,select,optgroup,textarea{font:inherit;font-feature-settings:inherit;font-variation-settings:inherit;letter-spacing:inherit;color:inherit;opacity:1;background-color:#0000;border-radius:0}::file-selector-button{font:inherit;font-feature-settings:inherit;font-variation-settings:inherit;letter-spacing:inherit;color:inherit;opacity:1;background-color:#0000;border-radius:0}:where(select:is([multiple],[size])) optgroup{font-weight:bolder}:where(select:is([multiple],[size])) optgroup option{padding-inline-start:20px}::file-selector-button{margin-inline-end:4px}::placeholder{opacity:1}@supports (not ((-webkit-appearance:-apple-pay-button))) or (contain-intrinsic-size:1px){::placeholder{color:currentColor}@supports (color:color-mix(in lab, red, red)){::placeholder{color:color-mix(in oklab, currentcolor 50%, transparent)}}}textarea{resize:vertical}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-date-and-time-value{min-height:1lh;text-align:inherit}::-webkit-datetime-edit{display:inline-flex}::-webkit-datetime-edit-fields-wrapper{padding:0}::-webkit-datetime-edit{padding-block:0}::-webkit-datetime-edit-year-field{padding-block:0}::-webkit-datetime-edit-month-field{padding-block:0}::-webkit-datetime-edit-day-field{padding-block:0}::-webkit-datetime-edit-hour-field{padding-block:0}::-webkit-datetime-edit-minute-field{padding-block:0}::-webkit-datetime-edit-second-field{padding-block:0}::-webkit-datetime-edit-millisecond-field{padding-block:0}::-webkit-datetime-edit-meridiem-field{padding-block:0}::-webkit-calendar-picker-indicator{line-height:1}:-moz-ui-invalid{box-shadow:none}button,input:where([type=button],[type=reset],[type=submit]){appearance:button}::file-selector-button{appearance:button}::-webkit-inner-spin-button{height:auto}::-webkit-outer-spin-button{height:auto}[hidden]:where(:not([hidden=until-found])){display:none!important}}@layer components;@layer utilities{.sr-only{clip-path:inset(50%);white-space:nowrap;border-width:0;width:1px;height:1px;margin:-1px;padding:0;position:absolute;overflow:hidden}.absolute{position:absolute}.static{position:static}.mx-auto{margin-inline:auto}.mt-1{margin-top:calc(var(--spacing) * 1)}.mt-2{margin-top:calc(var(--spacing) * 2)}.mt-3{margin-top:calc(var(--spacing) * 3)}.mt-4{margin-top:calc(var(--spacing) * 4)}.mt-6{margin-top:calc(var(--spacing) * 6)}.mb-6{margin-bottom:calc(var(--spacing) * 6)}.block{display:block}.flex{display:flex}.grid{display:grid}.inline-flex{display:inline-flex}.h-2{height:calc(var(--spacing) * 2)}.h-8{height:calc(var(--spacing) * 8)}.w-2{width:calc(var(--spacing) * 2)}.w-8{width:calc(var(--spacing) * 8)}.w-full{width:100%}.max-w-3xl{max-width:var(--container-3xl)}.cursor-pointer{cursor:pointer}.list-inside{list-style-position:inside}.list-decimal{list-style-type:decimal}.list-disc{list-style-type:disc}.grid-cols-1{grid-template-columns:repeat(1,minmax(0,1fr))}.flex-col{flex-direction:column}.items-center{align-items:center}.justify-between{justify-content:space-between}.justify-center{justify-content:center}.gap-2{gap:calc(var(--spacing) * 2)}.gap-3{gap:calc(var(--spacing) * 3)}:where(.space-y-1>:not(:last-child)){--tw-space-y-reverse:0;margin-block-start:calc(calc(var(--spacing) * 1) * var(--tw-space-y-reverse));margin-block-end:calc(calc(var(--spacing) * 1) * calc(1 - var(--tw-space-y-reverse)))}:where(.space-y-3>:not(:last-child)){--tw-space-y-reverse:0;margin-block-start:calc(calc(var(--spacing) * 3) * var(--tw-space-y-reverse));margin-block-end:calc(calc(var(--spacing) * 3) * calc(1 - var(--tw-space-y-reverse)))}:where(.space-y-4>:not(:last-child)){--tw-space-y-reverse:0;margin-block-start:calc(calc(var(--spacing) * 4) * var(--tw-space-y-reverse));margin-block-end:calc(calc(var(--spacing) * 4) * calc(1 - var(--tw-space-y-reverse)))}:where(.space-y-6>:not(:last-child)){--tw-space-y-reverse:0;margin-block-start:calc(calc(var(--spacing) * 6) * var(--tw-space-y-reverse));margin-block-end:calc(calc(var(--spacing) * 6) * calc(1 - var(--tw-space-y-reverse)))}.rounded{border-radius:.25rem}.rounded-full{border-radius:3.40282e38px}.rounded-lg{border-radius:var(--radius-lg)}.rounded-md{border-radius:var(--radius-md)}.rounded-xl{border-radius:var(--radius-xl)}.border{border-style:var(--tw-border-style);border-width:1px}.border-amber-300{border-color:var(--color-amber-300)}.border-red-300{border-color:var(--color-red-300)}.border-sky-600{border-color:var(--color-sky-600)}.border-slate-200{border-color:var(--color-slate-200)}.border-slate-300{border-color:var(--color-slate-300)}.bg-amber-50{background-color:var(--color-amber-50)}.bg-amber-500{background-color:var(--color-amber-500)}.bg-emerald-500{background-color:var(--color-emerald-500)}.bg-green-50{background-color:var(--color-green-50)}.bg-red-50{background-color:var(--color-red-50)}.bg-red-500{background-color:var(--color-red-500)}.bg-sky-600{background-color:var(--color-sky-600)}.bg-slate-50{background-color:var(--color-slate-50)}.bg-slate-300{background-color:var(--color-slate-300)}.bg-white{background-color:var(--color-white)}.bg-white\/80{background-color:#fffc}@supports (color:color-mix(in lab, red, red)){.bg-white\/80{background-color:color-mix(in oklab, var(--color-white) 80%, transparent)}}.p-2{padding:calc(var(--spacing) * 2)}.p-3{padding:calc(var(--spacing) * 3)}.p-4{padding:calc(var(--spacing) * 4)}.p-5{padding:calc(var(--spacing) * 5)}.px-3{padding-inline:calc(var(--spacing) * 3)}.px-4{padding-inline:calc(var(--spacing) * 4)}.px-5{padding-inline:calc(var(--spacing) * 5)}.py-1{padding-block:calc(var(--spacing) * 1)}.py-2{padding-block:calc(var(--spacing) * 2)}.py-3{padding-block:calc(var(--spacing) * 3)}.py-6{padding-block:calc(var(--spacing) * 6)}.text-center{text-align:center}.text-left{text-align:left}.font-mono{font-family:var(--font-mono)}.font-sans{font-family:var(--font-sans)}.text-2xl{font-size:var(--text-2xl);line-height:var(--tw-leading,var(--text-2xl--line-height))}.text-base{font-size:var(--text-base);line-height:var(--tw-leading,var(--text-base--line-height))}.text-lg{font-size:var(--text-lg);line-height:var(--tw-leading,var(--text-lg--line-height))}.text-sm{font-size:var(--text-sm);line-height:var(--tw-leading,var(--text-sm--line-height))}.text-xs{font-size:var(--text-xs);line-height:var(--tw-leading,var(--text-xs--line-height))}.font-medium{--tw-font-weight:var(--font-weight-medium);font-weight:var(--font-weight-medium)}.font-semibold{--tw-font-weight:var(--font-weight-semibold);font-weight:var(--font-weight-semibold)}.tracking-tight{--tw-tracking:var(--tracking-tight);letter-spacing:var(--tracking-tight)}.break-all{word-break:break-all}.text-amber-700{color:var(--color-amber-700)}.text-amber-800{color:var(--color-amber-800)}.text-amber-900{color:var(--color-amber-900)}.text-green-800{color:var(--color-green-800)}.text-red-800{color:var(--color-red-800)}.text-red-900{color:var(--color-red-900)}.text-sky-600{color:var(--color-sky-600)}.text-sky-700{color:var(--color-sky-700)}.text-slate-400{color:var(--color-slate-400)}.text-slate-500{color:var(--color-slate-500)}.text-slate-600{color:var(--color-slate-600)}.text-slate-700{color:var(--color-slate-700)}.text-slate-900{color:var(--color-slate-900)}.text-white{color:var(--color-white)}.italic{font-style:italic}.underline{text-decoration-line:underline}.shadow-sm{--tw-shadow:0 1px 3px 0 var(--tw-shadow-color,#0000001a), 0 1px 2px -1px var(--tw-shadow-color,#0000001a);box-shadow:var(--tw-inset-shadow), var(--tw-inset-ring-shadow), var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow)}@media (hover:hover){.hover\:bg-sky-50:hover{background-color:var(--color-sky-50)}.hover\:bg-sky-700:hover{background-color:var(--color-sky-700)}.hover\:bg-slate-50:hover{background-color:var(--color-slate-50)}}.focus\:border-sky-500:focus{border-color:var(--color-sky-500)}.focus\:ring-2:focus{--tw-ring-shadow:var(--tw-ring-inset,) 0 0 0 calc(2px + var(--tw-ring-offset-width)) var(--tw-ring-color,currentcolor);box-shadow:var(--tw-inset-shadow), var(--tw-inset-ring-shadow), var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow)}.focus\:ring-sky-500:focus{--tw-ring-color:var(--color-sky-500)}.focus\:ring-offset-2:focus{--tw-ring-offset-width:2px;--tw-ring-offset-shadow:var(--tw-ring-inset,) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color)}.focus\:outline-none:focus{--tw-outline-style:none;outline-style:none}.disabled\:cursor-not-allowed:disabled{cursor:not-allowed}.disabled\:bg-slate-300:disabled{background-color:var(--color-slate-300)}.disabled\:opacity-50:disabled{opacity:.5}@media (width>=40rem){.sm\:grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}.sm\:grid-cols-\[10rem_1fr\]{grid-template-columns:10rem 1fr}.sm\:py-10{padding-block:calc(var(--spacing) * 10)}}}@property --tw-space-y-reverse{syntax:"*";inherits:false;initial-value:0}@property --tw-border-style{syntax:"*";inherits:false;initial-value:solid}@property --tw-font-weight{syntax:"*";inherits:false}@property --tw-tracking{syntax:"*";inherits:false}@property --tw-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-shadow-color{syntax:"*";inherits:false}@property --tw-shadow-alpha{syntax:"<percentage>";inherits:false;initial-value:100%}@property --tw-inset-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-inset-shadow-color{syntax:"*";inherits:false}@property --tw-inset-shadow-alpha{syntax:"<percentage>";inherits:false;initial-value:100%}@property --tw-ring-color{syntax:"*";inherits:false}@property --tw-ring-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-inset-ring-color{syntax:"*";inherits:false}@property --tw-inset-ring-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-ring-inset{syntax:"*";inherits:false}@property --tw-ring-offset-width{syntax:"<length>";inherits:false;initial-value:0}@property --tw-ring-offset-color{syntax:"*";inherits:false;initial-value:#fff}@property --tw-ring-offset-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}