signalk-ssl 0.6.0 → 0.8.0

package/README.md

@@ -2,7 +2,16 @@
 
 SSL/TLS certificate management for [SignalK Node Server](https://signalk.org/).
 
-Generates a local Certificate Authority, signs server certificates for your boat's hostnames and IP addresses, and provides a QR code so phones and tablets can install the CA root without SSH.
+`signalk-ssl` turns HTTPS on your SignalK server from an SSH-and-`openssl` chore into a two-minute, point-and-click task — it runs a local Certificate Authority, issues and auto-renews trusted server certificates, and hands you a QR code to install the CA root on every phone and tablet aboard. Built to slot seamlessly into the [SignalK Universal Installer](https://github.com/dirkwa/signalk-universal-installer) stack, it also runs perfectly standalone on any vanilla SignalK Node Server.
+
+## Features
+
+- **Local CA + trusted certs, zero terminal** — generates an EC Certificate Authority and signs HTTPS certificates for your boat's hostname and IPs, so browsers show a green padlock instead of a scary warning.
+- **One-scan device trust** — a built-in QR code installs the CA root on iOS (`.mobileconfig`) and Android / desktop (`.crt`); no SSH, no file copying, no per-device fiddling.
+- **Set-and-forget renewal** — certificates auto-renew before expiry and re-issue automatically when your SANs change, with a 24-hour clock-skew backdate so an offline boat's lagging phone clock never breaks trust.
+- **Smart, server-aware defaults** — pre-fills the SAN fields with the exact `.local` hostname your server broadcasts on mDNS plus its private-LAN IPs, so the cert covers both name and IP out of the box, and shows live certificate health (name + days remaining) right in the admin status line.
+- **Encrypted at rest, your choice of key** — the CA private key is always stored as encrypted PKCS#8, with `convenience` (no typing), `env` (environment variable), or `webapp` (prompt-based) passphrase modes.
+- **Runs anywhere SignalK runs** — pure-JS, no native modules; works identically on bare-metal, systemd, and Docker / Podman installs, and is tuned for drop-in use with the SignalK Universal Installer.
 
 ## Why
 
@@ -10,7 +19,7 @@ Generates a local Certificate Authority, signs server certificates for your boat
 - Self-signed certs without a CA make every browser scream.
 - Doing it by hand means SSH, `openssl`, and `update-ca-certificates` per device — for non-technical boaters that's not happening.
 
-`signalk-ssl` collapses the whole flow into "open plugin → configure SANs → scan QR on each phone".
+`signalk-ssl` collapses the whole flow into "open plugin → save the pre-filled SANs → scan QR on each phone".
 
 ## Prerequisites
 
@@ -25,13 +34,12 @@ The Appstore installs plugins with `npm install --ignore-scripts`, so this packa
 
 ## Configure
 
-1. Enable the plugin in the SignalK admin UI.
-2. Open the plugin configuration screen and fill in:
-   - **SANs** — at least one DNS name (e.g. `signalk.local`, `boat.local`) and/or the boat's LAN IP. The webapp shows the discovered IPv4 addresses.
+1. Open the plugin configuration screen. The **SANs** fields come **pre-filled**: the `.local` hostname your server broadcasts on mDNS and the host's private-LAN IPv4 addresses are suggested as defaults, so most boats can leave them as-is. (They're suggestions — clear any you don't want, e.g. a VPN-overlay IP, before saving.)
+2. Review the rest:
    - **Passphrase mode** — `convenience` is the default and just works.
-   - Defaults for CA validity (10 years), leaf validity (397 days), renewal threshold (30 days), clock-skew backdate (24 hours) are fine for most boats.
-3. Save the config. The plugin generates the CA, signs a leaf certificate, and writes both to SignalK's TLS path (`ssl-cert.pem`, `ssl-key.pem`, `ssl-chain.pem` in the configured config directory).
-4. Open the plugin webapp at `/signalk-ssl/`.
+   - Defaults for CA validity (3650 days ≈ 10 years), leaf validity (397 days), renewal threshold (30 days), clock-skew backdate (24 hours) are fine for most boats.
+3. Save the config to enable the plugin. It generates the CA, signs a leaf certificate covering your SANs, and writes the cert to SignalK's TLS path (`ssl-cert.pem`, `ssl-key.pem`, `ssl-chain.pem` in the configured config directory). The admin status line then shows the cert name and days remaining.
+4. Open the plugin webapp from the admin **Webapps** tile (or at `/signalk-ssl/`).
 5. Restart SignalK so the new certificate is picked up by the HTTPS listener. (The webapp shows a banner reminding you.)
 
 ## Distribute the CA to phones
@@ -82,16 +90,16 @@ or `webapp` mode first.
 - `POST /plugins/signalk-ssl/unlock` — supply passphrase (webapp mode, admin auth required)
 - `POST /plugins/signalk-ssl/lock` — drop in-memory passphrase
 - `POST /plugins/signalk-ssl/rotate` — re-encrypt the CA key under a new passphrase (admin auth required)
-- `GET /signalk/v1/api/ssl/ca.crt` — **public** download of CA cert (PEM)
-- `GET /signalk/v1/api/ssl/ca.mobileconfig` — **public** download of Apple profile
+- `GET /signalk-ssl/ca.crt` — **public** download of CA cert (PEM)
+- `GET /signalk-ssl/ca.mobileconfig` — **public** download of Apple profile
 
-The two `/ssl/` paths are intentionally unauthenticated so phones without SignalK accounts can fetch the CA via the QR-coded URL. (`PUT`/`POST` on `/signalk/v1/api/*` is auto-protected by the server, so we can't accidentally expose a destructive endpoint here.)
+The two `ca.*` downloads are intentionally unauthenticated so phones without SignalK accounts can fetch the CA via the QR-coded URL. They are mounted on the raw Express app under the `/signalk-ssl/` prefix (where the webapp static files live), which sits behind only signalk-server's permissive root middleware. This matters: the obvious home for them — `/signalk/v1/api/ssl/*` — is fronted by middleware that returns **401** to any tokenless request when `allow_readonly` is disabled, which would break the QR flow on a hardened server. The `/signalk-ssl/` prefix stays reachable without a login regardless of the security config, and only `GET`s are exposed there.
 
 ## Container (Podman / Docker) notes
 
 - The plugin uses `app.getDataDirPath()`, which means the per-plugin data lives under SignalK's data volume — survives container rebuilds.
 - Certs land at `${app.config.configPath}/ssl-{cert,key,chain}.pem`, again on the data volume.
-- mDNS `.local` resolution does **not** work through Podman's default bridge network. Either run with `--network=host` or use IP-based SANs and DNS on your router. The webapp can show the LAN IP URL as a fallback when it detects this case.
+- mDNS `.local` resolution does **not** work through Podman's default bridge network. Either run with `--network=host` or reach the server by IP — the plugin pre-fills the host's private-LAN IPs as SANs, so the issued cert already covers the IP URL. (On a bridge network the auto-detected hostname may be the random container ID, in which case the hostname suggestion is suppressed and you rely on the IP SANs.)
 - For outbound trust **inside** the container (so the SignalK Node process trusts its own CA when calling itself or another boat service), set `NODE_EXTRA_CA_CERTS=/path/to/ca.crt` in the container env. Node reads this before plugins load, so the plugin can't set it on itself — the value must be in your Quadlet/Compose/run script.
 
 ## Troubleshooting
@@ -100,7 +108,7 @@ The two `/ssl/` paths are intentionally unauthenticated so phones without Signal
 
 Three usual causes:
 
-1. The leaf cert doesn't list the hostname in the SAN. Check the SANs in the plugin config; re-issue if you added one after the fact.
+1. The leaf cert doesn't list the name you browsed to in its SAN — e.g. you opened the server by IP but only the `.local` hostname is in the SANs (or vice versa). The cert must contain whatever you type in the address bar. Add the missing name/IP to the SANs in the plugin config and re-issue (**Renew now**).
 2. The phone's clock is more than 24 hours behind. This plugin backdates `notBefore` by 24h to soften this; if it's still too far off, fix NTP on the boat.
 3. The CA root isn't installed (or full trust isn't enabled in Settings → General → About → Certificate Trust Settings).
 

package/dist/plugin/api.d.ts

@@ -1,4 +1,4 @@
-import type { IRouter } from 'express';
+import type { IRouter, RequestHandler } from 'express';
 import type { SslService, ServiceStatus } from './service.js';
 import type { SignalkSslConfig } from './schema.js';
 import type { PassphraseSource } from './passphrase-source.js';
@@ -22,3 +22,25 @@ export interface AdminApiDeps extends ApiDeps {
 export declare const registerAdminRoutes: (router: IRouter, deps: AdminApiDeps) => void;
 /** Mounted by the server at /signalk/v1/api/* via signalKApiRoutes — read-only public. */
 export declare const buildPublicRoutes: (router: IRouter, deps: ApiDeps) => IRouter;
+/**
+ * Mount the public CA download on the raw Express app at /signalk-ssl/ca.*.
+ *
+ * The /signalk/v1/api/ssl/* surface (buildPublicRoutes) is fronted by
+ * signalk-server's `http_authorize` middleware, which hard-401s any tokenless
+ * request when `allow_readonly` is disabled — so a phone scanning the QR with
+ * no SignalK account gets "Unauthorized". The /signalk-ssl/ prefix (where the
+ * webapp static files live) is only under the permissive root middleware, so it
+ * stays reachable without auth even on hardened servers. We mount the CA files
+ * there so the QR-code flow works regardless of the security config.
+ */
+export interface RawRouteMounter {
+    get: (path: string, handler: RequestHandler) => unknown;
+}
+/**
+ * These routes are mounted once per process on the raw Express app (Express
+ * keeps handlers across plugin restarts). So the handlers must not close over a
+ * captured `deps`: a config save/restart swaps the plugin's config and store for
+ * fresh objects, and a stale closure would keep serving the old CA metadata.
+ * Take a `getDeps` accessor instead and resolve it per request.
+ */
+export declare const registerPublicCaRoutes: (app: RawRouteMounter, getDeps: () => ApiDeps) => void;

package/dist/plugin/api.js

@@ -66,27 +66,41 @@ export const registerAdminRoutes = (router, deps) => {
         sendJson(res, status, out);
     }));
 };
+// Shared handlers for the public CA download, used by both route surfaces below.
+const sendCaCrt = (deps) => asyncRoute(async (_req, res) => {
+    const ca = await deps.store.readCaState();
+    if (ca === null) {
+        sendJson(res, 404, { error: 'no CA configured' });
+        return;
+    }
+    res.type('application/x-x509-ca-cert').send(ca.certificatePem);
+});
+const sendCaMobileconfig = (deps) => asyncRoute(async (_req, res) => {
+    const ca = await deps.store.readCaState();
+    if (ca === null) {
+        sendJson(res, 404, { error: 'no CA configured' });
+        return;
+    }
+    const xml = buildMobileconfig(ca.certificatePem, {
+        caName: deps.config.commonName,
+        organization: deps.config.organization
+    });
+    res.type('application/x-apple-aspen-config').send(xml);
+});
 /** Mounted by the server at /signalk/v1/api/* via signalKApiRoutes — read-only public. */
 export const buildPublicRoutes = (router, deps) => {
-    router.get('/ssl/ca.crt', asyncRoute(async (_req, res) => {
-        const ca = await deps.store.readCaState();
-        if (ca === null) {
-            sendJson(res, 404, { error: 'no CA configured' });
-            return;
-        }
-        res.type('application/x-x509-ca-cert').send(ca.certificatePem);
-    }));
-    router.get('/ssl/ca.mobileconfig', asyncRoute(async (_req, res) => {
-        const ca = await deps.store.readCaState();
-        if (ca === null) {
-            sendJson(res, 404, { error: 'no CA configured' });
-            return;
-        }
-        const xml = buildMobileconfig(ca.certificatePem, {
-            caName: deps.config.commonName,
-            organization: deps.config.organization
-        });
-        res.type('application/x-apple-aspen-config').send(xml);
-    }));
+    router.get('/ssl/ca.crt', sendCaCrt(deps));
+    router.get('/ssl/ca.mobileconfig', sendCaMobileconfig(deps));
     return router;
 };
+/**
+ * These routes are mounted once per process on the raw Express app (Express
+ * keeps handlers across plugin restarts). So the handlers must not close over a
+ * captured `deps`: a config save/restart swaps the plugin's config and store for
+ * fresh objects, and a stale closure would keep serving the old CA metadata.
+ * Take a `getDeps` accessor instead and resolve it per request.
+ */
+export const registerPublicCaRoutes = (app, getDeps) => {
+    app.get('/signalk-ssl/ca.crt', (req, res, next) => sendCaCrt(getDeps())(req, res, next));
+    app.get('/signalk-ssl/ca.mobileconfig', (req, res, next) => sendCaMobileconfig(getDeps())(req, res, next));
+};

package/dist/plugin/index.js

@@ -5,13 +5,16 @@
 import 'reflect-metadata';
 import { CertStore } from './storage.js';
 import { PassphraseSource } from './passphrase-source.js';
-import { SslService, discoverAdvertisedHostname } from './service.js';
+import { SslService, discoverAdvertisedHostname, discoverPrivateLanIps } from './service.js';
 import { startRenewalScheduler } from './scheduler.js';
-import { buildPublicRoutes, registerAdminRoutes } from './api.js';
+import { buildPublicRoutes, registerAdminRoutes, registerPublicCaRoutes } from './api.js';
 import { buildConfigSchema, DEFAULT_CONFIG } from './schema.js';
 const PLUGIN_ID = 'signalk-ssl';
 const PLUGIN_NAME = 'SignalK SSL';
 const PLUGIN_DESCRIPTION = 'Generate a local CA and issue trusted HTTPS certificates for your SignalK server.';
+// Raw Express routes accumulate across plugin restarts; mount the public CA
+// download only once per process.
+let publicCaMounted = false;
 const resolveConfig = (raw) => {
     return { ...DEFAULT_CONFIG, ...raw };
 };
@@ -70,16 +73,53 @@ const pluginConstructor = (app) => {
         name: PLUGIN_NAME,
         description: PLUGIN_DESCRIPTION,
         // Re-evaluated by signalk-server on every config-screen load, so the
-        // discovered hostname is injected as the dnsNames default and shows up
-        // pre-filled in the form *before* the plugin is enabled.
-        schema: () => buildConfigSchema(discoverAdvertisedHostname(rawHostname())),
+        // discovered hostname and private-LAN IPs are injected as SAN defaults and
+        // show up pre-filled in the form *before* the plugin is enabled.
+        schema: () => buildConfigSchema({
+            dnsName: discoverAdvertisedHostname(rawHostname()),
+            ipAddresses: discoverPrivateLanIps()
+        }),
         start(rawConfig, _restart) {
             config = resolveConfig(rawConfig);
             const dataDir = app.getDataDirPath();
             const configPath = resolveConfigPath(extended, dataDir);
             store = new CertStore(dataDir);
             passphrase = new PassphraseSource(config.passphraseMode, store);
-            service = new SslService({ store, passphrase, config, configPath });
+            service = new SslService({
+                store,
+                passphrase,
+                config,
+                configPath,
+                // Evaluated per /status call so an `ssl: true` flip + restart is
+                // reflected immediately (the webapp polls /status). Preserves null when
+                // the server doesn't expose settings.ssl — collapsing that to false
+                // would falsely trigger the enable-HTTPS panel on older servers.
+                getServerNetState: () => {
+                    const settings = extended.config?.settings;
+                    return {
+                        sslEnabled: typeof settings?.ssl === 'boolean' ? settings.ssl : null,
+                        httpPort: typeof settings?.port === 'number' ? settings.port : null,
+                        sslPort: typeof settings?.sslport === 'number' ? settings.sslport : null
+                    };
+                }
+            });
+            // Mount the public CA download on the raw Express app (outside the
+            // auth-guarded /signalk/v1/api/*), so a phone scanning the QR can fetch
+            // the CA without a SignalK login even when allow_readonly is off. Once per
+            // process — Express keeps handlers across plugin restarts. The handlers
+            // read deps via an accessor so they pick up the current config/store after
+            // a restart instead of capturing the first start's objects.
+            if (!publicCaMounted && typeof extended.get === 'function') {
+                registerPublicCaRoutes({ get: extended.get.bind(extended) }, () => {
+                    // start() always sets these before the routes can be hit; the closure
+                    // reads them live so a restart's fresh objects are picked up.
+                    if (service === null || store === null || passphrase === null) {
+                        throw new Error(`${PLUGIN_ID} public CA route hit before start completed`);
+                    }
+                    return { service, store, passphrase, config };
+                });
+                publicCaMounted = true;
+            }
             const svcLocal = service;
             const storeLocal = store;
             const logSchedulerError = (err) => {

package/dist/plugin/schema.d.ts

@@ -25,17 +25,23 @@ export declare const ConfigSchema: import("@sinclair/typebox").TObject<{
     renewalThresholdDays: import("@sinclair/typebox").TInteger;
     clockSkewHours: import("@sinclair/typebox").TInteger;
 }>;
+export interface SchemaDefaults {
+    /** Discovered mDNS hostname (e.g. `pi5radar.local`), or null if none. */
+    readonly dnsName: string | null;
+    /** Discovered private-LAN IPv4 addresses to suggest as IP SANs. */
+    readonly ipAddresses: readonly string[];
+}
 /**
- * Return the config schema with `dnsNames` pre-filled with the discovered mDNS
- * hostname, so the server-rendered config form shows it as a suggested default
- * before the plugin is enabled. Falls back to the static {@link ConfigSchema}
- * (empty default) when no useful hostname is available.
+ * Return the config schema with the SAN fields pre-filled with the discovered
+ * mDNS hostname and private-LAN IPs, so the server-rendered config form shows
+ * them as suggested defaults before the plugin is enabled. Falls back to the
+ * static {@link ConfigSchema} when nothing useful was discovered.
  *
  * `schema()` is re-invoked by signalk-server on every config-screen load, so
- * this is evaluated fresh each time — no caching, picks up hostname changes.
- * A default is a non-forcing suggestion: a user who clears it gets an empty
- * list, no provenance tracking needed.
+ * this is evaluated fresh each time — no caching, picks up hostname/IP changes.
+ * A default is a non-forcing suggestion: a user who clears a field gets an empty
+ * list, so no provenance tracking is needed.
  */
-export declare const buildConfigSchema: (dnsDefault: string | null) => TSchema;
+export declare const buildConfigSchema: (defaults: SchemaDefaults) => TSchema;
 export type SignalkSslConfig = Static<typeof ConfigSchema>;
 export declare const DEFAULT_CONFIG: SignalkSslConfig;

package/dist/plugin/schema.js

@@ -72,24 +72,26 @@ export const ConfigSchema = Type.Object({
     description: 'Manage a local Certificate Authority and HTTPS leaf certificates for this server.'
 });
 /**
- * Return the config schema with `dnsNames` pre-filled with the discovered mDNS
- * hostname, so the server-rendered config form shows it as a suggested default
- * before the plugin is enabled. Falls back to the static {@link ConfigSchema}
- * (empty default) when no useful hostname is available.
+ * Return the config schema with the SAN fields pre-filled with the discovered
+ * mDNS hostname and private-LAN IPs, so the server-rendered config form shows
+ * them as suggested defaults before the plugin is enabled. Falls back to the
+ * static {@link ConfigSchema} when nothing useful was discovered.
  *
  * `schema()` is re-invoked by signalk-server on every config-screen load, so
- * this is evaluated fresh each time — no caching, picks up hostname changes.
- * A default is a non-forcing suggestion: a user who clears it gets an empty
- * list, no provenance tracking needed.
+ * this is evaluated fresh each time — no caching, picks up hostname/IP changes.
+ * A default is a non-forcing suggestion: a user who clears a field gets an empty
+ * list, so no provenance tracking is needed.
  */
-export const buildConfigSchema = (dnsDefault) => {
-    if (dnsDefault === null) {
+export const buildConfigSchema = (defaults) => {
+    if (defaults.dnsName === null && defaults.ipAddresses.length === 0) {
         return ConfigSchema;
     }
     // ConfigSchema is a plain JSON object at runtime; clone so we never mutate the
-    // shared static schema, then swap in the hostname default.
+    // shared static schema, then swap in the discovered SAN defaults.
     const clone = structuredClone(ConfigSchema);
-    clone.properties.sans.properties.dnsNames.default = [dnsDefault];
+    clone.properties.sans.properties.dnsNames.default =
+        defaults.dnsName === null ? [] : [defaults.dnsName];
+    clone.properties.sans.properties.ipAddresses.default = [...defaults.ipAddresses];
     return clone;
 };
 export const DEFAULT_CONFIG = {

package/dist/plugin/service.d.ts

@@ -27,6 +27,17 @@ export type RotateOutcome = {
     readonly kind: 'error';
     readonly message: string;
 };
+/** Runtime snapshot of signalk-server's HTTP/HTTPS binding state. */
+export interface ServerNetState {
+    /** True/false when signalk-server reports settings.ssl, null when it doesn't
+     * (older server, or any case where the runtime can't tell). The webapp only
+     * shows the enable-HTTPS help on an explicit `false`, never on null. */
+    readonly sslEnabled: boolean | null;
+    /** Plain-HTTP port (signalk-server settings.port; default 3000). */
+    readonly httpPort: number | null;
+    /** HTTPS port (signalk-server settings.sslport; default 443). */
+    readonly sslPort: number | null;
+}
 export interface ServiceStatus {
     readonly hasCa: boolean;
     readonly caFingerprint: string | null;
@@ -38,12 +49,23 @@ export interface ServiceStatus {
     readonly leafSansIp: readonly string[];
     readonly restartRequired: boolean;
     readonly permissionWarning: string | null;
+    /** Whether signalk-server is actually serving HTTPS. The plugin can install a
+     * cert and the server still serve plain HTTP if settings.ssl is false — the
+     * webapp surfaces help for that case. Null when the runtime can't tell. */
+    readonly serverSslEnabled: boolean | null;
+    /** Ports the server reports for the help/URL hints. Both null when unknown. */
+    readonly serverHttpPort: number | null;
+    readonly serverSslPort: number | null;
 }
 export interface SslServiceDeps {
     readonly store: CertStore;
     readonly passphrase: PassphraseSource;
     readonly config: SignalkSslConfig;
     readonly configPath: string;
+    /** Snapshot of signalk-server's net state, evaluated at request time so a
+     * settings flip is reflected immediately. Optional — when absent the status
+     * exposes nulls and the webapp suppresses the help. */
+    readonly getServerNetState?: () => ServerNetState;
 }
 export declare class SslService {
     private readonly deps;
@@ -78,10 +100,19 @@ export declare class SslService {
     private importCa;
     private signAndStoreLeaf;
     private ensureFilesOnDisk;
+    private serverState;
     status(): Promise<ServiceStatus>;
     acknowledgeRestart(): void;
 }
 export declare const discoverLocalIps: () => string[];
+/**
+ * Discovered LAN IPv4 addresses suitable for seeding into the cert's
+ * `ipAddresses` SAN default — same source as {@link discoverLocalIps} but
+ * filtered to RFC-1918 private ranges. Returned as a non-forcing suggestion;
+ * the user can trim any (e.g. a VPN-overlay address) in the config form before
+ * saving.
+ */
+export declare const discoverPrivateLanIps: () => string[];
 /**
  * Derive a DNS-name suggestion to add as a SAN, given the raw hostname
  * signalk-server uses for its mDNS advertisement

package/dist/plugin/service.js

@@ -168,9 +168,17 @@ export class SslService {
     async ensureFilesOnDisk(leaf, ca) {
         await installCerts(this.targets(), leaf.certificatePem, leaf.privateKeyPem, ca.certificatePem);
     }
+    serverState() {
+        if (this.deps.getServerNetState === undefined) {
+            return { sslEnabled: null, httpPort: null, sslPort: null };
+        }
+        const s = this.deps.getServerNetState();
+        return { sslEnabled: s.sslEnabled, httpPort: s.httpPort, sslPort: s.sslPort };
+    }
     async status() {
         const caState = await this.deps.store.readCaState();
         const leafState = await this.deps.store.readLeafState();
+        const net = this.serverState();
         if (leafState === null) {
             return {
                 hasCa: caState !== null,
@@ -182,7 +190,10 @@ export class SslService {
                 leafSansDns: [],
                 leafSansIp: [],
                 restartRequired: this.restartRequired,
-                permissionWarning: this.permissionWarning
+                permissionWarning: this.permissionWarning,
+                serverSslEnabled: net.sslEnabled,
+                serverHttpPort: net.httpPort,
+                serverSslPort: net.sslPort
             };
         }
         const decision = needsRenewal(leafState.certificatePem, this.resolveSans(), this.deps.config.renewalThresholdDays);
@@ -196,7 +207,10 @@ export class SslService {
             leafSansDns: this.deps.config.sans.dnsNames.map((d) => sanitizeHostname(d).toLowerCase()),
             leafSansIp: this.deps.config.sans.ipAddresses,
             restartRequired: this.restartRequired,
-            permissionWarning: this.permissionWarning
+            permissionWarning: this.permissionWarning,
+            serverSslEnabled: net.sslEnabled,
+            serverHttpPort: net.httpPort,
+            serverSslPort: net.sslPort
         };
     }
     acknowledgeRestart() {
@@ -234,6 +248,36 @@ export const discoverLocalIps = () => {
     }
     return [...out];
 };
+/**
+ * True for RFC-1918 private IPv4 ranges (10/8, 172.16/12, 192.168/16) — the
+ * address space a boat LAN actually uses. Public IPs are excluded so we never
+ * bake a routable address into a long-lived cert.
+ */
+const isPrivateIpv4 = (ip) => {
+    const octets = ip.split('.').map(Number);
+    if (octets.length !== 4 || octets.some((o) => Number.isNaN(o) || o < 0 || o > 255)) {
+        return false;
+    }
+    const [a, b] = octets;
+    if (a === 10) {
+        return true;
+    }
+    if (a === 172 && b >= 16 && b <= 31) {
+        return true;
+    }
+    if (a === 192 && b === 168) {
+        return true;
+    }
+    return false;
+};
+/**
+ * Discovered LAN IPv4 addresses suitable for seeding into the cert's
+ * `ipAddresses` SAN default — same source as {@link discoverLocalIps} but
+ * filtered to RFC-1918 private ranges. Returned as a non-forcing suggestion;
+ * the user can trim any (e.g. a VPN-overlay address) in the config form before
+ * saving.
+ */
+export const discoverPrivateLanIps = () => discoverLocalIps().filter(isPrivateIpv4);
 /**
  * Derive a DNS-name suggestion to add as a SAN, given the raw hostname
  * signalk-server uses for its mDNS advertisement

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "signalk-ssl",
-  "version": "0.6.0",
+  "version": "0.8.0",
   "description": "SSL/TLS certificate management plugin for SignalK Node Server — generate a local CA, issue server certs, distribute the root via QR to phones/tablets",
   "type": "module",
   "main": "dist/plugin/index.js",

package/public/assets/index-A1lwNlrC.css

@@ -0,0 +1,2 @@
+/*! tailwindcss v4.3.0 | MIT License | https://tailwindcss.com */
+@layer properties{@supports (((-webkit-hyphens:none)) and (not (margin-trim:inline))) or ((-moz-orient:inline) and (not (color:rgb(from red r g b)))){*,:before,:after,::backdrop{--tw-space-y-reverse:0;--tw-border-style:solid;--tw-font-weight:initial;--tw-tracking:initial;--tw-shadow:0 0 #0000;--tw-shadow-color:initial;--tw-shadow-alpha:100%;--tw-inset-shadow:0 0 #0000;--tw-inset-shadow-color:initial;--tw-inset-shadow-alpha:100%;--tw-ring-color:initial;--tw-ring-shadow:0 0 #0000;--tw-inset-ring-color:initial;--tw-inset-ring-shadow:0 0 #0000;--tw-ring-inset:initial;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-offset-shadow:0 0 #0000}}}@layer theme{:root,:host{--font-sans:ui-sans-serif, system-ui, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";--font-mono:ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace;--color-red-50:oklch(97.1% .013 17.38);--color-red-300:oklch(80.8% .114 19.571);--color-red-500:oklch(63.7% .237 25.331);--color-red-800:oklch(44.4% .177 26.899);--color-red-900:oklch(39.6% .141 25.723);--color-amber-50:oklch(98.7% .022 95.277);--color-amber-100:oklch(96.2% .059 95.617);--color-amber-300:oklch(87.9% .169 91.605);--color-amber-500:oklch(76.9% .188 70.08);--color-amber-700:oklch(55.5% .163 48.998);--color-amber-800:oklch(47.3% .137 46.201);--color-amber-900:oklch(41.4% .112 45.904);--color-green-50:oklch(98.2% .018 155.826);--color-green-800:oklch(44.8% .119 151.328);--color-emerald-500:oklch(69.6% .17 162.48);--color-sky-50:oklch(97.7% .013 236.62);--color-sky-500:oklch(68.5% .169 237.323);--color-sky-600:oklch(58.8% .158 241.966);--color-sky-700:oklch(50% .134 242.749);--color-slate-50:oklch(98.4% .003 247.858);--color-slate-200:oklch(92.9% .013 255.508);--color-slate-300:oklch(86.9% .022 252.894);--color-slate-400:oklch(70.4% .04 256.788);--color-slate-500:oklch(55.4% .046 257.417);--color-slate-600:oklch(44.6% .043 257.281);--color-slate-700:oklch(37.2% .044 257.287);--color-slate-900:oklch(20.8% .042 265.755);--color-white:#fff;--spacing:.25rem;--container-3xl:48rem;--text-xs:.75rem;--text-xs--line-height:calc(1 / .75);--text-sm:.875rem;--text-sm--line-height:calc(1.25 / .875);--text-base:1rem;--text-base--line-height:calc(1.5 / 1);--text-lg:1.125rem;--text-lg--line-height:calc(1.75 / 1.125);--text-2xl:1.5rem;--text-2xl--line-height:calc(2 / 1.5);--font-weight-medium:500;--font-weight-semibold:600;--tracking-tight:-.025em;--radius-md:.375rem;--radius-lg:.5rem;--radius-xl:.75rem;--default-font-family:var(--font-sans);--default-mono-font-family:var(--font-mono)}}@layer base{*,:after,:before,::backdrop{box-sizing:border-box;border:0 solid;margin:0;padding:0}::file-selector-button{box-sizing:border-box;border:0 solid;margin:0;padding:0}html,:host{-webkit-text-size-adjust:100%;tab-size:4;line-height:1.5;font-family:var(--default-font-family,ui-sans-serif, system-ui, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji");font-feature-settings:var(--default-font-feature-settings,normal);font-variation-settings:var(--default-font-variation-settings,normal);-webkit-tap-highlight-color:transparent}hr{height:0;color:inherit;border-top-width:1px}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;-webkit-text-decoration:inherit;-webkit-text-decoration:inherit;-webkit-text-decoration:inherit;-webkit-text-decoration:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,samp,pre{font-family:var(--default-mono-font-family,ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace);font-feature-settings:var(--default-mono-font-feature-settings,normal);font-variation-settings:var(--default-mono-font-variation-settings,normal);font-size:1em}small{font-size:80%}sub,sup{vertical-align:baseline;font-size:75%;line-height:0;position:relative}sub{bottom:-.25em}sup{top:-.5em}table{text-indent:0;border-color:inherit;border-collapse:collapse}:-moz-focusring{outline:auto}progress{vertical-align:baseline}summary{display:list-item}ol,ul,menu{list-style:none}img,svg,video,canvas,audio,iframe,embed,object{vertical-align:middle;display:block}img,video{max-width:100%;height:auto}button,input,select,optgroup,textarea{font:inherit;font-feature-settings:inherit;font-variation-settings:inherit;letter-spacing:inherit;color:inherit;opacity:1;background-color:#0000;border-radius:0}::file-selector-button{font:inherit;font-feature-settings:inherit;font-variation-settings:inherit;letter-spacing:inherit;color:inherit;opacity:1;background-color:#0000;border-radius:0}:where(select:is([multiple],[size])) optgroup{font-weight:bolder}:where(select:is([multiple],[size])) optgroup option{padding-inline-start:20px}::file-selector-button{margin-inline-end:4px}::placeholder{opacity:1}@supports (not ((-webkit-appearance:-apple-pay-button))) or (contain-intrinsic-size:1px){::placeholder{color:currentColor}@supports (color:color-mix(in lab, red, red)){::placeholder{color:color-mix(in oklab, currentcolor 50%, transparent)}}}textarea{resize:vertical}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-date-and-time-value{min-height:1lh;text-align:inherit}::-webkit-datetime-edit{display:inline-flex}::-webkit-datetime-edit-fields-wrapper{padding:0}::-webkit-datetime-edit{padding-block:0}::-webkit-datetime-edit-year-field{padding-block:0}::-webkit-datetime-edit-month-field{padding-block:0}::-webkit-datetime-edit-day-field{padding-block:0}::-webkit-datetime-edit-hour-field{padding-block:0}::-webkit-datetime-edit-minute-field{padding-block:0}::-webkit-datetime-edit-second-field{padding-block:0}::-webkit-datetime-edit-millisecond-field{padding-block:0}::-webkit-datetime-edit-meridiem-field{padding-block:0}::-webkit-calendar-picker-indicator{line-height:1}:-moz-ui-invalid{box-shadow:none}button,input:where([type=button],[type=reset],[type=submit]){appearance:button}::file-selector-button{appearance:button}::-webkit-inner-spin-button{height:auto}::-webkit-outer-spin-button{height:auto}[hidden]:where(:not([hidden=until-found])){display:none!important}}@layer components;@layer utilities{.sr-only{clip-path:inset(50%);white-space:nowrap;border-width:0;width:1px;height:1px;margin:-1px;padding:0;position:absolute;overflow:hidden}.absolute{position:absolute}.static{position:static}.container{width:100%}@media (width>=40rem){.container{max-width:40rem}}@media (width>=48rem){.container{max-width:48rem}}@media (width>=64rem){.container{max-width:64rem}}@media (width>=80rem){.container{max-width:80rem}}@media (width>=96rem){.container{max-width:96rem}}.mx-auto{margin-inline:auto}.mt-1{margin-top:calc(var(--spacing) * 1)}.mt-2{margin-top:calc(var(--spacing) * 2)}.mt-3{margin-top:calc(var(--spacing) * 3)}.mt-4{margin-top:calc(var(--spacing) * 4)}.mt-6{margin-top:calc(var(--spacing) * 6)}.mb-6{margin-bottom:calc(var(--spacing) * 6)}.block{display:block}.flex{display:flex}.grid{display:grid}.inline-flex{display:inline-flex}.h-2{height:calc(var(--spacing) * 2)}.h-8{height:calc(var(--spacing) * 8)}.w-2{width:calc(var(--spacing) * 2)}.w-8{width:calc(var(--spacing) * 8)}.w-full{width:100%}.max-w-3xl{max-width:var(--container-3xl)}.cursor-pointer{cursor:pointer}.list-inside{list-style-position:inside}.list-decimal{list-style-type:decimal}.list-disc{list-style-type:disc}.grid-cols-1{grid-template-columns:repeat(1,minmax(0,1fr))}.flex-col{flex-direction:column}.items-center{align-items:center}.justify-between{justify-content:space-between}.justify-center{justify-content:center}.gap-2{gap:calc(var(--spacing) * 2)}.gap-3{gap:calc(var(--spacing) * 3)}:where(.space-y-1>:not(:last-child)){--tw-space-y-reverse:0;margin-block-start:calc(calc(var(--spacing) * 1) * var(--tw-space-y-reverse));margin-block-end:calc(calc(var(--spacing) * 1) * calc(1 - var(--tw-space-y-reverse)))}:where(.space-y-3>:not(:last-child)){--tw-space-y-reverse:0;margin-block-start:calc(calc(var(--spacing) * 3) * var(--tw-space-y-reverse));margin-block-end:calc(calc(var(--spacing) * 3) * calc(1 - var(--tw-space-y-reverse)))}:where(.space-y-4>:not(:last-child)){--tw-space-y-reverse:0;margin-block-start:calc(calc(var(--spacing) * 4) * var(--tw-space-y-reverse));margin-block-end:calc(calc(var(--spacing) * 4) * calc(1 - var(--tw-space-y-reverse)))}:where(.space-y-6>:not(:last-child)){--tw-space-y-reverse:0;margin-block-start:calc(calc(var(--spacing) * 6) * var(--tw-space-y-reverse));margin-block-end:calc(calc(var(--spacing) * 6) * calc(1 - var(--tw-space-y-reverse)))}.rounded{border-radius:.25rem}.rounded-full{border-radius:3.40282e38px}.rounded-lg{border-radius:var(--radius-lg)}.rounded-md{border-radius:var(--radius-md)}.rounded-xl{border-radius:var(--radius-xl)}.border{border-style:var(--tw-border-style);border-width:1px}.border-amber-300{border-color:var(--color-amber-300)}.border-red-300{border-color:var(--color-red-300)}.border-sky-600{border-color:var(--color-sky-600)}.border-slate-200{border-color:var(--color-slate-200)}.border-slate-300{border-color:var(--color-slate-300)}.bg-amber-50{background-color:var(--color-amber-50)}.bg-amber-100{background-color:var(--color-amber-100)}.bg-amber-500{background-color:var(--color-amber-500)}.bg-emerald-500{background-color:var(--color-emerald-500)}.bg-green-50{background-color:var(--color-green-50)}.bg-red-50{background-color:var(--color-red-50)}.bg-red-500{background-color:var(--color-red-500)}.bg-sky-600{background-color:var(--color-sky-600)}.bg-slate-50{background-color:var(--color-slate-50)}.bg-slate-300{background-color:var(--color-slate-300)}.bg-white{background-color:var(--color-white)}.bg-white\/80{background-color:#fffc}@supports (color:color-mix(in lab, red, red)){.bg-white\/80{background-color:color-mix(in oklab, var(--color-white) 80%, transparent)}}.p-2{padding:calc(var(--spacing) * 2)}.p-3{padding:calc(var(--spacing) * 3)}.p-4{padding:calc(var(--spacing) * 4)}.p-5{padding:calc(var(--spacing) * 5)}.px-1{padding-inline:calc(var(--spacing) * 1)}.px-3{padding-inline:calc(var(--spacing) * 3)}.px-4{padding-inline:calc(var(--spacing) * 4)}.px-5{padding-inline:calc(var(--spacing) * 5)}.py-1{padding-block:calc(var(--spacing) * 1)}.py-2{padding-block:calc(var(--spacing) * 2)}.py-3{padding-block:calc(var(--spacing) * 3)}.py-6{padding-block:calc(var(--spacing) * 6)}.text-center{text-align:center}.text-left{text-align:left}.font-mono{font-family:var(--font-mono)}.font-sans{font-family:var(--font-sans)}.text-2xl{font-size:var(--text-2xl);line-height:var(--tw-leading,var(--text-2xl--line-height))}.text-base{font-size:var(--text-base);line-height:var(--tw-leading,var(--text-base--line-height))}.text-lg{font-size:var(--text-lg);line-height:var(--tw-leading,var(--text-lg--line-height))}.text-sm{font-size:var(--text-sm);line-height:var(--tw-leading,var(--text-sm--line-height))}.text-xs{font-size:var(--text-xs);line-height:var(--tw-leading,var(--text-xs--line-height))}.font-medium{--tw-font-weight:var(--font-weight-medium);font-weight:var(--font-weight-medium)}.font-semibold{--tw-font-weight:var(--font-weight-semibold);font-weight:var(--font-weight-semibold)}.tracking-tight{--tw-tracking:var(--tracking-tight);letter-spacing:var(--tracking-tight)}.break-all{word-break:break-all}.text-amber-700{color:var(--color-amber-700)}.text-amber-800{color:var(--color-amber-800)}.text-amber-900{color:var(--color-amber-900)}.text-green-800{color:var(--color-green-800)}.text-red-800{color:var(--color-red-800)}.text-red-900{color:var(--color-red-900)}.text-sky-600{color:var(--color-sky-600)}.text-sky-700{color:var(--color-sky-700)}.text-slate-400{color:var(--color-slate-400)}.text-slate-500{color:var(--color-slate-500)}.text-slate-600{color:var(--color-slate-600)}.text-slate-700{color:var(--color-slate-700)}.text-slate-900{color:var(--color-slate-900)}.text-white{color:var(--color-white)}.italic{font-style:italic}.underline{text-decoration-line:underline}.shadow-sm{--tw-shadow:0 1px 3px 0 var(--tw-shadow-color,#0000001a), 0 1px 2px -1px var(--tw-shadow-color,#0000001a);box-shadow:var(--tw-inset-shadow), var(--tw-inset-ring-shadow), var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow)}@media (hover:hover){.hover\:bg-sky-50:hover{background-color:var(--color-sky-50)}.hover\:bg-sky-700:hover{background-color:var(--color-sky-700)}.hover\:bg-slate-50:hover{background-color:var(--color-slate-50)}}.focus\:border-sky-500:focus{border-color:var(--color-sky-500)}.focus\:ring-2:focus{--tw-ring-shadow:var(--tw-ring-inset,) 0 0 0 calc(2px + var(--tw-ring-offset-width)) var(--tw-ring-color,currentcolor);box-shadow:var(--tw-inset-shadow), var(--tw-inset-ring-shadow), var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow)}.focus\:ring-sky-500:focus{--tw-ring-color:var(--color-sky-500)}.focus\:ring-offset-2:focus{--tw-ring-offset-width:2px;--tw-ring-offset-shadow:var(--tw-ring-inset,) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color)}.focus\:outline-none:focus{--tw-outline-style:none;outline-style:none}.disabled\:cursor-not-allowed:disabled{cursor:not-allowed}.disabled\:bg-slate-300:disabled{background-color:var(--color-slate-300)}.disabled\:opacity-50:disabled{opacity:.5}@media (width>=40rem){.sm\:grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}.sm\:grid-cols-\[10rem_1fr\]{grid-template-columns:10rem 1fr}.sm\:py-10{padding-block:calc(var(--spacing) * 10)}}}@property --tw-space-y-reverse{syntax:"*";inherits:false;initial-value:0}@property --tw-border-style{syntax:"*";inherits:false;initial-value:solid}@property --tw-font-weight{syntax:"*";inherits:false}@property --tw-tracking{syntax:"*";inherits:false}@property --tw-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-shadow-color{syntax:"*";inherits:false}@property --tw-shadow-alpha{syntax:"<percentage>";inherits:false;initial-value:100%}@property --tw-inset-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-inset-shadow-color{syntax:"*";inherits:false}@property --tw-inset-shadow-alpha{syntax:"<percentage>";inherits:false;initial-value:100%}@property --tw-ring-color{syntax:"*";inherits:false}@property --tw-ring-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-inset-ring-color{syntax:"*";inherits:false}@property --tw-inset-ring-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-ring-inset{syntax:"*";inherits:false}@property --tw-ring-offset-width{syntax:"<length>";inherits:false;initial-value:0}@property --tw-ring-offset-color{syntax:"*";inherits:false;initial-value:#fff}@property --tw-ring-offset-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}