Ssl – Trusted SSL in internal network without internet access

Tags: backend, domain-name-system, linux-networking, ssl, wifi

I have a Raspberry Pi 3 as a router for a WiFi network.
It can be without internet access.
I am running the backend for an Android/iOS app on this Raspberry.
I want to have the frontend connected through SSL to exclude any spying by other people connected to this WiFi.

Issues:

  1. Android/iOS don't let me connect to SSL with a self-signed certificate.
  2. I can solve it by creating my own CA and loading it onto the phones, but every person who wants to use my app would have to download the CA and load it. (That's kinda frustrating…)
  3. It can probably be fixed by buying a certificate (or using LE, but it can fail sometimes, because I will be deploying thousands of Raspberries… hard to manage them then).
  4. I don't have a domain for that Raspberry. I can add it to my DNS server, but it would be unreachable without an internet connection.
  5. So I can make a DNS server on the Raspberry with bind9 to collect other entries except my domain.

Is it so extremely hard? Is there no easier approach?
Something like WiFi with SSL?

Best Answer

You have two options:

  • roll your own CA
  • get a domain and get certificates (i.e. from letsencrypt) for subdomains which have A records on the internet pointing to an online server and A records pointing to LAN devices in your LAN DNS. Then copy the certificates from your internet server. You may be able to use global A records with LAN IPs when you use the letsencrypt dns-01 method, but I did not test this.
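The first option in this answer (roll your own CA) in concrete form, as an added example that is not part of the original post: a POSIX shell script that uses the `openssl` CLI to create a private root CA, issue a server certificate for the Raspberry Pi, and verify the chain the way a client would. The hostname `backend.lan`, the LAN address `192.168.4.1`, and the CA name are constructed assumptions; the `WORK` directory is a scratch location. Only `ca.crt` is distributed to phones; `ca.key` stays offline, and each Pi gets its own leaf key pair signed by it.

```shell
#!/bin/sh
# Added example (not from the original post): minimal private CA for a
# LAN-only backend. Names and addresses below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keys and certs
CA_SUBJ="/CN=Example LAN Root CA"     # constructed CA name
SRV_NAME="backend.lan"                # assumed LAN hostname of the Pi
SRV_IP="192.168.4.1"                  # assumed LAN address of the Pi

make_ca() {
  # Root key plus self-signed CA certificate. `openssl req -x509` marks it
  # CA:TRUE by default, so one root can sign a leaf for every Pi.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "$CA_SUBJ" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_server_cert() {
  # Leaf certificate. The subjectAltName must carry the exact name and IP
  # clients connect to; Android/iOS ignore the CN and reject a missing SAN
  # even when the root is trusted.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$SRV_NAME" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  cat > "$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$SRV_NAME,IP:$SRV_IP
EOF
  openssl x509 -req -sha256 -days 825 \
    -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

verify_for_host() {
  # Exit 0 only if server.crt chains to ca.crt AND its SAN matches $1,
  # which is the same two-part check a TLS client performs.
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

verify_for_ip() {
  # Same check, but against an IP SAN instead of a DNS name.
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

make_ca
make_server_cert
verify_for_host "$SRV_NAME" && echo "server.crt trusted for $SRV_NAME via ca.crt"
verify_for_ip "$SRV_IP" && echo "server.crt trusted for $SRV_IP via ca.crt"
echo "install $WORK/ca.crt on clients; keep $WORK/ca.key offline"
```

The two verify functions show why a name mismatch, not only an untrusted root, makes the phone refuse the connection: the leaf validates for `backend.lan` and `192.168.4.1` but fails for any other name, so whatever the app connects to (the bind9 name or the Pi's address) must appear in the SAN list.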