I have created a node-red dashboard using a template node that is able to scan a QR code.
When I access the dashboard in Chrome from my iPhone (connected to the same LAN) and click on the button "Request Camera Permissions", it gives the error "unable to query supported devices" (see screenshot).
The problem is that for mobile devices it seems that browsers are not allowed to access the camera for http sites.
I was able to fix this problem by accessing the dashboard via an https site as follows:
1. Set up https access to my node-red using traefik (reverse proxy), but the https certificate stuff only works if the URL is a public URL. (so a LAN ). So for this I had to
2. Create a public domain name that routes to my home router
3. Open port 443 on my home router and map it to my traefik service.
Is there actually an easier way to get access to my camera on a mobile device (connected to the same home LAN) without requiring me to open my home network (steps 2 and 3) ?
You need a trusted CA cert to sign a cert for whatever is hosting the dashboard.
1. Use letsencrypt with the DNS challenge to issue a certificate for a hostname. The DNS can return a private IP address, so even though the hostname is public, access to the machine will not be. This is complicated to do without hosting your own DNS server (it may be possible with DNS hosting services that have APIs, but they may not let you assign RFC1918 IP addresses to public hostnames).
2. Install a custom profile on the iPhone that contains a private CA certificate that you use to sign a certificate for the dashboard host.
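Option 2 from the answer above, sketched with the openssl command line as an added example (not part of the original thread). The function names, the CA name and the hostname `nodered.home.example` are constructed for illustration; 192.168.1.31 is the LAN address mentioned later in the thread.

```shell
#!/bin/sh
# Added example: private root CA plus a server certificate for a LAN dashboard.
set -eu

# make_lan_cert DIR HOST IP -> writes ca.crt/ca.key and leaf.crt/leaf.key into DIR
make_lan_cert() {
  dir=$1; host=$2; ip=$3
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Home LAN Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat > "$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:$ip
EOF
  # Root CA: ca.crt is the only file that goes to the phones; ca.key stays offline.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Leaf key + CSR for the reverse proxy / Node-RED host.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/leaf.cnf" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  # Sign it. iOS 13+ rejects server certs without a SAN or serverAuth EKU,
  # or valid for more than 825 days, so keep the lifetime short.
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 397 -extfile "$dir/leaf.cnf" \
    -extensions v3_leaf -out "$dir/leaf.crt" 2>/dev/null
}

# check_lan_cert DIR HOST IP -> exit status 0 only if the chain and both names verify
check_lan_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/leaf.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$1/ca.crt" -verify_ip "$3" "$1/leaf.crt" >/dev/null 2>&1
}

if [ "$#" -eq 3 ]; then make_lan_cert "$@"; check_lan_cert "$@"; fi
```

On iOS, a manually installed root must also be switched on under Settings > General > About > Certificate Trust Settings before Safari or Chrome will accept certificates it signed.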
Regarding option 1: DNS is returning a private IP address for an existing public
My home modem is pretty locked up. I have only a user password for it (not an admin) and have no way to configure its DNS server or specify which DNS server IP address the DHCP server should return.
... and of course if I could do this: I admit that it is a bit too complicated setup for me for just being able to access my camera
Regarding option 2: using private CA
For me the biggest issue with this is that a custom profile containing a private CA needs to be installed on all mobile devices (which is not a fixed list) that I want to access the dashboard.
... maybe I need to check if there is an easy way to do this (e.g. by downloading it from a site that is also provisioned by node-red).
Option 1:
It's not a case of which DNS server your network (probably supplied by your router) uses to look up IP addresses, it's a case of needing access to the DNS that hosts a domain you own.
Option 2:
I would be very surprised if Apple don't insist on any site serving up a profile would have to also be over a trusted HTTPS connection, which is a chicken/egg problem
Option 1 is maybe not that complicated. So, I need to look for a free dynamic DNS provider that allows me to specify a private IP address for a public hostname.
Dyn-DNS will not work for using DNS-01 Letsencrypt challenges, you need to buy a domain and have it hosted somewhere that will let you create TXT records via an API.
https://www.changeip.com/ allows me to specify a private IP address for a public hostname without a cost
... but I cannot create TXT records - is it really needed that a TXT record must be created ?
Yes, you need to be able to create a TXT record to use the DNS-01 challenge to get a letsencrypt certificate.
Otherwise you have to use the HTTP-01 challenge, but this requires you to open up the host to the internet which was the point you were trying to avoid.
Just tested my above change (= using private IP address 192.168.1.31 instead of my public IP address of my home modem) and accessing dashboard via https is working from my macbook but not from my iphone (ERR_NAME_NOT_RESOLVED) also http access from iphone was not working with same error.
It seems that my iphone is not accepting that a public hostname is resolved to private IP address.
I know you are not looking for this, but I use this a lot and maybe it can help you too.
With Siri shortcuts you can scan and get the scanned code with an http get node.
here is the shortcuts flow
Yes, the node-red dashboard opened on your iphone (I guess same for android phone) is not allowed to access its camera for a http site. The site you are accessing must be secure (https) if you want to access your camera.
It is not easy but with a reverse proxy, using a free public hostname, some router (= your home modem that is connecting to the internet) mapping you can secure access (= https) to the node-red UI.
Just checked it for http://cert.n4l.co.nz/ and I could download this CA using my safari browser on my iphone which I then can install (I didn't do that) via my iphones settings menu as is also described on that site.
Does Apple even allow installing private root CA certs? It's a hassle even on Android, if you haven't rooted your phone.
I have been using my own root CA for my intranet stuff for ages, but I also run an internal DNS server for my own private top-level domain. So no external services are required. The root CA is installed on all devices, works like a charm.
If you want to manage your own root CA, I can recommend XCA.
I didn't go as far as actually installing the root CA but the instructions on http://cert.n4l.co.nz/ seem to be working fine. It also describes the instructions for installing the CA for android device (no need to root it).
I know that you can install it into the user's root certificate store on Android, but that has implications. It forces you to setup a lock screen with pin or password on most devices. For tablets/phones solely used at home for control/dashboard purposes, this is annoying.
And on restrictive devices like Amazon Fire Tabs it doesn't seem to be working reliably at all. But that is another story.
Just added the address as an insecure origin on the device and it's working now... I know it is not the best way to go, but I prefer to skip the security on the device so I can finish the other features that I am working on, and take care of the SSL cert in the future.