#Where to place proxy.crt and proxy.key, rmfakecloud manual device setup

I've been trying to set up rmfakecloud manually without a proxy, but I don't know where I should place proxy.crt and proxy.key. It only explains what directory to place ca.crt in.
https://ddvk.github.io/rmfakecloud/remarkable/setup/#modify-device-etchosts

What are you using for a proxy? You shouldn’t need any of the actual end certs or keys on device, just the ca cert.

I thought I could skip a proxy and just edit the /etc/hosts file

You need a proxy somewhere

Doesn’t have to be on-device, but it has to be somewhere

At least.. I think you do

If you setup the device to trust the cert you don't need the proxy

Will rmfakecloud just respond to all the traffic that gets sent its way?

You’ll at least need rmfakecloud listening on 443 directly

Yes

exactly

This is a linux device, you'll need to just place it in the standard location for ca-trust

adn then call update-ca-trust extract I believe

so proxy.crt and proxy.key are just steps to get ca.crt and are therefore not needed?

a ca certificate is used to generate the actual certificate used by the server

So it's the opposite, you need the ca.crt to generate proxy.crt and proxy.key

And then those two go on rmfakecloud

In which dir should I place them?

What steps are you following to setup rmfakecloud's server?

These https://ddvk.github.io/rmfakecloud/remarkable/setup/#modify-device-etchosts

That's not the server

That's the device

Have you setup the rmfakecloud server anywhere yet?

docker

well, in my case podman using the docker image

localhost:3000

Set the TLS_CERT and TLS_KEY environment variables to point to where you bind mount the files

And localhost will not work from your rM, you'll have to provide the ip address it can reach your machine at

and port 3000 will also not work

it'll need to be port 443

Unless you put a proxy in front of it, in which case, ignore the TLS_CERT and TLS_KEY environment variables and setup the proxy's certificate

Can't I specify the port in the /etc/hosts file on the rm?

No

Hosts is just DNS

The hosts file format is <ip> <hostname> [<hostname>...]

so my rmfakecloud container should have a different ip if I didn't want to have it using my computer's 443 port

Another reason proxies are nice. They let you overload ip addressss cause they look at the host headers

Do you generate the key and certs on the host or on the device?

Wherever you’ve got OpenSSL

The place you generate them doesn’t matter

The rM never needs to know about the end cert/key

The ca.crt is only needed for the client apps and the device if I'm correct

Yep, cause it’ll say “I made rmfakecloud’s cert and you trust me”

Well more accurately, rmfakecloud’s cert is will say “I was made by ca.crt” and your device trusts the ca.crt

Is this all right?

root@reMarkable:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

I got a warning about skipping

Looks good to me

I got worried about the skipping part. Also, according to the documentation I have now to add the env variable STORAGE_URL=https://local.appspot.com to the server. Does the URL need to point to something specific or do I just add it as is? I changed the TLS_CERT and TLS_KEY environment variables to point to my respective files

I believe it defaults to that

It seems that I did not the set the variables right. I can't run the server with

TLS_KEY=/path-to-file/proxy.key
TLS_CERT=/path-to-file/proxy.crt
STORAGE_URL=https://local.appspot.com

as my env variables

What error do you get?

it happens whenever I add the env variables

but these logs aren't descriptive. I get the container removed right after it is stopped, so I can't check podman logs rmfakecloud

if I mount my fails at /something/data, do I have to use the variables as

TLS_CERT=/something/data/proxy.cert
TLS_KEY=/something/data/proxy.key

?

Yes

It's the path inside the container

inside the container?
Like /something/data:/data
the one on the right?

The one on the right

the container cannot access the host system, so where it is on the host system is not the value to use in the env variable

you need the path that the container can access

Now it works. But just with http, I thought this setup guaranteed https

I'm not sure I understand, xochitl will use https to connect

Have you exposed the 8883 port

I guess that's the MQTT port, not https

Yeah that’s mqtt for screenshare

As this setup isn't one that's actually documented, I'm taking a look at the source to see if it's actually going to server https

I had to swap my ingress backend protocol to https when I setup mqtt since mqtt/https use the same cert

That's what I thought

I do see tls configuration being setup for the certificate

and it would then start a https server instead of a http server

@idle island What does the rmfakecloud logs say when it is starting up?

I'm not seeing the startup logs here, just randomly in the middle

Oh wait, I misread

Yeah it also leaked some things you don't want to leak

It's not loading the certificate though

I restarted everything

podman logs rmfakecloud
time="2025-12-12T23:17:04Z" level=warning msg="The authentication will fail the next time you start the server!"
time="2025-12-12T23:17:04Z" level=warning msg="JWT_SECRET_KEY was not set! The following was autogenerated"
time="2025-12-12T23:17:04Z" level=warning msg="JWT_SECRET_KEY=nothing"
time="2025-12-12T23:17:04Z" level=warning msg="RM_HTTPS_COOKIE is not set, use only when not using https!"
time="2025-12-12T23:17:04Z" level=warning msg="smtp not configured, no emails will be sent"
time="2025-12-12T23:17:04Z" level=info msg="if you want HWR, provide the myScript applicationKey in: RMAPI_HWR_APPLICATIONKEY"
time="2025-12-12T23:17:04Z" level=info msg="provide the myScript hmac in: RMAPI_HWR_HMAC"
time="2025-12-12T23:17:04Z" level=info msg="Version: v0.0.26"
time="2025-12-12T23:17:04Z" level=info msg="Data: /data"
time="2025-12-12T23:17:04Z" level=info msg="Listening on port: 3000"
time="2025-12-12T23:17:04Z" level=info msg="Using plain HTTP"

So it's using plain HTTP instead of HTTPS

You'll want to remove the secrets from that log

maybe because I didn't change the port yet?

There is no TLS certificates configured line

Port wouldn't matter here

it's not loading the TLS certificate

Go check to make sure that you can find and read the files inside the containers at the paths you specified

Kinda tough with this container cause it’s from scratch

so I think it is because I forgot to add the STORAGE_URL variable, now it works

firefox doesn't trust this much though

Firefox may not use the system cert store, I can’t remember

You need to add the ca cert to Firefox’s trusted root cert store

root@reMarkable:~# mkdir -p /usr/local/share/ca-certificates
root@reMarkable:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@reMarkable:~# cat /etc/hosts
127.0.0.1    localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 reMarkable

# rmfakecloud
192.168.1.135 hwr-production-dot-remarkable-production.appspot.com
192.168.1.135 service-manager-production-dot-remarkable-production.appspot.com
192.168.1.135 local.appspot.com
192.168.1.135 my.remarkable.com
192.168.1.135 ping.remarkable.com
192.168.1.135 internal.cloud.remarkable.com
192.168.1.135 eu.tectonic.remarkable.com
192.168.1.135 backtrace-proxy.cloud.remarkable.engineering
192.168.1.135 dev.ping.remarkable.com
192.168.1.135 dev.tectonic.remarkable.com
192.168.1.135 dev.internal.cloud.remarkable.com
192.168.1.135 eu.internal.tctn.cloud.remarkable.com


root@reMarkable:~# ping  my.remarkable.com
PING my.remarkable.com (192.168.1.135): 56 data bytes
64 bytes from 192.168.1.135: seq=0 ttl=64 time=3.643 ms
64 bytes from 192.168.1.135: seq=1 ttl=64 time=6.884 ms
64 bytes from 192.168.1.135: seq=2 ttl=64 time=6.868 ms
64 bytes from 192.168.1.135: seq=3 ttl=64 time=6.539 ms
64 bytes from 192.168.1.135: seq=4 ttl=64 time=6.658 ms
64 bytes from 192.168.1.135: seq=5 ttl=64 time=6.885 ms
64 bytes from 192.168.1.135: seq=6 ttl=64 time=6.710 ms
^C
--- my.remarkable.com ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 3.643/6.312/6.885 ms
root@reMarkable:~# ls /usr/local/share/ca-certificates
ca.crt

I tried syncing, but it didn't work. I added the ca.crt file via sftp in case you wonder why it doesn't seem like I have placed it.

And your container is reachable on 443 now?

oh, my bad

when I change the host port to 443, like 443:3000, it fails. I saw in the documentation that there was an env variable to change the port, I don't know if that might have to do

Changing the port bound on the host is enough

if you change the port that it hosts on internally, you have to change which port you bind on

What is the failure you encounter when you rebound the port? Was it failing to start the container, or was it just still failing to connect the device to rmfakecloud

to start the container

Depending on your OS, you might have to fiddle with stuff to bind to privileged ports (under 1024)

I'm on Fedora Workstation 43

rootful podman?

Failed to bind port 443 (Permission denied) for option '-t 443-443:3000-3000'

I found that line

rootless

Probably your best bet would be to still bind to port 3000, and redirect the 443 port to it with firewalld

sudo firewall-cmd --direct --add-rule ipv4 nat OUTPUT 0 -p tcp --dport=443 -o lo -j REDIRECT --to-port=3000

I added that rule and the equivalent for ipv6, too, but it is still not working

I mean

the sync

container is running fine and reachable from the browser

on both 3000 and 443 ports

is it reachable by another machine too?

3000 port is reachable but not 443 from another machine's browser on my LAN

That would probably be why

You probably need to add another rule to allow it with your firewall

Oh

The command I gave you does seem to bind just to lo

I don't know enough about firewall-cmd to know offhand the syntax to know if -o lo is just for the target interface or the source

I lowered the unprivileged port number so I can bind to 443 directly just for testing

I still can't sync somehow

and I am running the container in port 443

and it is reachable from other devices' browsers

Do I have to reboot the reMarkable or something?

What OS version?

3.24

Try adding webapp-prod.cloud.remarkable.engineering to /etc/hosts

Although you might be encountering https://github.com/ddvk/rmfakecloud/issues/408

Assuming the issue is that 3.24.0 syncing is broken

different message

now that I added that line

"The connection to our servers is not secure. Please try again, or connect to a different Wi-Fi."

I thought I had added the ca.crt?

Did you ever validate it?

I ran this update-ca-certificates. Is that what you mean by "validate"?

No

I meant validate that it was added

and working

How should I do it?

openssl verify cert.pem will verify if the pem file was created with a trusted ca

Do I run that from the same dir as my ca.cert?

No

Your ca is installed in the system

you are checking to see if the system trusts the ca or not

root@reMarkable:~# openssl verify cert.pem 
Could not open file or uri for loading certificate file from cert.pem: No such file or directory

cert.pem needs to exist

so use the path to cert.pem

I guess you've actually called it proxy.cert?

yes

no

ca.crt

for the one on the device

No, that's a different thing

the certificate authority (ca) is the key used to generate the certificate used by the server

You are validating that your device trusts the certificate used by the server, because you've installed the ca to your device as a trusted certificate

I have proxy.crt on my server

Okay, you need the public certificate on your device so you can check to see if it's trusted

Where do I add it?

any folder?

Yes, any folder. I recommend in /tmp or /home as you will be removing it after you are done

I have both proxy.crt and ca.crt on my server, in case I can also verify from there

You can't verify from your server

Your server is not your device, which is what you are verifying

/home/root/ ?

Any folder

not working yet

same message

That would be because the file you copied accross is not named cert.pem

change the command to use the path to the file

root@reMarkable:~# openssl verify proxy.crt
proxy.crt: OK

It's trusted

You can remove the file from your device now

Is this from the logs, or from the UI?

UI

Does the logs give you any other information

what command for rm's logs?

journalctl -fau xochitl will follow the main application's logs

journalctl -fau rm-sync for the sync engine

It does give more information

oh, I think I must generate the cert again while adding that line to the config

What line?

I'm seeing the correct subjects

The issuer certificate of a locally looked up certificate could not be found

Something about the certificate setup is incorrect

when making the cert, I had a file created by this command

cat <<EOF > csr.conf
[ req ]
default_bits = 2048
default_keyfile = proxy.key
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
distinguished_name = dn
req_extensions = ext
x509_extensions = caext

[ dn ]
C = AA
ST = QQ
L = JJ
O  = the culture
CN = *.appspot.com

[ ext ]
subjectAltName=@san
basicConstraints=CA:FALSE
subjectKeyIdentifier = hash


[ caext ]
subjectAltName=@san

[ san ]
DNS.1 = *.appspot.com
DNS.2 = *.remarkable.com
DNS.3 = *.cloud.remarkable.com
DNS.4 = *.cloud.remarkable.engineering
DNS.5 = *.rmfakecloud.localhost
DNS.6 = *.internal.cloud.remarkable.com
DNS.7 = *.tectonic.remarkable.com
DNS.8 = *.ping.remarkable.com
DNS.9 = *.internal.tctn.cloud.remarkable.com
EOF

I'm thinking of adding another entry for DNS.10 and the line for web...
But I just realised that DNS.4 must emcompass that

Is that for the place of ca.crt?

That's the error message from the logs you posted

Is the ca.crt the same one that you used to generate the certificate used by rmfakecloud?

yes

and you've placed it in /usr/local/share/ca-certificates on the device?

I see logs of you running update-ca-certificates, but not of it being put into the folder

it is in the folder

I placed it with nautilus via sftp

has xochitl been restarted since you've done this?

I don't think so

I don't think it's required, but still good to test

alright, restart it: systemctl restart xochitl

maybe rm-sync too

nice

it synced

I wonder whether I'll have the same problems as the other github issue

If you do, please add a comment to the issue

I don't seem to have issues syncing at least by adding new documents. I even restarted the device to check.

Added another document and still no issues

Do I add a reply to that GitHub issue so people have an easier time reproducing the mistake? I suppose it might be their rmfakecloud's version

Probably best to leave it for now

I'm still waiting on their next reply

How do I check my rmfakecloud's version?

I blocked the pull, so I don't know if I'm running 0.0.27 or 0.0.26

Compare the image id

Given that now a new line is needed for the hosts, that github issue might be what your pull request is after

The user in the issue does have the new line in the hosts file though

So I'm not sure

this is my image ID: 379734319d78. What do I compare it against?

The one in dockerhub

It says 6 weeks old so I assume it is older than 0.0.27.

is it the sha thing?

That's the digest

Where is the ID?

I guess it's not visible, you can check your digest then instead

it's 3am so I will not be responding while I'm asleep