Added BigBearCasaOS Installer to BigBearScripts

How to Fix SSL Certificate Issues in CasaOS Installer

SSL certificate issues can be frustrating when trying to install software packages. In this guide, I’ll share a solution for working around SSL certificate problems in the CasaOS installer without completely compromising security. Plus, the installer now includes smarter Docker checks, more reliable IP address detection, and several improvements over the official installer.

The Problem

When installing CasaOS, you might encounter errors like:

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it.

This typically happens when:

  1. The certificate for get.casaos.io has expired
  2. Your system’s CA certificates are outdated
  3. There’s an issue with your network configuration

The Smart Solution

Rather than completely disabling SSL verification (which would be a security risk), I’ve created a smarter approach that:

  • Automatically checks if the get.casaos.io certificate is valid in your environment
  • Only bypasses verification for problematic domains if necessary
  • Uses the official installer when possible, falling back to direct downloads when needed
  • Detects Docker installed via Snap and lets you remove it safely
  • Shows all valid IP addresses for accessing CasaOS, even on systems with multiple network interfaces

The Modified Installer

My modified installer script:

  1. Tests certificate validity before proceeding
  2. Only shows security warnings when certificate issues are detected
  3. Uses a targeted approach to SSL bypass, only disabling verification where needed
  4. Falls back to direct downloads for Rclone when certificates are problematic
  5. Detects if Docker is installed with Snap, and prompts you to remove it with your confirmation before proceeding. This prevents conflicts and ensures CasaOS can use Docker reliably.
  6. Uses a more robust method to detect your system’s IP addresses, scanning all physical network interfaces and filtering out irrelevant or loopback addresses. This helps you find the correct address to access your CasaOS dashboard, even in complex network setups.

How to Use It

  1. Run the installer:
    bash -c "$(wget -qLO - https://raw.githubusercontent.com/bigbeartechworld/big-bear-scripts/master/install-casaos/run.sh)"
    

The script will automatically detect if you have certificate issues and handle them appropriately. If your certificates are valid, it will use the standard secure installation method. If certificate issues are detected, you’ll be prompted with a security warning before proceeding with the modified installation path.

If Docker is detected as installed via Snap, you’ll see a prompt like:

Docker is installed via Snap, which can cause issues with CasaOS.
Would you like to uninstall the Snap version of Docker and install the official Docker package instead?
[Yes/No]

If you choose “Yes,” the script will safely remove the Snap package and proceed with the recommended installation.

After installation, the script will output all valid IP addresses for accessing CasaOS, for example:

- http://192.168.1.100 (eth0)
- http://192.168.1.101 (wlan0)

BigBearCasaOS Installer vs. CasaOS Installer

Here’s how the BigBearCasaOS Installer differs from the official CasaOS Installer:

Feature/Behavior CasaOS Installer (Official) BigBearCasaOS Installer (BigBearTechWorld)
SSL Certificate Handling Fails if SSL cert (e.g., get.casaos.io) is expired or invalid; no built-in bypass Detects cert validity; only bypasses SSL verification when strictly needed
User Warnings for SSL Bypass No warnings or user consent; fails on cert errors Warns user, requests explicit consent before bypassing SSL
Docker Snap Detection No detection; may fail or conflict if Docker installed via Snap Detects Docker Snap; prompts user to remove Snap-based Docker safely
Docker Installation Installs Docker if missing, but does not handle Snap conflicts Installs official Docker, ensures Snap version is removed if user agrees
Rclone Installation Downloads Rclone via CasaOS mirrors (which may fail if SSL is broken) Falls back to direct Rclone download with SSL bypass if needed
IP Address Detection Tries to show system IP, but may miss interfaces or show only one IP Scans all physical interfaces, filters out loopback/IPv6, shows all valid IPs
Country/Region Detection Uses curl to ipconfig.io/ifconfig.io, but fails if SSL is broken Uses curl with SSL bypass if needed, improving reliability
Dependency Installation Installs required packages Same, but with improved error handling and feedback
User Interaction Minimal, mostly non-interactive More interactive: asks for confirmation on key actions (e.g., Docker removal)
Security Approach Fails hard on SSL errors or expects user to run with -k (insecure) Secure by default; only disables SSL checks per-domain and with user consent
Community Support Maintained by IceWhaleTech Maintained by BigBearTechWorld; community-driven additions and fixes

Notable Enhancements in BigBearCasaOS Installer

  • Smart SSL Handling:
    Automatically detects SSL certificate issues and only disables verification for specific, problematic domains. Users are warned and must confirm before proceeding insecurely.

  • Docker Snap Conflict Resolution:
    If Docker is installed via Snap (which can cause permission and compatibility issues), the installer detects this and offers to uninstall the Snap version, then installs the official Docker package for maximum compatibility.

  • Reliable IP Address Display:
    At the end of installation, the script enumerates all valid IPv4 addresses across physical network interfaces, ensuring users know exactly how to access their CasaOS instance-even on complex or multi-interface systems.

  • Improved User Experience:
    More robust prompts and feedback throughout the install process, with clear guidance and error messages.

  • Fallbacks for Key Components:
    If official mirrors or SSL fail, the installer uses alternative download methods, ensuring installation completes even during upstream outages or certificate lapses.


Security Considerations

This approach is much safer than simply disabling SSL verification for all downloads because:

  • It only disables verification when absolutely necessary
  • It only affects specific problematic domains
  • It warns users when certificate bypassing is needed
  • It requires explicit consent before proceeding with bypassing
  • It prevents Docker Snap conflicts by asking before uninstalling
  • It avoids confusion by reliably listing all network access points

Technical Details

For those interested in the technical aspects, the script:

  • Uses curl to test if the get.casaos.io certificate validates
  • Sets a NEED_SSL_BYPASS flag based on test results
  • Conditionally adds --no-check-certificate to wget commands and -k to curl commands only when needed
  • Has a fallback direct-download method for Rclone that doesn’t rely on the installer script
  • Checks for Docker installed via Snap and prompts for removal
  • Enumerates all physical network interfaces to display all valid IPv4 addresses

Conclusion

This approach solves SSL certificate issues while maintaining security best practices. Rather than a blanket disabling of certificate verification, it uses targeted bypassing only when necessary, and only for specific domains known to have certificate issues. The script also prevents Docker Snap conflicts and ensures you can find the correct IP address for your CasaOS dashboard.

Feel free to examine the script before running it.


If you found this helpful, consider supporting me at Ko-fi.

1 Like