How to Fix SSL Certificate Issues in CasaOS Installer
SSL certificate issues can be frustrating when trying to install software packages. In this guide, I’ll share a solution for working around SSL certificate problems in the CasaOS installer without completely compromising security. Plus, the installer now includes smarter Docker checks, more reliable IP address detection, and several improvements over the official installer.
The Problem
When installing CasaOS, you might encounter errors like:
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it.
This typically happens when:
- The certificate for get.casaos.io has expired
- Your system’s CA certificates are outdated
- There’s an issue with your network configuration
The Smart Solution
Rather than completely disabling SSL verification (which would be a security risk), I’ve created a smarter approach that:
- Automatically checks if the get.casaos.io certificate is valid in your environment
- Only bypasses verification for problematic domains if necessary
- Uses the official installer when possible, falling back to direct downloads when needed
- Detects Docker installed via Snap and lets you remove it safely
- Shows all valid IP addresses for accessing CasaOS, even on systems with multiple network interfaces
The Modified Installer
My modified installer script:
- Tests certificate validity before proceeding
- Only shows security warnings when certificate issues are detected
- Uses a targeted approach to SSL bypass, only disabling verification where needed
- Falls back to direct downloads for Rclone when certificates are problematic
- Detects if Docker is installed with Snap, and prompts you to remove it with your confirmation before proceeding. This prevents conflicts and ensures CasaOS can use Docker reliably.
- Uses a more robust method to detect your system’s IP addresses, scanning all physical network interfaces and filtering out irrelevant or loopback addresses. This helps you find the correct address to access your CasaOS dashboard, even in complex network setups.
How to Use It
- Run the installer:
bash -c "$(wget -qLO - https://raw.githubusercontent.com/bigbeartechworld/big-bear-scripts/master/install-casaos/run.sh)"
The script will automatically detect if you have certificate issues and handle them appropriately. If your certificates are valid, it will use the standard secure installation method. If certificate issues are detected, you’ll be prompted with a security warning before proceeding with the modified installation path.
If Docker is detected as installed via Snap, you’ll see a prompt like:
Docker is installed via Snap, which can cause issues with CasaOS.
Would you like to uninstall the Snap version of Docker and install the official Docker package instead?
[Yes/No]
If you choose “Yes,” the script will safely remove the Snap package and proceed with the recommended installation.
After installation, the script will output all valid IP addresses for accessing CasaOS, for example:
- http://192.168.1.100 (eth0)
- http://192.168.1.101 (wlan0)
BigBearCasaOS Installer vs. CasaOS Installer
Here’s how the BigBearCasaOS Installer differs from the official CasaOS Installer:
Feature/Behavior | CasaOS Installer (Official) | BigBearCasaOS Installer (BigBearTechWorld) |
---|---|---|
SSL Certificate Handling | Fails if SSL cert (e.g., get.casaos.io) is expired or invalid; no built-in bypass | Detects cert validity; only bypasses SSL verification when strictly needed |
User Warnings for SSL Bypass | No warnings or user consent; fails on cert errors | Warns user, requests explicit consent before bypassing SSL |
Docker Snap Detection | No detection; may fail or conflict if Docker installed via Snap | Detects Docker Snap; prompts user to remove Snap-based Docker safely |
Docker Installation | Installs Docker if missing, but does not handle Snap conflicts | Installs official Docker, ensures Snap version is removed if user agrees |
Rclone Installation | Downloads Rclone via CasaOS mirrors (which may fail if SSL is broken) | Falls back to direct Rclone download with SSL bypass if needed |
IP Address Detection | Tries to show system IP, but may miss interfaces or show only one IP | Scans all physical interfaces, filters out loopback/IPv6, shows all valid IPs |
Country/Region Detection | Uses curl to ipconfig.io/ifconfig.io, but fails if SSL is broken | Uses curl with SSL bypass if needed, improving reliability |
Dependency Installation | Installs required packages | Same, but with improved error handling and feedback |
User Interaction | Minimal, mostly non-interactive | More interactive: asks for confirmation on key actions (e.g., Docker removal) |
Security Approach | Fails hard on SSL errors or expects user to run with -k (insecure) |
Secure by default; only disables SSL checks per-domain and with user consent |
Community Support | Maintained by IceWhaleTech | Maintained by BigBearTechWorld; community-driven additions and fixes |
Notable Enhancements in BigBearCasaOS Installer
-
Smart SSL Handling:
Automatically detects SSL certificate issues and only disables verification for specific, problematic domains. Users are warned and must confirm before proceeding insecurely. -
Docker Snap Conflict Resolution:
If Docker is installed via Snap (which can cause permission and compatibility issues), the installer detects this and offers to uninstall the Snap version, then installs the official Docker package for maximum compatibility. -
Reliable IP Address Display:
At the end of installation, the script enumerates all valid IPv4 addresses across physical network interfaces, ensuring users know exactly how to access their CasaOS instance-even on complex or multi-interface systems. -
Improved User Experience:
More robust prompts and feedback throughout the install process, with clear guidance and error messages. -
Fallbacks for Key Components:
If official mirrors or SSL fail, the installer uses alternative download methods, ensuring installation completes even during upstream outages or certificate lapses.
Security Considerations
This approach is much safer than simply disabling SSL verification for all downloads because:
- It only disables verification when absolutely necessary
- It only affects specific problematic domains
- It warns users when certificate bypassing is needed
- It requires explicit consent before proceeding with bypassing
- It prevents Docker Snap conflicts by asking before uninstalling
- It avoids confusion by reliably listing all network access points
Technical Details
For those interested in the technical aspects, the script:
- Uses curl to test if the get.casaos.io certificate validates
- Sets a
NEED_SSL_BYPASS
flag based on test results - Conditionally adds
--no-check-certificate
to wget commands and-k
to curl commands only when needed - Has a fallback direct-download method for Rclone that doesn’t rely on the installer script
- Checks for Docker installed via Snap and prompts for removal
- Enumerates all physical network interfaces to display all valid IPv4 addresses
Conclusion
This approach solves SSL certificate issues while maintaining security best practices. Rather than a blanket disabling of certificate verification, it uses targeted bypassing only when necessary, and only for specific domains known to have certificate issues. The script also prevents Docker Snap conflicts and ensures you can find the correct IP address for your CasaOS dashboard.
Feel free to examine the script before running it.
If you found this helpful, consider supporting me at Ko-fi.