The self-signed certificates are rather tiresome, for several reasons:
Extra work to make sure the certificate is trusted in all the right places. (Node, System, etc.)
Security risk. I’m installing openBalena on a client server, but for convenience I would like to have balena cli running on my laptop. This client has rather lousy security practices, so it’s quite likely that the https connections.
Open issues. Many of us are experiencing deploy errors which are caused by the untrusted certificate. (1, 2, 3)
Would the maintainers be open to a PR replacing the HAProxy load balancer with the Caddy web server, which automatically configures HTTPS using Let’s Encrypt?
We appreciate that it is not ideal to only have self-signed certificates officially supported in openBalena. We are working in the background on a HAproxy-based container which would allow this autogeneration via an ACMEv2 provider, but it isn’t available at this time.
Thanks for the offer of contributing to the project; generally we are very open to PRs from the community for openBalena and any PRs will be responded to. I am not sure moving to Caddy would be desirable in this instance, since the issue you would find here is that port 443 is not being used exclusively for HTTPS/TLS traffic; it is also being split off for the VPN traffic which requires certain introspection, which I don’t think is supported in Caddy.
I have PR’d a solution to the Let’s Encrypt certificate requirement. It will need to go through review, but if you’re interested in taking a look you can find the PR here: https://github.com/balena-io/open-balena/pull/38
We may still make changes to this, so please don’t consider it to be final; I plan to make a post about how to utilise the changes once they are approved and merged.