Automatic HTTPS with lets-encrypt?

The self-signed certificates are rather tiresome, for several reasons:

  • Extra work to make sure the certificate is trusted in all the right places. (Node, System, etc.)
  • Security risk. I’m installing openBalena on a client server, but for convenience I would like to have balena cli running on my laptop. This client has rather lousy security practices, so it’s quite likely that the https connections.
  • Open issues. Many of us are experiencing deploy errors which are caused by the untrusted certificate. (1, 2, 3)

Would the maintainers be open to a PR replacing the haproxy load balancer with caddy web server which automatically configures HTTPS using lets encrypt?


We appreciate that it is not ideal to only have self-signed certificates officially supported in openBalena. We are working in the background on a HAproxy-based container which would allow this autogeneration via an ACMEv2 provider, but it isn’t available at this time.

Thanks for the offer of contributing to the project; generally we are very open to PRs from the community for openBalena and any PRs will be responded to. I am not sure moving to Caddy would be desirable in this instance, since the issue you would find here is that port 443 is not being used exclusively for HTTPS/TLS traffic; it is also being split off for the VPN traffic which requires certain introspection, which I don’t think is supported in Caddy.

I don’t completely understand, but I’m glad to hear you appreciate the problem and are working on a solution. :+1:

I think Caddy and Haproxy could be used together. Haproxy would split off the VPN traffic but Caddy would handle the HTTPS routing.

I have PR’d a solution to the LetsEncrypt certificate requirement. It will need to go through review, but if you’re interested in taking a look you can find the PR here:

We may still make changes to this, so please don’t consider it to be final; I plan to make a post about how to utilise the changes once they are approved and merged.

1 Like

Awesome! Thanks for working on that.