PSA: open-balena certificates expiration management

Hi @AndreaAlgeri

You can renew the certificates easily enough.

This is a procedure I documented for myself a while back. It's included in a post on here somewhere:

  1. Rename the following files in the config/certs/vpn folder to create a backup:
  • issued/vpn.mydomain.com.crt
  • private/vpn.mydomain.com.key
  • reqs/vpn.mydomain.com.req
  • index.txt
  2. Download easy-rsa to a temporary folder and extract it with the following command:

$ curl -sL https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz | tar xz --strip-components=1

  3. Create the new certificate:

$ ./easyrsa/easyrsa --pki-dir="./vpn" --days=730 build-server-full "vpn.mydomain.com" nopass

  4. Convert the certificate and the key file to base64 strings:

$ echo "$(cat ./vpn/issued/vpn.mydomain.com.crt)" | base64 --wrap=0 2>/dev/null
$ echo "$(cat ./vpn/private/vpn.mydomain.com.key)" | base64 --wrap=0 2>/dev/null
  5. Replace the values of OPENBALENA_VPN_SERVER_CRT and OPENBALENA_VPN_SERVER_KEY in config/activate with the base64-encoded values from step 4.

  6. Restart open-balena and recreate the services:

$ ./scripts/compose up -d --force-recreate --no-deps

No warranty provided, obviously, but I have done this a couple of times and not had any impact on fleet devices.

EDIT: I think this works in perpetuity provided you always generate the new certificates with the same CA. This is because the devices have the CA set in their config.json file to trust. You could of course change the CA in the config.json of all fleet devices if you really had to, using a script. There's an example of how to bulk edit the config.json of fleet devices on the balena GitHub. I would avoid that unless truly necessary.

Cheers
Dashals
