Using real (not self-signed) certificates


#1

Thanks for providing openBalena, it’s a great addition to the family!

We’re having a few issues which I think mostly stem from the use of the self-signed certificates. I’m wondering if we need to use self-signed in the first place, or if we can use real ones, if so, where do we put them? I can see files in ~/open-balena/config/certs/api which look relevant.

I was thinking of using certbot (certonly) as we use cloudflare for DNS so can easily handle the auth side of generating certificates from Let’s Encrypt.

Is it going to be fairly simple to swap out for real certificates or is this not a good idea?

Again, thanks for the great products 🙂


#2

Hi @violuke

Firstly, thanks for trying out openBalena and providing us with your feedback; it’s great to see people starting to use it and getting excited about it.

The cert generation and usage can be tricky in openBalena so I would recommend the following:

  • unbind the ports 80 and 443 from the haproxy container to the host.
  • add a new service in the compose file using “Caddy” which will host-bind on 80 and 443. I used this one https://github.com/abiosoft/caddy-docker.
  • configure the Caddy container to use TLS, listen for requests to *.your-domain.here, and use “haproxy:80” as the backend.
  • re-start the stack.

Caddy is a web server which will go off to LetsEncrypt and do the cert management for you; so no need to mess with the certs in openBalena. It can be tricky to set up if you’re new to containers, but I am hoping to make some tools & guides available to help with this as soon as I get the time.

Let us know how you get on, and thanks again for using openBalena!
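A concrete version of the four steps above, written as an added example rather than code from the openBalena project or the poster: a compose fragment that moves host ports 80 and 443 from haproxy to a Caddy service, with the Caddyfile it mounts shown in the trailing comment. The image build, the `ACME_AGREE` variable, the `cloudflare` plugin name and its `CLOUDFLARE_*` environment variables are assumptions about the abiosoft/caddy-docker image (Caddy v1) and should be checked against its README.

```yaml
# Fragment to merge into the existing openBalena compose file (keep its
# version line). Added example; not part of the openBalena project.
services:
  haproxy:
    # ... existing haproxy definition stays as it is, except that the host
    # bindings below are removed so Caddy can own ports 80 and 443:
    # ports:
    #   - "80:80"
    #   - "443:443"

  caddy:
    # Build abiosoft/caddy-docker with the Cloudflare DNS plugin (assumed
    # build argument name). A wildcard cert requires the DNS-01 challenge,
    # which is why the plugin is needed when the OP's DNS is on Cloudflare.
    build:
      context: https://github.com/abiosoft/caddy-docker.git
      args:
        plugins: "cloudflare"
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      # Caddy v1 refuses to start until the Let's Encrypt terms are accepted.
      ACME_AGREE: "true"
      # Read from the host environment / .env; never commit real values.
      # Variable names follow the Caddy v1 cloudflare plugin (assumption).
      CLOUDFLARE_EMAIL: "${CLOUDFLARE_EMAIL}"
      CLOUDFLARE_API_KEY: "${CLOUDFLARE_API_KEY}"
    volumes:
      - ./Caddyfile:/etc/Caddyfile:ro
      # Persist issued certificates so restarts do not re-request them
      # and hit Let's Encrypt rate limits.
      - caddy-certs:/root/.caddy
    depends_on:
      - haproxy

volumes:
  caddy-certs:

# ./Caddyfile (Caddy v1 syntax), referenced by the volume above; replace
# the domain and contact e-mail with your own:
#
#   *.your-domain.here {
#       tls admin@your-domain.here {
#           dns cloudflare
#       }
#       # "transparent" keeps the original Host header so haproxy can still
#       # route api./registry./vpn. requests by hostname on port 80.
#       proxy / haproxy:80 {
#           transparent
#       }
#   }
```

Caddy terminates TLS for every `*.your-domain.here` name and forwards plain HTTP to haproxy inside the compose network, so the self-signed certificates under `~/open-balena/config/certs` are no longer what browsers and devices see.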


#3

Hi,

Thanks for the pointers. I’ll have a look into this and let you know how I get on.


#4

Awesome, please report back here with your results as I am sure others will find it useful.