Using real (not self-signed) certificates

I am interested in using an internally signed CA for my stuff so, leveraging @richbayliss’s solution now that it is merged, I did the following:

  • Generated a new private key
  • Created a CSR which uses subject alt name for each required CNAME (registry, vpn, etc) in the CSR
  • Signed the CSR with my internal CA
  • Created open-balena.pem which contains the full cert chain and the private key appended

You can either find the physical location of the named cert volume (docker volume inspect openbalena_certs and look for Mountpoint) or copy the pem to haproxy/open-balena.pem and add COPY open-balena.pem /certs/open-balena.pem to the haproxy/Dockerfile

I needed to rebuild my haproxy container using ./scripts/compose up -d --build haproxy

After that my CA-signed cert is now used.
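
The four steps listed in the post, as an added example that is not part of the original post: a throwaway CA generated in the script stands in for the internal CA, and the domain `openbalena.example` and every file name except `open-balena.pem` are assumptions.

```shell
#!/bin/sh
# Added example. A throwaway CA (ca.key/ca.pem) stands in for the internal CA;
# the domain and all file names except open-balena.pem are assumptions.
build_bundle() (
    dir="$1"; domain="$2"
    umask 077                      # keys and the bundle are owner-only
    mkdir -p "$dir" && cd "$dir" || exit 1
    cat > req.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
req_extensions = v3_req
[dn]
CN = $domain
[v3_req]
subjectAltName = DNS:registry.$domain, DNS:vpn.$domain
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    # Stand-in for the internal CA (normally this already exists elsewhere).
    openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Internal CA" -days 30 \
        -keyout ca.key -out ca.pem 2>/dev/null || exit 1
    # 1. New private key.  2. CSR carrying one SAN per required hostname.
    openssl genrsa -out open-balena.key 2048 2>/dev/null || exit 1
    openssl req -new -config req.cnf -key open-balena.key -out open-balena.csr || exit 1
    # 3. Sign. "x509 -req" does not copy CSR extensions by default,
    #    so the SAN section is passed again via -extfile.
    openssl x509 -req -in open-balena.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -extfile req.cnf -extensions v3_req -days 30 -out open-balena.crt 2>/dev/null || exit 1
    # 4. Leaf certificate, then the chain, then the private key appended.
    cat open-balena.crt ca.pem open-balena.key > open-balena.pem
)

# Checks before deploying: chain validates, key matches the cert, SANs present.
check_bundle() (
    cd "$1" || exit 1
    openssl verify -CAfile ca.pem open-balena.crt >/dev/null || exit 1
    [ "$(openssl x509 -in open-balena.pem -noout -pubkey)" = \
      "$(openssl pkey -in open-balena.pem -pubout)" ] || exit 1
    openssl x509 -in open-balena.pem -noout -text | grep 'DNS:'
)

out=$(mktemp -d) && build_bundle "$out" openbalena.example && check_bundle "$out"
```

Running `check_bundle` before rebuilding haproxy catches the two usual failures: a signed certificate that lost its SAN entries, and a bundle whose key does not belong to the certificate.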