Using real (not self-signed) certificates


@phoenixmage whilst this will load your cert and expose it on port 443, you will have difficulty getting your devices to connect since they will not trust the CA which signed that certificate.

I will have to have a think about this mechanism; there is a way to do it, but I need to consult some people internally.


@richbayliss I am sure there would be a way to inject it into the BalenaOS image, I am just not sure which partition it has to happen in. I will experiment and see.


@richbayliss So if you add the base64 encoded CA cert to balenaRootCA in /mnt/bot/config.json and remove the resin-supervisor container and systemctl start resin-supervisor it will use the new root CA


@phoenixmage Hey, just a quick update for you. I have a working solution for this scenario and it is pending a PR which should happen this week. When it does I will update you here.

Basically the current VPN trust configuration is tied to the BALENA_ROOT_CA and so while you can change this value, you would also need to issue a new VPN Sub-CA and server cert. So I am PRing a change to remove the trust chain, meaning you can change the BALENA_ROOT_CA value in your configuration to match your enterprise CA and still keep a working VPN. I have tested it myself and it worked nicely. You will also be able to make your own cert-provider image to load in your server’s cert and then renew it/reload the HAproxy config without changing the HAproxy container.