Launch Nexus using a self-signed x.509 certificate (#1287)

Part of #249 This PR forces Nexus's external interface to be served via HTTPS when deployed by the sled-agent. - The packaging system expects to find these certificates within `./out/certs`, named `cert.pem` and `key.pem`. - `./tools/create_self_signed_cert.sh` is capable of creating a self-signed certificate.
oxidecomputer · Jul 26, 2022 · 1f843f1 · 1f843f1
1 parent 948e537
commit 1f843f1
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 1 deletion.
diff --git a/docs/how-to-run.adoc b/docs/how-to-run.adoc
@@ -53,6 +53,13 @@ This script requires Omicron be uninstalled, e.g., with `pfexec
 that is not the case. The script will then remove the file-based vdevs and the
 VNICs created by `create_virtual_hardware.sh`.
 
+=== Make me a certificate!
+
+Nexus's external interface will typically be served using public-facing x.509
+certificate. While we are still configuring the mechanism to integrate this real
+certificate into the package system, `./tools/create_self_signed_cert.sh` can be
+used to generate an equivalent self-signed certificate.
+
 == Deploying Omicron
 
 The control plane repository contains a packaging tool which bundles binaries

diff --git a/package-manifest.toml b/package-manifest.toml
@@ -30,6 +30,14 @@ to = "/var/svc/manifest/site/nexus"
 [[package.omicron-nexus.paths]]
 from = "out/console-assets"
 to = "/var/nexus/static"
+# Note, we could just map the whole "out/certs" directory, but this ensures
+# both files exist.
+[[package.omicron-nexus.paths]]
+from = "out/certs/cert.pem"
+to = "/var/nexus/certs/cert.pem"
+[[package.omicron-nexus.paths]]
+from = "out/certs/key.pem"
+to = "/var/nexus/certs/key.pem"
 
 [package.oximeter-collector]
 rust.binary_names = ["oximeter"]

diff --git a/sled-agent/src/services.rs b/sled-agent/src/services.rs
@@ -409,7 +409,12 @@ impl ServiceManager {
                         dropshot_external: ConfigDropshot {
                             bind_address: external_address,
                             request_body_max_bytes: 1048576,
-                            ..Default::default()
+                            tls: Some(
+                                dropshot::ConfigTls {
+                                    cert_file: PathBuf::from("/var/nexus/certs/cert.pem"),
+                                    key_file: PathBuf::from("/var/nexus/certs/key.pem"),
+                                }
+                            ),
                         },
                         dropshot_internal: ConfigDropshot {
                             bind_address: SocketAddr::V6(internal_address),

diff --git a/tools/create_self_signed_cert.sh b/tools/create_self_signed_cert.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Creates a self-signed certificate.
+#
+# For those with access, certificates are available in:
+#
+# https://github.com/oxidecomputer/configs/tree/master/nginx/ssl/wildcard.oxide-preview.com
+
+set -eu
+
+# Set the CWD to Omicron's source.
+SOURCE_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+cd "${SOURCE_DIR}/.."
+
+OUTPUT_DIR="out/certs"
+CERT_PATH="$OUTPUT_DIR/cert.pem"
+KEY_PATH="$OUTPUT_DIR/key.pem"
+
+mkdir -p "$OUTPUT_DIR"
+
+openssl req -newkey rsa:4096 \
+            -x509 \
+            -sha256 \
+            -days 3650 \
+            -nodes \
+            -out "$CERT_PATH" \
+            -keyout "$KEY_PATH" \
+            -subj '/CN=localhost'