From a0e5d59a3190b40138c5d6928f6cb89aebb00e9b Mon Sep 17 00:00:00 2001
From: Sean Klein
Date: Tue, 28 Jun 2022 15:56:11 -0400
Subject: [PATCH] Launch Nexus using a self-signed x.509 certificate (#1287)

Part of https://github.com/oxidecomputer/omicron/issues/249

This PR forces Nexus's external interface to be served via HTTPS when deployed by the sled-agent.

- The packaging system expects to find these certificates within `./out/certs`, named `cert.pem` and `key.pem`.
- `./tools/create_self_signed_cert.sh` is capable of creating a self-signed certificate.
---
 docs/how-to-run.adoc | 7 +++++++
 package-manifest.toml | 8 ++++++++
 sled-agent/src/services.rs | 7 ++++++-
 tools/create_self_signed_cert.sh | 28 ++++++++++++++++++++++++++++
 4 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100755 tools/create_self_signed_cert.sh

diff --git a/docs/how-to-run.adoc b/docs/how-to-run.adoc
index 0805eef362..47f05cca7e 100644
--- a/docs/how-to-run.adoc
+++ b/docs/how-to-run.adoc
@@ -43,6 +43,13 @@ the networking bits are temporary, so a reboot should always clear them.
 Both scripts must be run as root, e.g, `pfexec ./tools/create_virtual_hardware.sh`.
+=== Make me a certificate!
+
+Nexus's external interface will typically be served using public-facing x.509
+certificate. While we are still configuring the mechanism to integrate this real
+certificate into the package system, `./tools/create_self_signed_cert.sh` can be
+used to generate an equivalent self-signed certificate.
+
 == Deploying Omicron
 The control plane repository contains a packaging tool which bundles binaries
diff --git a/package-manifest.toml b/package-manifest.toml
index 683412532b..7bf591a742 100644
--- a/package-manifest.toml
+++ b/package-manifest.toml 
@@ -25,6 +25,14 @@ to = "/var/svc/manifest/site/nexus"
 [[package.omicron-nexus.paths]]
 from = "out/console-assets"
 to = "/var/nexus/static"
+# Note, we could just map the whole "out/certs" directory, but this ensures
+# both files exist.
+[[package.omicron-nexus.paths]]
+from = "out/certs/cert.pem"
+to = "/var/nexus/certs/cert.pem"
+[[package.omicron-nexus.paths]]
+from = "out/certs/key.pem"
+to = "/var/nexus/certs/key.pem"
 [package.oximeter-collector]
 rust.binary_names = ["oximeter"]
diff --git a/sled-agent/src/services.rs b/sled-agent/src/services.rs
index be11bfb2a6..12ad16f1f4 100644
--- a/sled-agent/src/services.rs
+++ b/sled-agent/src/services.rs
@@ -324,7 +324,12 @@ impl ServiceManager {
 dropshot_external: ConfigDropshot {
 bind_address: SocketAddr::V6(external_address),
 request_body_max_bytes: 1048576,
- ..Default::default()
+ tls: Some(
+ dropshot::ConfigTls {
+ cert_file: PathBuf::from("/var/nexus/certs/cert.pem"),
+ key_file: PathBuf::from("/var/nexus/certs/key.pem"),
+ }
+ ),
 },
 dropshot_internal: ConfigDropshot {
 bind_address: SocketAddr::V6(internal_address),
diff --git a/tools/create_self_signed_cert.sh b/tools/create_self_signed_cert.sh
new file mode 100755
index 0000000000..783c8eaf70
--- /dev/null
+++ b/tools/create_self_signed_cert.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Creates a self-signed certificate.
+#
+# For those with access, certificates are available in:
+#
+# https://github.com/oxidecomputer/configs/tree/master/nginx/ssl/wildcard.oxide-preview.com
+
+set -eu
+
+# Set the CWD to Omicron's source.
+SOURCE_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+cd "${SOURCE_DIR}/.."
+
+OUTPUT_DIR="out/certs"
+CERT_PATH="$OUTPUT_DIR/cert.pem"
+KEY_PATH="$OUTPUT_DIR/key.pem"
+
+mkdir -p "$OUTPUT_DIR"
+
+openssl req -newkey rsa:4096 \
+ -x509 \
+ -sha256 \
+ -days 3650 \
+ -nodes \
+ -out "$CERT_PATH" \
+ -keyout "$KEY_PATH" \
+ -subj '/CN=localhost'
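Review bot: The second new path entry ships `out/certs/key.pem` into the Nexus package exactly like the public console assets, and nothing in this hunk constrains the mode or owner the private key ends up with at `/var/nexus/certs/key.pem`. If the packaging tool's path entries cannot carry a permission, the added comment should say where the restriction is expected to come from, e.g. append `# key.pem is a private key; this entry does not set its installed mode/owner — confirm the Nexus zone restricts it.` It is also worth confirming that `out/certs` is excluded from version control so a locally generated key is never committed, and that the resulting package tarball is not left world-readable on the build host.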
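Review bot: The `cert_file` and `key_file` values are bare string literals that must stay in sync with the `to =` targets added to package-manifest.toml, and nothing in the code ties the two together, so a future edit to one will not surface the other. Hoisting them into named constants next to the other Nexus paths, or at minimum a comment such as `// Must match the out/certs -> /var/nexus/certs mappings in package-manifest.toml.` above `tls: Some(`, would make the coupling visible. Replacing `..Default::default()` with an explicit `tls` field means every `ConfigDropshot` field is now spelled out, so a field added to dropshot later will fail to compile here instead of silently defaulting — presumably intended, but worth stating in the commit. The enclosing function starts and ends outside the hunk.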
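Review bot: `-subj '/CN=localhost'` yields a certificate with no subjectAltName, and most modern TLS clients (rustls-based ones and current browsers among them) match hostnames against SANs only, so they will reject this certificate even when it is explicitly trusted; `localhost` also does not match the external address Nexus binds to, which the commit message says is what this certificate fronts. Adding `-addext 'subjectAltName=DNS:localhost'` (OpenSSL 1.1.1+) and stating in the header comment that the output is for local testing only would make that limitation explicit. Since `-nodes` writes the private key unencrypted, a `umask 077` line before the `openssl` call guards against `key.pem` being created readable by other users on OpenSSL builds that do not already restrict the mode. Rerunning the script also silently overwrites whatever `cert.pem`/`key.pem` already sit in `out/certs`, which per the new docs section may be a real certificate placed there by hand; refusing to overwrite unless a force flag is given would avoid that.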