-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Launch Nexus using a self-signed x.509 certificate #1287
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good. Two things:
- If somebody forgets to create the self-signed certificate but still runs builds the image, what's the failure mode? It'd be nice if that fails building the image rather than failing at runtime.
- I wonder if we should update the example config files and the simulated run instructions so that people are doing this in that workflow too. But that doesn't have to be in this PR!
The packaging tools complain when constructing the Nexus zone image - so it is not a runtime failure. I wanted to make the certificates mandatory for running in "real" nexus to make it very difficult to "not have them at runtime, somehow".
Sounds good |
Sounds good. I was worried because I didn't see anything in this PR that would obviously fail in that case. |
# | ||
# For those with access, certificates are available in: | ||
# | ||
# https://github.com/oxidecomputer/configs/tree/master/nginx/ssl/wildcard.oxide-preview.com |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This location is will change eventually as a some things get decoupled. Not to block this PR, but for future reference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the heads up. The flow for importing a non-self-signed cert is clearly half-baked; I needed to pull them manually.
Until we have a good authentication story for it, the manual approach seems better than something insecure, but I'd like to remedy that when we can.
Hrm... I realized, the thing we were actually checking for was the presence of a directory in |
…xidecomputer#1287)" (oxidecomputer#1300)" This reverts commit 154a4a6.
Part of #249 This PR forces Nexus's external interface to be served via HTTPS when deployed by the sled-agent. - The packaging system expects to find these certificates within `./out/certs`, named `cert.pem` and `key.pem`. - `./tools/create_self_signed_cert.sh` is capable of creating a self-signed certificate.
…1500) Another attempt at oxidecomputer#1287 In addition to launching an HTTPS server, this also launches an HTTP server so we can smoothly migrate clients (like the CLI). Part of oxidecomputer#249
Part of #249
This PR forces Nexus's external interface to be served via HTTPS when deployed by the sled-agent.
./out/certs
, namedcert.pem
andkey.pem
../tools/create_self_signed_cert.sh
is capable of creating a self-signed certificate.