Hello there,
It would be great if we could provide custom TLS certificates via the CLI, such as:
set service https virtual-host foo tls-certificate file://...
set service https virtual-host foo tls-chain file://....
set service https virtual-host foo tls-key file://....
The commands should do, at least, one thing:
- update the generated vhost configuration in order to use the pointed files
- maybe copy the pointed files to a (safe) location
In addition, running an "nginx -t && service nginx reload" might be good in order to:
- ensure nginx configuration is valid
- reload the whole service with the new certificate
This would allow Operators to get real, trusted certificates when they activate the HTTP-API service on the router. In addition, it might help in order to automate certificate provisioning on the router(s).
It's also better for the vycontrol project, since we can get a trusted certificate and implement a strict certificate check in order to avoid any MitM.
Of course, these new commands should be optional, and an Operator could stay with the snakeoil certificate (though it's a bad idea).
Cheers,
C.
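
The workflow requested above, as an added shell example (not VyOS code and not part of the original request): check that the key matches the certificate, copy the files to a restricted directory, then run the "nginx -t && service nginx reload" step and restore the previous pair if it fails. `TLS_DIR`, the function names, and the assumption that the generated vhost configuration points `ssl_certificate` / `ssl_certificate_key` at `$TLS_DIR/<vhost>.crt` and `.key` are all hypothetical.

```shell
#!/bin/sh
# Added example, not VyOS code. TLS_DIR and all function names are assumptions.
# Call as: apply_vhost_tls foo file:///tmp/foo.crt file:///tmp/foo.key [file:///tmp/chain.pem]
TLS_DIR="${TLS_DIR:-/etc/nginx/tls}"

# True only when the private key and the leaf certificate carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout) || return 1  # never prompt
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The two commands named in the request, wrapped so they can be swapped out.
nginx_check()  { nginx -t; }
nginx_reload() { service nginx reload; }

# usage: apply_vhost_tls VHOST CERT_URL KEY_URL [CHAIN_URL]
# returns 0 ok, 2 bad input, 3 key/cert mismatch, 4 nginx rejected it (rolled back)
apply_vhost_tls() {
    vhost=$1; cert=${2#file://}; key=${3#file://}; chain=${4:-}; chain=${chain#file://}
    case $vhost in ''|*[!A-Za-z0-9_-]*) echo "invalid vhost name" >&2; return 2 ;; esac
    for f in "$cert" "$key" ${chain:+"$chain"}; do
        [ -f "$f" ] && [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    cert_matches_key "$cert" "$key" || { echo "key does not match certificate" >&2; return 3; }

    mkdir -p "$TLS_DIR" && chmod 700 "$TLS_DIR" || return 1
    dest=$TLS_DIR/$vhost
    for ext in crt key; do          # keep the working pair for rollback
        rm -f "$dest.$ext.prev"
        if [ -f "$dest.$ext" ]; then cp -p "$dest.$ext" "$dest.$ext.prev" || return 1; fi
    done
    # nginx has no separate chain directive: ssl_certificate takes leaf, then intermediates.
    cat "$cert" ${chain:+"$chain"} > "$dest.crt" && chmod 0644 "$dest.crt" &&
        install -m 0600 "$key" "$dest.key" || return 1

    if nginx_check && nginx_reload; then
        rm -f "$dest.crt.prev" "$dest.key.prev"; return 0
    fi
    for ext in crt key; do          # restore the previous pair, or undo a first install
        if [ -f "$dest.$ext.prev" ]; then mv -f "$dest.$ext.prev" "$dest.$ext"
        else rm -f "$dest.$ext"; fi
    done
    echo "nginx rejected the new certificate, previous files restored" >&2; return 4
}
```

Because the running nginx is only reloaded after `nginx -t` passes, a rejected certificate leaves the service on the pair it was already serving.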