
Allow to provide custom TLS certificates for the HTTP virtual hosts
Open, Requires assessment | Public | FEATURE REQUEST


Hello there,

It would be great if we could provide custom TLS certificates via the CLI, such as:
set service https virtual-host foo tls-certificate file://...
set service https virtual-host foo tls-chain file://....
set service https virtual-host foo tls-key file://....

The commands should do, at least, one thing:

  • update the generated vhost configuration in order to use the pointed files
  • maybe copy the pointed files to a (safe) location

In addition, running an "nginx -t && service nginx reload" might be good in order to

  1. ensure nginx configuration is valid
  2. reload the whole service with the new certificate

This would allow Operators to get real, trusted certificates when they activate the HTTP-API service on the router. In addition, it might help in order to automate certificate provisioning on the router(s).
It's also better for the vycontrol project, since we can get a trusted certificate and implement a strict certificate check in order to avoid any MitM.

Of course, these new commands should be optional, and an Operator could stay with the snakeoil certificate (though it's a bad idea).
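
The copy, validate and reload steps requested above, sketched as an added example (not part of the original request and not VyOS code). The destination directory, file naming and the function name `install_vhost_tls` are assumptions; rewriting the vhost configuration to point at the installed files is not shown.

```shell
#!/usr/bin/env bash
# Added example. Paths, names and defaults below are assumptions, not VyOS behaviour.
DEST_DIR="${DEST_DIR:-/etc/nginx/tls}"            # assumed "safe" location
VALIDATE_CMD="${VALIDATE_CMD:-nginx -t}"          # config check named in the request
RELOAD_CMD="${RELOAD_CMD:-service nginx reload}"  # reload named in the request

# install_vhost_tls <vhost> <cert-file> <key-file>
# Returns 0 on success, 2 on bad input, 3 when validation fails (old files restored).
install_vhost_tls() {
    local vhost="$1" cert="$2" key="$3" f
    local dst_cert="$DEST_DIR/$vhost.crt" dst_key="$DEST_DIR/$vhost.key"

    # Reject vhost names that could escape DEST_DIR (slashes, leading dot, empty).
    case "$vhost" in
        ''|.*|*[!A-Za-z0-9._-]*) echo "bad vhost name" >&2; return 2 ;;
    esac
    [ -r "$cert" ] && [ -r "$key" ] || { echo "unreadable input" >&2; return 2; }

    mkdir -p "$DEST_DIR" && chmod 700 "$DEST_DIR" || return 1

    # Keep the previous pair so a failed validation can be rolled back.
    for f in "$dst_cert" "$dst_key"; do
        rm -f "$f.bak"
        if [ -e "$f" ]; then cp -p "$f" "$f.bak" || return 1; fi
    done

    # install(1) applies the mode when it writes the file, so the key is
    # never left readable by other users, whatever the caller's umask is.
    install -m 0644 "$cert" "$dst_cert" && install -m 0600 "$key" "$dst_key" || return 1

    # Validate before reloading; on failure restore the old pair and do not reload.
    if ! $VALIDATE_CMD >/dev/null 2>&1; then
        for f in "$dst_cert" "$dst_key"; do
            if [ -e "$f.bak" ]; then mv -f "$f.bak" "$f"; else rm -f "$f"; fi
        done
        echo "validation failed, rolled back" >&2
        return 3
    fi
    rm -f "$dst_cert.bak" "$dst_key.bak"
    $RELOAD_CMD
}
```

A failed validation leaves the running service on its previous certificate, so a bad upload cannot take the HTTP-API listener down.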




Difficulty level: Unknown (require assessment)
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Config syntax change (migratable)
Issue type: Feature (new functionality)