Page MenuHomeVyOS Platform

Allow to provide custom TLS certificates for the HTTP virtual hosts
Open, LowPublicFEATURE REQUEST

Description

Hello there,

It would be great if we could provide custom TLS certificates via the CLI, such as:
set service https virtual-host foo tls-certificate file://...
set service https virtual-host foo tls-chain file://....
set service https virtual-host foo tls-key file://....

The commands should do, at least, one thing:

  • update the generated vhost configuration in order to use the pointed files
  • maybe copy the pointed files to a (safe) location

In addition, running an "nginx -t && service nginx reload" might be good in order to

  1. ensure nginx configuration is valid
  2. reload the whole service with the new certificate

This would allow Operators to get real, trusted certificates when they activate the HTTP-API service on the router. In addition, it might help in order to automate certificate provisioning on the router(s).
It's also better for the vycontrol project, since we can get trusted certificate and implement strict certificate check in order to avoid any MitM.

Of course, these new commands should be optional, and an Operator could stay with the snakeoil certificate (though it's a bad idea).

Cheers,

C.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)
Issue type
Feature (new functionality)

Event Timeline

dmbaturin renamed this task from Allow to provide custom TLS certificates for the "https" service to Allow to provide custom TLS certificates for the HTTP virtual hosts.Jul 29 2021, 8:50 AM
erkin set Issue type to Feature (new functionality).Aug 29 2021, 12:25 PM
erkin removed a subscriber: Active contributors.

This is available in Sagitta thanks to the PKI subsystem; backport depends on backport of that subsystem.