Right way to set TLS certificates

By @frostman
    2021-06-25 21:15:45.240Z

    Hello, I'm looking for instructions on how to set TLS certs the right way (without a CA). I'm using my own CA that is configured as trusted on all devices, so I only want to set the TLS keys for the TinyPilot itself without providing the CA. I tried setting the TLS paths mentioned in the certificate error after importing ca cert into system store on macOS Big Sur #post-2 and it was working for some time, but it seems to be overridden after an upgrade, and the UI isn't working anymore. Thanks

    1. Sorry about the CA issues! Not many customers bring their own CA, so it's possible there are bugs in this flow that we haven't seen before.

      Do you have this line in your /home/tinypilot/settings.yml?

      tinypilot_manage_tls_keys: no
      

      With that configuration, TinyPilot shouldn't try to update your CA and TLS keys and certs on updates.

      If your settings file already has that line, can you share your update logs?

      sudo journalctl -u tinypilot-updater | \
        curl -F '_=<-' https://logs.tinypilotkvm.com
      
      1. @frostman
          2021-06-30 15:15:11.638Z

          Yes, I have tinypilot_manage_tls_keys: no in the config, and running tinypilot-updater now (even w/o upgrade available) breaks the keys.

          Here are the logs https://logs.tinypilotkvm.com/GJ33CEZH and it seems like it detects that tls keys management is disabled but it still creates CA/certs later.

          I've been editing only:
          /etc/ssl/certs/tinypilot-nginx.crt
          /etc/ssl/private/tinypilot-nginx.key

          Thanks

          1. That's really strange. According to the log, the updater isn't touching the certs or keys:

            Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: TASK [tinypilot.tinypilot-pro : create the CA CSR] *****************************
            Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: skipping: [localhost]
            Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: TASK [tinypilot.tinypilot-pro : sign the CA CSR] *******************************
            Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: skipping: [localhost]
            Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: TASK [tinypilot.tinypilot-pro : create host CSR signing key] *******************
            Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: skipping: [localhost]
            Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: TASK [tinypilot.tinypilot-pro : create CSR for nginx] **************************
            Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: skipping: [localhost]
            Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: TASK [tinypilot.tinypilot-pro : generate a CA-signed TLS certificate] **********
            Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: skipping: [localhost]
            Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: TASK [tinypilot.tinypilot-pro : install update-tls-cert-common-name as a service] ***
            Jun 14 12:08:42 nas-kvm tinypilot-update-svc[24809]: skipping: [localhost]
            

            I've tried to reproduce this on my local Voyager, and when I add tinypilot_manage_tls_keys: no to my /home/tinypilot/settings.yml, it leaves my TLS certs and keys untouched.

            Can you confirm that my understanding is correct?

            1. You replaced /etc/ssl/certs/tinypilot-nginx.crt and /etc/ssl/private/tinypilot-nginx.key on your Voyager with your own TLS key and cert.
            2. You added tinypilot_manage_tls_keys: false to your /home/tinypilot/settings.yml.
            3. You ran sudo service tinypilot-updater start to force the update service to run.
            4. After the tinypilot-updater process finishes, /etc/ssl/certs/tinypilot-nginx.crt and /etc/ssl/private/tinypilot-nginx.key are no longer the keys/cert you placed there.
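One way to make the four-step check above reproducible, as an added example that is not part of the thread or TinyPilot's own tooling: snapshot SHA-256 fingerprints of the cert and key before running the updater, then afterwards report which file changed and whether the key still matches the cert (the mismatch that would stop nginx from reloading). The file paths are the ones from the thread; the baseline location is an assumption.

```shell
#!/bin/sh
# Added example, not TinyPilot code. Records fingerprints of the nginx TLS cert
# and key, then checks later whether either file was replaced and whether the
# private key still belongs to the certificate.
CERT="${CERT:-/etc/ssl/certs/tinypilot-nginx.crt}"
KEY="${KEY:-/etc/ssl/private/tinypilot-nginx.key}"
BASELINE="${BASELINE:-/var/tmp/tinypilot-tls.baseline}"   # assumed location

# Emit "sha256  path" lines for the cert and the key.
tls_fingerprint() {
  sha256sum "$1" "$2"
}

# Save the current fingerprints of cert ($1) and key ($2) to baseline file ($3).
tls_snapshot() {
  tls_fingerprint "$1" "$2" > "$3"
}

# Compare every file listed in the baseline ($1) with its current hash.
# Prints one line per file; returns 0 if nothing changed, 1 otherwise, so the
# "cert kept, key overwritten" case shows up as exactly one CHANGED line.
tls_check_unchanged() {
  rc=0
  while read -r sum path; do
    now=$(sha256sum "$path" | cut -d' ' -f1)
    if [ "$now" = "$sum" ]; then
      echo "unchanged: $path"
    else
      echo "CHANGED:   $path"
      rc=1
    fi
  done < "$1"
  return $rc
}

# Return 0 if the key ($2) matches the public key in the cert ($1); needs openssl.
tls_key_matches_cert() {
  command -v openssl >/dev/null || { echo "openssl not found" >&2; return 2; }
  c=$(openssl x509 -in "$1" -noout -pubkey | sha256sum)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | sha256sum)
  [ "$c" = "$k" ]
}

case "${1:-}" in
  snapshot) tls_snapshot "$CERT" "$KEY" "$BASELINE" ;;
  check)    tls_check_unchanged "$BASELINE" && tls_key_matches_cert "$CERT" "$KEY" ;;
esac
```

Run `sudo sh tls-check.sh snapshot` before step 3 and `sudo sh tls-check.sh check` after step 4; the private key directory normally requires root to read.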
            1. @frostman
                2021-07-20 20:12:42.015Z

                Hi, sorry, I didn't have a chance to check it before. I've tried a few times today and here are the results. So, it seems like if I have "tinypilot_manage_tls_keys: no" in the settings then it keeps the cert but overwrites the key, so Nginx can't reload and the upgrade fails. After that first attempt, I changed it to "tinypilot_manage_tls_keys: false" and started the upgrade in the UI, and it worked well (switched from 2.2.2 to 2.2.3 IIRC); both cert and key seem to be fine now. So, maybe it's b/c of the no vs false in the config. If you want I can try some more combinations. Thanks

                1. Thanks for following up!

                  No need for you to do further testing. We'll test on our end to see if we can get to the bottom of this.

                  1. @frostman
                      2021-08-04 21:12:36.013Z

                      Actually, it just resets the key after the restart of tinypilot while cert stays the same... Even with the tinypilot_manage_tls_keys: false in the config...

                      1. It reverts the TLS certificate after you reboot the TinyPilot? Is it possible you enabled the read-only filesystem? That's the only reason I can think of that a device restart would change the files.

                        If not, can you share the TinyPilot logs after it resets the TLS keys?