Right way to set TLS certificates

By @frostman, 2021-06-25 21:15:45.240Z

Hello, I'm looking for instructions on how to set TLS certs the right way (without a CA). I'm using my own CA that is configured as trusted on all devices, so I only want to set the TLS keys for the TinyPilot itself without providing the CA. I tried setting the TLS paths mentioned in "certificate error after importing ca cert into system store on MacOS Big Sur #post-2" and it worked for some time, but it seems to have been overridden after an upgrade, and the UI is not working anymore. Thanks

  • 5 replies
  1. Michael Lynch @michael, 2021-06-28 18:58:14.470Z

    Sorry about the CA issues! Not many customers bring their own CA, so it's possible there are bugs in this flow that we haven't seen before.

    Do you have this line in your /home/tinypilot/settings.yml?

    tinypilot_manage_tls_keys: no
    

    With that configuration, TinyPilot shouldn't try to update your CA and TLS keys and certs on updates.

    If your settings file already has that line, can you share your update logs?

    sudo journalctl -u tinypilot-updater | \
      curl -F '_=<-' https://logs.tinypilotkvm.com
    
    1. F @frostman, 2021-06-30 15:15:11.638Z

      Yes, I have tinypilot_manage_tls_keys: no in the config, and running tinypilot-updater now (even without an upgrade available) breaks the keys.

      Here are the logs: https://logs.tinypilotkvm.com/GJ33CEZH. It seems like it detects that TLS key management is disabled, but it still creates the CA/certs later.

      I've been editing only:
      /etc/ssl/certs/tinypilot-nginx.crt
      /etc/ssl/private/tinypilot-nginx.key

      Thanks

      1. Michael Lynch @michael, 2021-06-30 19:06:59.938Z

        That's really strange. According to the log, the updater isn't touching the certs or keys:

        Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: TASK [tinypilot.tinypilot-pro : create the CA CSR] *****************************
        Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: skipping: [localhost]
        Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: TASK [tinypilot.tinypilot-pro : sign the CA CSR] *******************************
        Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: skipping: [localhost]
        Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: TASK [tinypilot.tinypilot-pro : create host CSR signing key] *******************
        Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: skipping: [localhost]
        Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: TASK [tinypilot.tinypilot-pro : create CSR for nginx] **************************
        Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: skipping: [localhost]
        Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: TASK [tinypilot.tinypilot-pro : generate a CA-signed TLS certificate] **********
        Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: skipping: [localhost]
        Jun 14 12:08:41 nas-kvm tinypilot-update-svc[24809]: TASK [tinypilot.tinypilot-pro : install update-tls-cert-common-name as a service] ***
        Jun 14 12:08:42 nas-kvm tinypilot-update-svc[24809]: skipping: [localhost]
        

        I've tried to reproduce this on my local Voyager, and when I add tinypilot_manage_tls_keys: no to my /home/tinypilot/settings.yml, it leaves my TLS certs and keys untouched.

        Can you confirm that my understanding is correct?

        1. You replaced /etc/ssl/certs/tinypilot-nginx.crt and /etc/ssl/private/tinypilot-nginx.key on your Voyager with your own TLS key and cert.
        2. You added tinypilot_manage_tls_keys: false to your /home/tinypilot/settings.yml.
        3. You ran sudo service tinypilot-updater start to force the update service to run.
        4. After the tinypilot-updater process finished, /etc/ssl/certs/tinypilot-nginx.crt and /etc/ssl/private/tinypilot-nginx.key were no longer the key/cert you placed there.
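The four steps above, scripted as an added example (this is not TinyPilot's code, and the thread does not ship anything like it): it records SHA-256 digests of the two nginx files, starts the updater the way step 3 does, waits for the service to leave the active state, and then reports which file was replaced and whether the certificate and key on disk still belong to each other. The unit name `tinypilot-updater`, the `systemctl is-active` polling and the file paths are assumptions taken from the thread; reading /etc/ssl/private needs root, so run it with sudo.

```python
import hashlib
import pathlib
import subprocess
import time

# Files TinyPilot's nginx reads, as named in the thread.
NGINX_CRT = pathlib.Path("/etc/ssl/certs/tinypilot-nginx.crt")
NGINX_KEY = pathlib.Path("/etc/ssl/private/tinypilot-nginx.key")
# Assumption: the systemd unit has the same name as the service started in step 3.
UPDATER_UNIT = "tinypilot-updater"


def file_digest(path):
    """SHA-256 hex digest of a file's bytes; catches any rewrite, even to an equivalent PEM."""
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()


def snapshot(paths):
    """Map each path to its digest. Take this before starting the updater (step 3)."""
    return {str(p): file_digest(p) for p in paths}


def replaced_files(before, paths):
    """Paths whose current content no longer matches the snapshot, sorted (step 4)."""
    after = snapshot(paths)
    return sorted(p for p, digest in after.items() if digest != before.get(p))


def _openssl(*args):
    return subprocess.run(["openssl", *args], check=True, capture_output=True).stdout


def pair_matches(crt, key):
    """True when the private key's public half equals the certificate's public key.

    `x509 -pubkey` and `pkey -pubout` both print the SubjectPublicKeyInfo as PEM,
    so a byte comparison works for RSA and EC keys alike. A mismatch here is
    exactly the state in which nginx refuses to reload.
    """
    cert_pub = _openssl("x509", "-in", str(crt), "-noout", "-pubkey")
    key_pub = _openssl("pkey", "-in", str(key), "-pubout")
    return cert_pub == key_pub


def check_updater_run(crt=NGINX_CRT, key=NGINX_KEY, unit=UPDATER_UNIT, poll_seconds=5):
    """Steps 3 and 4: start the updater, wait for it, report what changed.

    Returns (replaced_paths, cert_and_key_still_match).
    """
    before = snapshot([crt, key])
    subprocess.run(["sudo", "service", unit, "start"], check=True)
    # Assumption: the updater is a systemd service that goes inactive when done.
    while subprocess.run(["systemctl", "is-active", "--quiet", unit]).returncode == 0:
        time.sleep(poll_seconds)
    return replaced_files(before, [crt, key]), pair_matches(crt, key)


if __name__ == "__main__":
    replaced, still_matches = check_updater_run()
    for path in replaced:
        print(f"REPLACED by updater: {path}")
    if not replaced:
        print("updater left the certificate and key untouched")
    print("certificate and key belong together:", still_matches)
```

Run it once before and once after editing settings.yml; a cert that survives while the key is rewritten shows up as a single replaced path plus `pair_matches` returning False, which is the combination that leaves nginx unable to reload.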
        1. F @frostman, 2021-07-20 20:12:42.015Z

          Hi, sorry, I didn't have a chance to check it before. I tried a few times today and here are the results. It seems like if I have "tinypilot_manage_tls_keys: no" in the settings, then it keeps the cert but overwrites the key, so Nginx can't reload and the upgrade fails. After that first attempt, I changed it to "tinypilot_manage_tls_keys: false" and started the upgrade in the UI, and it worked well (switched from 2.2.2 to 2.2.3 IIRC); both the cert and key seem to be fine now. So maybe it's because of the "no" vs "false" in the config. If you want, I can try some more combinations. Thanks

          1. Michael Lynch @michael, 2021-07-20 21:00:56.608Z

            Thanks for following up!

            No need for you to do further testing. We'll test on our end to see if we can get to the bottom of this.
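The thread ends without settling whether `no` and `false` really behave differently. One thing a practitioner can check on their own is how each spelling is resolved by the YAML loader: PyYAML, which Ansible uses, follows the YAML 1.1 rules where yes/no/on/off/true/false are all booleans, whereas a YAML 1.2 core-schema loader treats `no` as the string "no", and a string reaching a truthiness test counts as enabled. This added example (not TinyPilot's code) implements both resolution rules for a flat key: value file and contrasts a naive truthiness check with a strict one; it assumes settings.yml is a flat file and that an absent key means management is on, and the `parse_settings` / `manage_tls_keys_*` names are hypothetical.

```python
# Boolean spellings PyYAML's implicit resolver recognises (YAML 1.1 style).
YAML11_TRUE = frozenset({"yes", "Yes", "YES", "true", "True", "TRUE", "on", "On", "ON"})
YAML11_FALSE = frozenset({"no", "No", "NO", "false", "False", "FALSE", "off", "Off", "OFF"})
# YAML 1.2 core schema: only the true/false spellings are booleans.
YAML12_TRUE = frozenset({"true", "True", "TRUE"})
YAML12_FALSE = frozenset({"false", "False", "FALSE"})

BOOL_TABLES = {"1.1": (YAML11_TRUE, YAML11_FALSE), "1.2": (YAML12_TRUE, YAML12_FALSE)}


def resolve_plain_scalar(raw, yaml_version="1.1"):
    """Resolve an unquoted scalar to a bool, or leave it a str, per the chosen YAML rules."""
    true_set, false_set = BOOL_TABLES[yaml_version]
    if raw in true_set:
        return True
    if raw in false_set:
        return False
    return raw


def parse_settings(text, yaml_version="1.1"):
    """Tiny parser for a flat 'key: value' file such as settings.yml (not full YAML)."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition(":")
        if not sep:
            raise ValueError(f"not a key: value line: {line!r}")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            settings[key] = value[1:-1]  # quoted scalars are always strings
        else:
            settings[key] = resolve_plain_scalar(value, yaml_version)
    return settings


def manage_tls_keys_naive(settings):
    """Truthiness test: any non-empty string, including 'no', counts as enabled."""
    # Assumption: when the key is absent, TinyPilot manages the keys (as the thread implies).
    return bool(settings.get("tinypilot_manage_tls_keys", True))


def manage_tls_keys_strict(settings):
    """Accept only a real YAML boolean; refuse to guess what a stray string meant."""
    value = settings.get("tinypilot_manage_tls_keys", True)
    if not isinstance(value, bool):
        raise TypeError(f"tinypilot_manage_tls_keys must be a YAML boolean, got {value!r}")
    return value


# Constructed settings files, one per spelling used in the thread.
SETTINGS_NO = "tinypilot_manage_tls_keys: no\n"
SETTINGS_FALSE = "tinypilot_manage_tls_keys: false\n"

if __name__ == "__main__":
    for version in ("1.1", "1.2"):
        for text in (SETTINGS_NO, SETTINGS_FALSE):
            parsed = parse_settings(text, version)
            print(version, text.strip(), "->", repr(parsed["tinypilot_manage_tls_keys"]),
                  "naive enabled:", manage_tls_keys_naive(parsed))
```

Whatever the cause of the behaviour reported above, `false` is the spelling that resolves to a boolean under both rule sets, so it is the portable choice for a flag whose wrong reading silently regenerates your private key.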