sandstorm icon indicating copy to clipboard operation
sandstorm copied to clipboard

Published 20 hours ago verified publisher icon sandstorm-io

Add `sandstorm tls-keys` command for uploading key/cert

Open kentonv opened this issue 4 years ago • 3 comments

We should add a new sandstorm command:

sandstorm tls-keys <key-file> <cert-chain-file>

This would simply read the two files and inject them into the database as the new TLS keys.

This would be useful for a couple situations:

  • When the current cert is invalid, it can be very hard to convince the browser to accept it. I find that even clicking through the certificate warning isn't enough because the WebSocket / XHR requests remain blocked, meaning none of the UI works (including the TLS certificate upload UI).
  • This command could be used in external scripts that update TLS certs. For example, this could allow someone to use certbot to renew certificates in the case that their DNS provider is supported by certbot but not yet by ACME.js.

The command could be implemented by reading the two files and then passing a query to mongo like:

db.settings.update({_id: 'tlsKeys'}, {$set: {value: {key: '<key-file-content>', certChain: '<cert-chain-file-content>'}}})

One catch: The mongo client program barfs when given single lines longer than 4096 characters. So, it's necessary to break up the strings across multiple lines. The query language is literally JavaScript so this could either be accomplished by defining a bunch of variables containing chunks of the text and then concatenating them, or maybe just by splitting the string literals across multiple lines with + to concatenate.

kentonv avatar May 02 '20 21:05 kentonv

If we had the control socket in place this would be a good candidate for using that; we could just call into sandstorm's frontend rather than muck with line length.

zenhack avatar May 02 '20 21:05 zenhack

This is pretty important as it isn't documented how to self install HTTPS from the start. You essentially cannot currently, because you can't reach the settings to use ACME to get a cert until you first go through configuration and setting up a user.

As a result, you have to start without https, add auth without https, login, the modify the settings there...

All this would be much easier if a user could just set the certs from CLI to begin with before initial setup.

nanoscopic avatar Apr 04 '21 08:04 nanoscopic

At some point we did add subcommands configure-acme-challenge, create-acme-account, and renew-certificate, though I see that these aren't documented anywhere except sandstorm --help; probably we should have a docs page about that too.

tls-keys would still be useful if the user wants to use something other than ACME to manage certs however.

zenhack avatar Apr 06 '21 17:04 zenhack