Closed Chrissi2812 closed 4 months ago
@Chrissi2812 Hello, (and a very late thank you for your contribution), we've updated the build/deploy scaffold for openBalena today, which includes a fairly comprehensive redesign of PKI management. We are now using our own [cert-manager](https://github.com/balena-io/cert-manager) and ca-private wrapper projects to facilitate this. These two projects use Cloudflare PKI toolkit and certbot to deliver both public and private PKI assets to openBalena.
Right now, self-signed PKI (incl. VPN assets) isn't automatically renewed when it expires. One renewal option is to simply delete the volume content in `/pki` as well as `/certs` and restart the composition. The other option would be to increment CA generations and restart.
Please feel free to reopen your PR, rebase on master and contribute anything you feel is missing or incorrect.
It's based on the steps from this forum post: https://forums.balena.io/t/psa-open-balena-certificates-expiration-management/350177/2
The script backs up the current config, renews the certificates using the old CA, and updates the server configuration files accordingly.