How to configure certificates on NervesHubWeb locally?

Hello there :slight_smile:

So I am just starting to learn about nerves hub and trying to understand the whole certificates thing. For now I am pretty lost

I’ve cloned the nerves hub web repo and set it up locally and I am able to run it.

My goal now is to be able to locally create a firmware update, sign it and send it to the server :slight_smile:

The next goal will be to make a device connect to the hub via SSL, and I am having trouble understanding how to configure that too.

So I have many questions:

  1. How do I locally generate a CA certificate?
  2. How do I upload it to my local nerves hub?
  3. How do I configure my project to sign firmware updates and publish them to the server? Do I have to generate more certificates for that? Do I need the server CA certificate in the client? (As you can see I am a complete noob when it comes to certificates and stuff like that)
  4. For the devices' SSL configuration: does that have anything to do with the server CA certificate? Do I have to generate a new set of certificates for each device for them to communicate via SSL with the hub?

I have other doubts but maybe they get solved after the previous questions get solved

Thanks for your help
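Questions 1 and 4 above describe one pattern: a private CA issues one certificate per device, and the server is given the CA certificate so it can check whichever device certificate is presented when a device connects over TLS. The script below is an added example written for this thread, not NervesHub's own tooling or instructions: it uses plain openssl to build a local CA, issue a per-device certificate, and show that a certificate issued by a different CA fails verification against the first one. The names local-dev-ca, other-ca and device-0001 are constructed placeholders, and how the CA certificate is uploaded to NervesHub is not covered here.

```shell
#!/bin/sh
# Added illustration for this thread; not NervesHub code or documentation.
# Builds a local CA, issues a device certificate from it, and checks the chain.
set -eu

# Create a self-signed CA: $1 is the output basename, $2 the CA's common name.
# Produces $1.key (private key, keep offline) and $1.pem (the public CA cert,
# which is what a server would be given to validate devices).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.pem" \
    -subj "/CN=$2" -days 3650 >/dev/null 2>&1
}

# Issue a per-device certificate: $1 is the CA basename, $2 the device
# basename, $3 the device's common name (e.g. its serial number).
# The device keeps $2.key and presents $2.pem when it connects.
issue_device_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -out "$2.pem" -days 365 >/dev/null 2>&1
}

# What the server side does on connect: accept $2.pem only if it chains to
# the trusted CA $1.pem. Returns 0 (OK) or non-zero (rejected).
verify_against_ca() {
  openssl verify -CAfile "$1.pem" "$2.pem" >/dev/null 2>&1
}

# Demo run in a scratch directory (placeholder names, constructed here).
WORK="$(mktemp -d)"
make_ca "$WORK/ca" local-dev-ca
make_ca "$WORK/other-ca" other-ca
issue_device_cert "$WORK/ca" "$WORK/device-0001" device-0001
issue_device_cert "$WORK/other-ca" "$WORK/rogue-device" rogue-device

if verify_against_ca "$WORK/ca" "$WORK/device-0001"; then
  echo "device-0001: accepted (issued by local-dev-ca)"
fi
if ! verify_against_ca "$WORK/ca" "$WORK/rogue-device"; then
  echo "rogue-device: rejected (issued by a CA the server does not trust)"
fi
```

The important split is between the two files the CA step produces: `ca.pem` is safe to hand to the server, while `ca.key` is the thing that lets anyone mint device certificates and should never leave the machine that issues them.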

Hi Jaster

I’ve been working with the Nerves Hub team on making it easier to deploy, and some of this focus was around how certificates are set up and configured.

Are you setting this up for personal use? Are you looking at deploying this to a cloud environment?

The reason I ask is because there is a way to set up Nerves Hub using published Docker images, and not have to worry about using certificates, although I would highly recommend putting this behind a load balancer that takes care of SSL termination for you.

I’ve been meaning to update the installation instructions, which I’ll get to next week, but for now I can create a little GitHub gist that explains the setup.

The caveat is that instead of using certificates for device authentication, token auth is used instead (similar to AWS S3 tokens), which simplifies setup.

Once I know your use case then I can provide a bit more information.

Thanks

Josh

1 Like

Hi Josh!

Thanks for the reply, that sounds exciting!

Well so in my case the end goal is to use nerves hub in production.

I have a bunch of IoT devices I want to deploy in the wild and I want to be able to send them updates on the fly :slight_smile:

It’d be awesome if everything could be simplified to just using Docker and tokens!

I was first trying to simulate a Proof of Concept locally, but at the end of the day the goal is to have this in production :slight_smile:

A GitHub gist would be incredibly helpful!

Thank you for your effort on the project, I’m really looking forward to what’s coming.

Sorry I now realized I didn’t tell you exactly if I want to deploy this to the cloud.

The answer is yes, I don’t know yet which cloud provider I will use though (Probably AWS).

Awesome, that information is very helpful and will allow me to whip up some instructions over the next few days.

I’ll use Fly.io as an example (as I have a dev deployment working there). It should be fairly simple to swap in AWS using their load balancer, trouble is that there are a million ways to use AWS, so using a PaaS for the example will be the easiest.

I also have the certificate approach working on Fly, but that needs some extra documentation on how to set it up.

A small extra question while I’m here, if there was a hosted Nerves Hub to use, which allowed for a number of devices to manage for free, would that be useful/interesting?

1 Like

Fly.io also works for me! I already deployed some pet projects on it and will deploy the web server for this project I’m working on there :slight_smile:

So an example focused on Fly.io would also work fantastically, thank you so much.

Honestly that would be super helpful too!

For now the idea is to have a handful of devices deployed to start testing the product in the wild, so if there was a solution that would allow me to do that as soon as possible without having to spend a lot of time on configuration (and especially the certificates part, that was the big blocker) I would most likely use that.

Then in the future I’d probably consider hosting it on my own if it gets too expensive.

Thanks for the feedback.

I’m looking at (re)starting a hosted Nerves Hub, with a fair free tier.

Depending on how many devices you are looking to connect, and if they are production/mission critical, I could invite you to my dev instance that is running.

I’ll also work on the hosting instructions (that needs to happen for everyone).

1 Like

I’d also like to note that a feature I will probably use quite often is the Remote Console Monitoring.

I saw that Nerves hub has that already implemented and it’s awesome! To be able to debug the devices directly from a remote console that is absolutely brilliant :slight_smile: