So I am just starting to learn about NervesHub and trying to understand the whole certificates thing. For now I am pretty lost.
I’ve cloned the nerves hub web repo and set it up locally and I am able to run it.
My goal now is to be able to locally create a firmware update, sign it and send it to the server.
The next goal will be to make a device connect to the hub via SSL, and I am having trouble understanding how to configure that too.
So I have many questions:
How do I locally generate a CA certificate?
How do I upload it to my local nerves hub?
How do I configure my project to sign firmware updates and publish them to the server? Do I have to generate more certificates for that? Do I need the server CA certificate in the client? (As you can see I am a complete noob when it comes to certificates and stuff like that)
For the device SSL configuration: does that have anything to do with the server CA certificate? Do I have to generate a new set of certificates for each device for them to communicate via SSL with the hub?
I have other doubts, but maybe they get solved after the previous questions get solved.
I’ve been working with the Nerves Hub team on making it easier to deploy, and some of this focus was around how certificates are set up and configured.
Are you setting this up for personal use? Are you looking at deploying this to a cloud environment?
The reason I ask is because there is a way to set up Nerves Hub using published Docker images and not have to worry about using certificates, although I would highly recommend putting this behind a load balancer that takes care of SSL termination for you.
I’ve been meaning to update the installation instructions, which I’ll get to next week, but for now I can create a little GitHub gist that explains the setup.
The caveat is that instead of using certificates for device authentication, token auth is used (similar to AWS S3 tokens), which simplifies setup.
Once I know your use case then I can provide a bit more information.
Awesome, that information is very helpful and will allow me to whip up some instructions over the next few days.
I’ll use Fly.io as an example (as I have a dev deployment working there). It should be fairly simple to swap in AWS using their load balancer, trouble is that there are a million ways to use AWS, so using a PaaS for the example will be the easiest.
I also have the certificate approach working on Fly, but that needs some extra documentation on how to set it up.
A small extra question while I’m here, if there was a hosted Nerves Hub to use, which allowed for a number of devices to manage for free, would that be useful/interesting?
For now the idea is to have a handful of devices deployed to start testing the product in the wild, so if there was a solution that would allow me to do that as soon as possible without having to spend a lot of time on configuration (and especially the certificates part, that was the big blocker) I would most likely use that.
Then in the future I’d probably consider hosting it on my own if it gets too expensive.
I’m looking at (re)starting a hosted Nerves Hub, with a fair free tier.
Depending on how many devices you are looking to connect, and if they are production/mission critical, I could invite you to my dev instance that is running.
I’ll also work on the hosting instructions (that needs to happen for everyone).
I’d also like to note that a feature I will probably use quite often is the Remote Console Monitoring.
I saw that NervesHub has that already implemented and it’s awesome! To be able to debug the devices directly from a remote console, that is absolutely brilliant.
Hi @ananth can you please be more specific? What have you tried so far? What specific issues did you run into? Can you copy and paste any errors or output you got?
The way NervesHub is currently organized is that you host 2 webservers, web and device.
The web server runs in HTTP mode, and to make it work all you need is a reverse proxy in front of it if you plan on using HTTPS. If you plan to use it for playing around, you can use only the web part of the project by specifying NERVES_HUB_APP=web. You can connect your devices to the web endpoint, but only with the shared keys option.
The device server is used when you want to use mutual SSL authentication, the security model used for production devices. This server should be exposed directly to the internet, using a reverse proxy that terminates ssl will not work, as the mechanism behind this type of authentication involves sending peer certificates from your devices.
Since the device endpoints are not accessed from a browser, you can use a self-signed CA and certificates to serve HTTPS. You can find a lot of tutorials online on how to generate your own CA and server certificates with openssl, or you can generate the same certificates with Let's Encrypt, but that is trickier as you will have to pass the challenge. The only thing to remember is to add the CA on the devices if you are using your own self-signed CA.
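The self-signed CA, device-endpoint server certificate and one device (client) certificate that the post above describes, as an added shell example that is not part of the thread or of NervesHub itself. The hostname `device.nerves-hub.example`, the device name `device-0001` and the working directory are assumptions; `openssl verify -purpose` shows why the server and device certificates are not interchangeable, which is the property mutual TLS relies on.

```shell
#!/bin/sh
# Added example, not from the thread: a throw-away CA for the NervesHub device
# endpoint, one server cert and one device (client) cert, all checked against
# the CA. Hostname, device name and the temp directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"                             # all key material goes here
DEVICE_HOST="${DEVICE_HOST:-device.nerves-hub.example}"  # assumed device-endpoint host

# Self-signed CA. ca.pem is the file the devices must trust (the post's
# "add the CA on the devices"); ca.key never leaves the signing machine.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo NervesHub CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Leaf cert signed by the CA. $1 = file stem, $2 = CN, $3 = x509v3 extensions
# (one per line). The extendedKeyUsage decides whether the cert may act as
# a TLS server or as a TLS client.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf '%b\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Exit 0 only if $1.pem chains to our CA and is valid for purpose $2
# (sslserver or sslclient): the same checks the TLS handshake performs.
verify_leaf() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

build_all() {
  make_ca
  make_leaf server "$DEVICE_HOST" \
    "extendedKeyUsage=serverAuth\nsubjectAltName=DNS:$DEVICE_HOST"
  make_leaf device1 "device-0001" "extendedKeyUsage=clientAuth"
}

build_all
echo "CA, server and device certs written to $WORK"
```

Install `ca.pem` on the devices and hand `server.pem`/`server.key` to the device endpoint; each device gets its own `deviceN.pem`/`deviceN.key` pair so a single leaked device key can be revoked without touching the others.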