You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Issues with Certbot Approach
Originally certbot was embedded into WARP VM certbot performed ACME within WARP VM to obtain a trusted TLS certificate from Lets Encrypt. This design posed several challenges:
certbot is designed for interactive users: It's snap contains boot hook that makes certbot run on startup to keep certificates up to date. This automatic behavior is undesired as we need to maintain ordering dependency between cloud-init & certbot when running on Cloud Providere VM's (cloud-init first as it sets up caching.
Pulling the TLS cert within WARP VM makes it difficult to control whether we want to pull a staging or production Lets Encrypt cert at runtime from the underlying infastructure. In its current model, whether to pull a production is set at WARP VM build time via an Ansible Var.
Proposed New Approach
Apply dependency inversion to the TLS certificates:
WARP VM expects TLS certificate & key to be configured by underlying infrastructure at /etc/ssl/certs/ttyd.pem & /etc/ssl/private/ttyd.key
This pushes down responsibility of TLS certificate provisioning & caching down to the underlying infrastructure & decouples WARM VM from Lets Encrypt certificates.
Motivation
TTYD currently exposes a unauthenticated web terminal which poses a security risk.
Proposal
Secure the TTYD web terminal with Let Encrypt TLS Certs:
/etc/ssl/certs/ttyd.pem
&/etc/ssl/private/ttyd.key
The text was updated successfully, but these errors were encountered: