TLS custom domain install-time chicken-and-egg issue #3367

kentonv opened this issue Jun 13, 2020 · 1 comment


kentonv commented Jun 13, 2020

Currently, it's extraordinarily difficult to set up Sandstorm with Let's Encrypt TLS on a non-Sandcats domain.

The basic problem is that TLS is configured via the admin UI, which itself is accessed over HTTPS. So to configure certificates, you need to already have a certificate configured. A similar problem arises if your ACME config ever breaks. Configuring TLS over HTTP is a really bad idea, because you have to enter your DNS server credentials, which is pretty much keys to your kingdom.

Currently, the only ways around the problem are excessively hard. You have to start out by configuring Sandstorm for HTTP only. Then, you could securely access the TLS config in one of the following ways:

  • Use SSH port forwarding to forward a localhost port to your server. You would need to edit your `/etc/hosts` file to map your server's hostname to temporarily, so that when you open the hostname in your browser, it goes to the forwarded port.
  • Put a reverse proxy like nginx in front of your Sandstorm server to terminate TLS temporarily. Note that the certificate you give it likely needs to be trusted by your browser, as clicking through the certificate warning doesn't seem to work on some browsers as the background XHR/WebSocket requests end up being disallowed. So, you either need to add the certificate to your trust store -- which some browsers are making increasingly hard these days -- or you need to obtain a real certificate through other means temporarily. Ugh!
  • If your Sandstorm server is on a physically secure network with your desktop/laptop, e.g. because you're running it at home, then maybe you can get away without encryption during setup.

Once you've configured TLS and fetched your first certificate, then you must edit your `/opt/sandstorm.conf` to tell it to use TLS. Specifically, you must:

  1. Add the line `HTTPS_PORT=443`. (Leave `PORT` unchanged.)
  2. Change `BASE_URL` to start with `https://` instead of `http://`.

Then, `sandstorm restart`, and now you have TLS.

To fix this, we need to add a command like `sandstorm configure-tls` that accepts configuration from the command line. should run this command as one of its last steps. But, I think we don't want this code to be part of the installer itself, because you might need it to reconfigure TLS later if your certificate becomes invalid.

The command should probably support interactive and non-interactive usage modes.

It would allow you to set up an ACME account, configure DNS, and initiate a certificate fetch, much like the existing admin UI. The interface will need to talk to the Meteor app server, probably via capnp RPC, to implement these operations, since obviously we don't want to re-implement ACME elsewhere.

@ocdtrekkie ocdtrekkie added enhancement Feature requests install-config Installation/configuration issues labels Jun 13, 2020
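
The two `/opt/sandstorm.conf` edits from the numbered steps in the issue, written as an added shell example that is not part of the original issue or of Sandstorm's own code. The function names, the `.bak` backup and the sample hostname are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Sandstorm code): apply the two config edits idempotently.
# Usage: enable_tls_conf /opt/sandstorm.conf   (then run `sandstorm restart`)
enable_tls_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    # Refuse to guess when BASE_URL is missing or is not an http(s) URL.
    grep -Eq '^BASE_URL=https?://' "$conf" || {
        echo "BASE_URL missing or not http(s) in $conf" >&2; return 1; }

    tmp=$(mktemp "${conf}.XXXXXX") || return 1

    # Step 2: change only the BASE_URL scheme. Every other line, PORT
    # included, passes through untouched.
    awk '{ sub(/^BASE_URL=http:\/\//, "BASE_URL=https://"); print }' \
        "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Step 1: add HTTPS_PORT=443 unless an HTTPS_PORT line already exists
    # (an existing value is left as the administrator set it).
    grep -q '^HTTPS_PORT=' "$tmp" || echo 'HTTPS_PORT=443' >> "$tmp"

    # Already in the desired state: change nothing, write no backup.
    if cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi

    # Keep a backup, then overwrite in place so ownership and mode survive.
    cp -p "$conf" "${conf}.bak" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample config for trying the function offline; the hostname
# is a placeholder, not a value from the issue.
write_sample_conf() {
    printf 'PORT=80\nBASE_URL=http://sandstorm.example.com\n' > "$1"
}

# Offline demonstration on the constructed sample, in a throwaway directory.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/sandstorm.conf"
enable_tls_conf "$demo_dir/sandstorm.conf" && cat "$demo_dir/sandstorm.conf"
rm -rf "$demo_dir"
```
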

Resolved via #3383.
