-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: automatically generating certs if not provided (Waku Canary) #2408
chore: automatically generating certs if not provided (Waku Canary) #2408
Conversation
You can find the image built from this PR at
Built from fe82558 |
apps/wakucanary/wakucanary.nim
Outdated
@@ -24,6 +26,7 @@ const ProtocolsTable = { | |||
}.toTable | |||
|
|||
const WebSocketPortOffset = 1000 | |||
const CertsDirectory = "./apps/wakucanary/certs" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would either make this configurable, or used some more general path like ./certs
or ./self-signed-certs
- WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes! Wasn't sure what was the best approach. Didn't want to make it configurable so we don't require another CLI flag (the whole idea is for this to happen under the hood/on its own). Also wanted to keep it inside the wakucanary
directory so it doesn't mix with other stuff.
So I assumed that the instructions are being followed literally and it would be run from the root of the repo.
But makes sense, maybe it's better to store the certs in the directory where the executable is run, and avoid errors if it's run from a different place. Fixing it now :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thanks!
My only concert about self-signed certificate is whether the nwaku
node would accept a connection from that. I think it worth to try it, if not done already.
Yes! It seems to be accepted :) Ran wakucanary trying to contact one of our fleets with that certificate and the connection was successful |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM except for the comment.
|
||
# Command to generate private key and cert | ||
let | ||
cmd = "openssl req -x509 -newkey rsa:4096 -keyout " & keyPath & " -out " & certPath & |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just wondering if we leave the CN=CommonNameOrHostname
like this, it may cause problems in case a node is validating the certificate. Can we pick this up from either system's domain name or public IP?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point! Just changed it :)
Now we use the public IP and if for some reason it cannot be retrieved then "127.0.0.1" is used.
With domain name is more problematic as we want for it to be automatic and not require any input from the user, so public IP is used instead.
WDYT?
cac0dbb
to
aab8b00
Compare
Description
Automatically generating a self signed certificate in Waku Canary if not provided and WSS is used.
Notice that the keys and certificate are generated only if
OpenSSL
is installed. It comes preinstalled in Ubuntu, other common Linux distributions and MacOS.If
openssl
command is not available and certificates are not provided, an error message is shown.Changes
How to test
make wakucanary
./build/wakucanary --address=/dns4/node-01.gc-us-central1-a.status.test.statusim.net/tcp/443/wss/p2p/16Uiu2HAmGDX3iAFox93PupVYaHa88kULGqMpJ7AEHGwj3jbMtt76 --protocol=relay
Issue
closes #2349