chore: automatically generating certs if not provided (Waku Canary) #2408
Conversation
|
You can find the image built from this PR at Built from fe82558 |
apps/wakucanary/wakucanary.nim
Outdated
| @@ -24,6 +26,7 @@ const ProtocolsTable = { | |||
| }.toTable | |||
|
|
|||
| const WebSocketPortOffset = 1000 | |||
| const CertsDirectory = "./apps/wakucanary/certs" | |||
There was a problem hiding this comment.
I would either make this configurable, or used some more general path like ./certs or ./self-signed-certs - WDYT?
There was a problem hiding this comment.
Yes! Wasn't sure what was the best approach. Didn't want to make it configurable so we don't require another CLI flag (the whole idea is for this to happen under the hood/on its own). Also wanted to keep it inside the wakucanary directory so it doesn't mix with other stuff.
So I assumed that the instructions are being followed literally and it would be run from the root of the repo.
But makes sense, maybe it's better to store the certs in the directory where the executable is run, and avoid errors if it's run from a different place. Fixing it now :)
Yes! It seems to be accepted :) Ran wakucanary trying to contact one of our fleets with that certificate and the connection was successful |
|
|
||
| # Command to generate private key and cert | ||
| let | ||
| cmd = "openssl req -x509 -newkey rsa:4096 -keyout " & keyPath & " -out " & certPath & |
There was a problem hiding this comment.
Just wondering if we leave the CN=CommonNameOrHostname like this, it may cause problems in case a node is validating the certificate. Can we pick this up from either system's domain name or public IP?
There was a problem hiding this comment.
Good point! Just changed it :)
Now we use the public IP and if for some reason it cannot be retrieved then "127.0.0.1" is used.
With domain name is more problematic as we want for it to be automatic and not require any input from the user, so public IP is used instead.
WDYT?
gabrielmer
force-pushed
the
chore-automatically-generating-certificates-for-wakucanary
branch
from
cac0dbb
to
aab8b00
Compare
gabrielmer
deleted the
chore-automatically-generating-certificates-for-wakucanary
branch
Description
Automatically generating a self signed certificate in Waku Canary if not provided and WSS is used.
Notice that the keys and certificate are generated only if
OpenSSLis installed. It comes preinstalled in Ubuntu, other common Linux distributions and MacOS.If
opensslcommand is not available and certificates are not provided, an error message is shown.Changes
How to test
make wakucanary./build/wakucanary --address=/dns4/node-01.gc-us-central1-a.status.test.statusim.net/tcp/443/wss/p2p/16Uiu2HAmGDX3iAFox93PupVYaHa88kULGqMpJ7AEHGwj3jbMtt76 --protocol=relayIssue
closes #2349