I’m working on an OpenShift deployment of Mender. The cluster we’re using has certs which can be supplied automatically by the OpenShift routes. And, importantly, the private parts of those certs cannot be placed in the Mender application.
Is it possible to run the API Gateway in non-ssl mode?
I had something slightly similar when I was setting up Mender in ECS. Everything is behind load balancers that already handle SSL.
I solved it by adding Certbot to the API gateway Docker image. I let Certbot manage the local certificates on the API gateway instances automatically.
I extended the original Docker image with an entrypoint script that wraps the original entrypoint script to set up certbot before starting Nginx.
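As an added illustration of the wrapper approach described above (this is example code, not the poster's script and not part of Mender's image), the script below obtains a certificate with certbot only when none is already on disk and then execs the image's original entrypoint so Nginx still runs as PID 1. The path of the wrapped entrypoint (`/docker-entrypoint.sh`), the certbot live directory, and the `DOMAIN` / `CERTBOT_EMAIL` variables are assumptions.

```shell
#!/bin/sh
# Added example wrapper entrypoint (not Mender's own code, not the poster's script).
# Assumed layout: the image's original entrypoint lives at /docker-entrypoint.sh and
# certbot writes to its default /etc/letsencrypt/live/<domain>/ directory.
set -eu

ORIG_ENTRYPOINT="${ORIG_ENTRYPOINT:-/docker-entrypoint.sh}"   # assumed path of the wrapped script
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live}"                 # certbot's default live directory
CERTBOT_BIN="${CERTBOT_BIN:-certbot}"

# certs_present DIR DOMAIN: succeeds if both the chain and the private key exist and are non-empty.
certs_present() {
    [ -s "$1/$2/fullchain.pem" ] && [ -s "$1/$2/privkey.pem" ]
}

# certbot_args DOMAIN EMAIL: prints the non-interactive 'certonly' argument list.
# --keep-until-expiring makes a re-run a no-op while the existing cert is still valid.
certbot_args() {
    printf 'certonly --standalone --non-interactive --agree-tos --keep-until-expiring -m %s -d %s' "$2" "$1"
}

# ensure_cert DIR DOMAIN EMAIL: call certbot only when no usable certificate is on disk,
# so container restarts do not burn through issuance rate limits.
ensure_cert() {
    if certs_present "$1" "$2"; then
        echo "wrapper: reusing certificate for $2 in $1/$2"
        return 0
    fi
    echo "wrapper: requesting certificate for $2"
    # shellcheck disable=SC2046 -- splitting the argument string into words is intended
    "$CERTBOT_BIN" $(certbot_args "$2" "$3")
}

main() {
    : "${DOMAIN:?wrapper: DOMAIN must be set}"
    : "${CERTBOT_EMAIL:?wrapper: CERTBOT_EMAIL must be set}"
    ensure_cert "$CERT_DIR" "$DOMAIN" "$CERTBOT_EMAIL"
    # exec replaces this shell, so stop signals from the orchestrator reach Nginx directly.
    exec "$ORIG_ENTRYPOINT" "$@"
}

# Only take over when the wrapped entrypoint actually exists, i.e. inside the built image.
if [ -x "$ORIG_ENTRYPOINT" ]; then
    main "$@"
fi
```

Note that this only handles initial issuance: the certificate is not renewed while the container keeps running, so you still need a scheduled `certbot renew` (plus an Nginx reload) or a deployment that recycles the instances well inside the certificate lifetime.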
You mean the mender client on the device? You only need to install the server.crt on the device when working with self-signed certificates on the backend. When you use certificates that are backed by a public certificate authority you only need to make sure the ca-certificates package is installed on the device.