Launch Nexus using a self-signed x.509 certificate (#1287)

smklein · web-flow · commit a0e5d59a3190 · 2022-06-28T19:56:11.000Z
Part of #249 This PR forces Nexus's external interface to be served via HTTPS when deployed by the sled-agent. - The packaging system expects to find these certificates within `./out/certs`, named `cert.pem` and `key.pem`. - `./tools/create_self_signed_cert.sh` is capable of creating a self-signed certificate.
diff --git a/docs/how-to-run.adoc b/docs/how-to-run.adoc
@@ -43,6 +43,13 @@ the networking bits are temporary, so a reboot should always clear them.
 
 Both scripts must be run as root, e.g, `pfexec ./tools/create_virtual_hardware.sh`.
 
+=== Make me a certificate!
+
+Nexus's external interface will typically be served using public-facing x.509
+certificate. While we are still configuring the mechanism to integrate this real
+certificate into the package system, `./tools/create_self_signed_cert.sh` can be
+used to generate an equivalent self-signed certificate.
+
 == Deploying Omicron
 
 The control plane repository contains a packaging tool which bundles binaries
diff --git a/package-manifest.toml b/package-manifest.toml
@@ -25,6 +25,14 @@ to = "/var/svc/manifest/site/nexus"
 [[package.omicron-nexus.paths]]
 from = "out/console-assets"
 to = "/var/nexus/static"
+# Note, we could just map the whole "out/certs" directory, but this ensures
+# both files exist.
+[[package.omicron-nexus.paths]]
+from = "out/certs/cert.pem"
+to = "/var/nexus/certs/cert.pem"
+[[package.omicron-nexus.paths]]
+from = "out/certs/key.pem"
+to = "/var/nexus/certs/key.pem"
 
 [package.oximeter-collector]
 rust.binary_names = ["oximeter"]
diff --git a/sled-agent/src/services.rs b/sled-agent/src/services.rs
@@ -324,7 +324,12 @@ impl ServiceManager {
                         dropshot_external: ConfigDropshot {
                             bind_address: SocketAddr::V6(external_address),
                             request_body_max_bytes: 1048576,
-                            ..Default::default()
+                            tls: Some(
+                                dropshot::ConfigTls {
+                                    cert_file: PathBuf::from("/var/nexus/certs/cert.pem"),
+                                    key_file: PathBuf::from("/var/nexus/certs/key.pem"),
+                                }
+                            ),
                         },
                         dropshot_internal: ConfigDropshot {
                             bind_address: SocketAddr::V6(internal_address),
diff --git a/tools/create_self_signed_cert.sh b/tools/create_self_signed_cert.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Creates a self-signed certificate.
+#
+# For those with access, certificates are available in:
+#
+# https://github.com/oxidecomputer/configs/tree/master/nginx/ssl/wildcard.oxide-preview.com
+
+set -eu
+
+# Set the CWD to Omicron's source.
+SOURCE_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+cd "${SOURCE_DIR}/.."
+
+OUTPUT_DIR="out/certs"
+CERT_PATH="$OUTPUT_DIR/cert.pem"
+KEY_PATH="$OUTPUT_DIR/key.pem"
+
+mkdir -p "$OUTPUT_DIR"
+
+openssl req -newkey rsa:4096 \
+            -x509 \
+            -sha256 \
+            -days 3650 \
+            -nodes \
+            -out "$CERT_PATH" \
+            -keyout "$KEY_PATH" \
+            -subj '/CN=localhost'
