[RFC] self-signed certificates for LuCI
Michael Richardson
mcr at sandelman.ca
Mon Aug 31 14:06:49 EDT 2020
Bjørn Mork <bjorn at mork.no> wrote:
>> I have running code that deploys LetsEncrypt certificates to devices in the
>> "factory". This requires a DNS name for dns-01 challenge.
>> That's clearly not feasible for random end-users who flash openwrt on their own.
>> I would like to explore some additional options here.
> Do you set up the device to periodically renew this certificate? Or do
> you let your managment system renew and push? What if the device is
> disconnected for longer periods? Will the certifcate be renewed on next
> boot?
Both are problems and todos.
Do don't push certificates, we will pull them when we write the renewal code.
If the device is disconnected for a long period, and then is reconnected,
then it will be renewed on next boot.
The *challenge* is that the device might get connectivity until a human puts a
correct PPPoE username/password into it.
This is not a problem in every environment.
In some places, PPPoE is on the wane because of FTTH, in others, it is used
even more thanks to FTTN deployments... Often TPIA is only meaningfully
deployable when there is PPPoE.
That might not be possible until the device has a valid certificate on it...
I am considering if we can retrieve the valid certificate using an App,
(via LTE) and then push it to the device using HTTP. It's public info,
and it's easy to validate if the device got a correct certificate.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20200831/ae7592e3/attachment.sig>
More information about the openwrt-devel
mailing list