Documentation for how to use TLS connection type without self-signed certs #703
Replies: 1 comment
Sorry for the late reply. The zrepl TLS transport is basically mutual TLS. Unlike, say, HTTPS, the serving-side needs to know the client. Technically, you could use the LetsEncrypt CA as the If the Let's Encrypt CA is part of the system trust store (it usually is), you could use that as the However, I don't know if it's advisable to use LetsEncrypt-Issued certs for mTLS. Also, operationally, zrepl doesn't support hot-reloading of TLS certs (#202). Moving this to Q&A.
Use case: I have a server that already automatically refreshes its certificates with LetsEncrypt via ACME -- meaning that my certs are verifiable against the root certificate distributed with most operating systems and devices.

Consequently, the whole step where the client needs its own ca/cert/key files does not make sense. Despite this, zrepl seems to ignore the root certs on the device by default, rather than trying to connect as a normal HTTPS client would. I get an error if I try to omit the self-signed cert on the push job.

Please tell me if this is a supported feature, and if so, how I can handle a conventional root-signed certificate.
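The mutual-TLS point from the maintainer's reply, shown as an added example that is not zrepl's own code: a Go server configured with RequireAndVerifyClientCert against a shared CA admits a client that presents a certificate issued by that CA and rejects one that only verifies the server, which is all an ordinary HTTPS client does. The issue, tryConnect and Demo helpers and the demo-ca/server/client certificates are constructed for this example; it assumes loopback TCP is available and that Demo() is driven from a main or a test.

```go
package main

import ("crypto"; "crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/tls"; "crypto/x509"; "crypto/x509/pkix"; "io"; "math/big"; "time")

// issue returns a TLS key pair for cn signed by ca/caKey (a self-signed CA when ca is nil) plus its parsed cert.
func issue(cn string, isCA bool, ca *x509.Certificate, caKey crypto.PrivateKey) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if ca == nil {
		ca, caKey = tmpl, key // constructed demo CA: self-signed
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert
}

// tryConnect reports whether the server at addr admitted a client using cfg: a clean close (EOF) follows a completed mutual handshake, a rejected client-cert check arrives as a TLS alert.
func tryConnect(addr string, cfg *tls.Config) bool {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		defer conn.Close()
		_, err = conn.Read(make([]byte, 1))
	}
	return err == io.EOF
}

// Demo mints one CA plus server and client leaves, serves with client-cert verification required (what zrepl's tls transport amounts to) and returns (admitted with a client cert, admitted without one).
func Demo() (bool, bool, error) {
	caTLS, caCert := issue("demo-ca", true, nil, nil)
	srvTLS, _ := issue("server", false, caCert, caTLS.PrivateKey)
	cliTLS, _ := issue("client", false, caCert, caTLS.PrivateKey)
	pool := x509.NewCertPool() // stands in for the "ca" file each zrepl side is configured with
	pool.AddCert(caCert)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvTLS}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return false, false, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake() // fails unless the client presents a cert chaining to pool
			c.Close()                 // sends close_notify only after a completed handshake
		}
	}()
	noCert := &tls.Config{RootCAs: pool, ServerName: "server"} // verifies the server only, as an HTTPS client would
	withCert := &tls.Config{RootCAs: pool, ServerName: "server", Certificates: []tls.Certificate{cliTLS}}
	return tryConnect(ln.Addr().String(), withCert), tryConnect(ln.Addr().String(), noCert), nil
}
```

Demo() returns (true, false, nil): the client holding a cert from the shared CA gets in, the HTTPS-style client without one is rejected even though it trusts the server's CA.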