2

When adding a new cluster the following command must be used:

flynn cluster add -p <tls pin> <cluster name> <controller domain> <controller key>

Where do you obtain the <tls pin>?

3 Answers

7

You can generate the TLS Pin with the following command:

openssl s_client -connect controller.$CLUSTER_DOMAIN:443 \
  -servername controller.$CLUSTER_DOMAIN 2>/dev/null </dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  | openssl x509 -inform PEM -outform DER \
  | openssl dgst -binary -sha256 \
  | openssl base64

(be sure to set CLUSTER_DOMAIN first, e.g. CLUSTER_DOMAIN=xxxx.flynnhub.com)

Robin Daugherty
jvatic
  • 1
    It's worth noting that this is only necessary if you have lost the `flynn cluster add` command (printed at the end of manual installation) and the `~/.flynnrc` file created by that command or `flynn install`. – titanous Oct 19 '16 at 19:50
1

If you set up a client machine with the Flynn CLI, you can find the TLS pin in the ~/.flynnrc file on that machine. It looks like this:

[[cluster]]
  Name = "flynn-cluster"
  Key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  TLSPin = "------> THE TLS PIN <-------"
  ControllerURL = "https://controller.xxxx.flynnhub.com"
  GitURL = "https://git.xxxx.flynnhub.com"
Robin Daugherty
Simon Soriano
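Added example (not from any of the answers, and not Flynn's own code): the pin produced by the openssl pipeline above is base64(SHA-256(DER certificate)), so it can be recomputed in Python and compared with the TLSPin stored in ~/.flynnrc-style text. The function names are hypothetical, and the certificate bytes, key and URL are constructed placeholders.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def tls_pin(pem_text: str) -> str:
    """Return base64(SHA-256(DER)) of the first certificate in pem_text.

    Text around the PEM block is ignored, and only the first block is
    hashed, matching what `openssl x509` reads from the sed output.
    """
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def pins_in_flynnrc(text: str) -> dict:
    """Map cluster Name -> TLSPin for each [[cluster]] block."""
    pins = {}
    for block in text.split("[[cluster]]")[1:]:
        fields = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', block, re.M))
        if "Name" in fields:
            pins[fields["Name"]] = fields.get("TLSPin", "")
    return pins


def pin_matches(pem_text: str, flynnrc_text: str, cluster: str) -> bool:
    """True only if the cluster has a stored pin equal to the computed one."""
    stored = pins_in_flynnrc(flynnrc_text).get(cluster, "")
    return bool(stored) and stored == tls_pin(pem_text)


# Constructed sample input: placeholder bytes, not a real X.509 certificate.
# The pin depends only on the DER bytes, so this is enough to show the math.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_FLYNNRC = f'''[[cluster]]
  Name = "flynn-cluster"
  Key = "constructed-key"
  TLSPin = "{tls_pin(SAMPLE_PEM)}"
  ControllerURL = "https://controller.example.invalid"
'''

if __name__ == "__main__":
    print(tls_pin(SAMPLE_PEM))
    print(pin_matches(SAMPLE_PEM, SAMPLE_FLYNNRC, "flynn-cluster"))
```

A mismatch between the stored pin and one computed from the live endpoint means the certificate being served is not the one the client pinned, which is worth investigating before replacing the pin.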
1

The answer from jvatic didn't work with a self-signed cert for me, so I obtained the TLS pin by logging into a Flynn node and running this bash one-liner monstrosity on it:

flynn-host inspect $(flynn-host ps | grep router | head -n1 | cut -f1 -d ' ') | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
    sed -e 's/ENV\[TLSCERT\]\s\+//g' | \
    openssl x509 -inform PEM -outform DER | \
    openssl dgst -binary -sha256 | openssl base64
Robin Daugherty
Onni Hakala