I have Kopia operating behind a reverse proxy, and so far everything is good, but I am wondering what happens in 90 days when my initial Let's Encrypt certificate renews.
For clients which have already connected and authenticated using the previous certificate fingerprint, will it be necessary to update them with the new fingerprint, and if so, does a mechanism exist to automagically do that unattended?
It occurs to me that manually updating many clients every 90 days would be painful, and most probably not viable long term.
I am not quite sure if this will help, but have you looked at the --server-cert-fingerprint option? See repository connect server | Kopia
Right, actually it is this to which I am referring.
Today, after force-renewing the Let's Encrypt certificate, I have observed that its fingerprint has indeed changed, with the knock-on effect that Kopia clients no longer connect.
failed to open repository: unable to establish session for purpose=: error establishing session: Session(): rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: can't find certificate matching SHA256 fingerprint \"a26de3265915d9d7d1eb7453d8e6dcb5cc634d28ce443960c57717ae2ed70e1a\" (server had [d4ad0d4226d5bf8f25862c5a0fce96dd341eb4b0518bc3d55357599f2d92e8d1 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd])"
ERROR: open repository: unable to open repository: unable to establish session for purpose=: error establishing session: Session(): rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: can't find certificate matching SHA256 fingerprint \"a26de3265915d9d7d1eb7453d8e6dcb5cc634d28ce443960c57717ae2ed70e1a\" (server had [d4ad0d4226d5bf8f25862c5a0fce96dd341eb4b0518bc3d55357599f2d92e8d1 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd])"
It would be good to know how other users handle short-lived certificates; even those which renew annually could introduce a fair amount of client maintenance.
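As an added example for the --server-cert-fingerprint reply and the handshake error quoted above (this is illustrative code, not Kopia's own, and not from either poster): the script below derives the value that option pins, parses the "server had [...]" list out of the error, checks whether a stored pin still matches any certificate the server presents, and shows how an unattended job could fetch the freshly served certificate after a renewal and build the reconnect command. Assumptions: the pin is SHA256 over the DER-encoded certificate in lowercase hex (this matches the form the error prints, but is stated here as an assumption); the host, port, --url value and the surrounding cron job are placeholders; the PEM constant is a constructed stand-in, not a real certificate. The sample error text is the one from the post, quoted as logged.

```python
# Added example, not Kopia's code. Assumption: --server-cert-fingerprint is
# SHA256 over the certificate's DER bytes, written as lowercase hex, which is
# the form the handshake error above prints.
import hashlib
import re
import socket
import ssl


def der_fingerprint(der: bytes) -> str:
    """SHA256 of a DER-encoded certificate, lowercase hex, no colons."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem: str) -> str:
    """Same pin, starting from a PEM file such as Let's Encrypt's cert.pem."""
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def fetch_served_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Pin of the leaf certificate the server currently presents.

    Chain verification is switched off on purpose: we only want the raw bytes
    to hash, and the pin we derive is what authenticates the server afterwards.
    Run this from a host that already trusts its network path to the server.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return der_fingerprint(tls.getpeercert(binary_form=True))


# Matches the kopia error with or without the backslash-escaped quotes seen in
# the logged text: ... fingerprint "<pinned>" (server had [<fp> <fp>])
_MISMATCH = re.compile(
    r"can't find certificate matching SHA256 fingerprint \\?\"([0-9a-f]{64})\\?\""
    r" \(server had \[([0-9a-f ]+)\]\)"
)


def parse_mismatch(err: str):
    """Return (pinned, [fingerprints the server sent]) from the error, or None."""
    m = _MISMATCH.search(err)
    if not m:
        return None
    return m.group(1), m.group(2).split()


def normalize(fp: str) -> str:
    """Accept openssl-style 'AB:CD:..' or bare hex in either case."""
    return fp.replace(":", "").lower()


def pin_is_current(pinned: str, served: list) -> bool:
    """The error text says the pin must match one of the certificates served."""
    return normalize(pinned) in {normalize(s) for s in served}


def reconnect_command(url: str, fingerprint: str) -> list:
    """argv for re-pinning a client; the --url value is a placeholder."""
    return ["kopia", "repository", "connect", "server",
            f"--url={url}", f"--server-cert-fingerprint={fingerprint}"]


# Constructed input: the handshake error from the post above, quoted as logged.
SAMPLE_ERROR = (
    r"transport: authentication handshake failed: can't find certificate "
    r"matching SHA256 fingerprint \"a26de3265915d9d7d1eb7453d8e6dcb5cc634d28ce443960c57717ae2ed70e1a\" "
    r"(server had [d4ad0d4226d5bf8f25862c5a0fce96dd341eb4b0518bc3d55357599f2d92e8d1 "
    r"67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd])"
)

# Constructed placeholder, NOT a real certificate: base64 of b"abc" inside PEM
# armor, enough to show that only the decoded DER bytes are hashed.
PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pinned, served = parse_mismatch(SAMPLE_ERROR)
    print("stored pin still accepted:", pin_is_current(pinned, served))
    # Unattended refresh after a renewal (placeholder host and URL):
    #   new_pin = fetch_served_fingerprint("backup.example.org", 443)
    #   subprocess.run(reconnect_command("https://backup.example.org", new_pin))
    print(" ".join(reconnect_command("https://backup.example.org", served[0])))
```

Two practical notes. First, Let's Encrypt issues a new key pair on each renewal unless the ACME client is told to reuse the key, so the leaf fingerprint changes every 90 days by default; a refresh job like the above has to run after each renewal (a certbot deploy hook is the usual trigger) rather than on a fixed schedule. Second, fetching the new pin over the network and blindly trusting it turns the pin into trust-on-first-use for that renewal window; if that is unacceptable, derive the pin on the server from cert.pem with pem_fingerprint and distribute it to clients over a channel you already trust.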