Devices authenticate using mTLS and your FoundriesFactory® PKI. You will need access to your Factory CA in order to create a TLS certificate for device-facing APIs.
Download the latest update server from:
https://github.com/foundriesio/update-server/releases
Save as fioserver.
For Linux and Mac, make sure to chmod +x fioserver.
Devices need to trust the TLS connection they make to this server. In order to do this, you must create a CSR to be signed with the Factory root key:
./fioserver --datadir=./datadir create-csr --dnsname <HOSTNAME> --factory <FACTORY>
Copy datadir/certs/tls.csr to the computer with your factory PKI. This
file does not contain sensitive information, so it is safe to share as
needed. From the factory PKI directory run:
fioctl keys ca sign --pki-dir <path to your factory pki> <path to tls.csr>
This command will print the contents of the certificate. The contents are
not sensitive. Go back to the update server system and create the
file datadir/certs/tls.pem with this content.
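Before starting the server it is worth confirming that the certificate you pasted into datadir/certs/tls.pem really chains to your Factory CA and names <HOSTNAME> in its SAN, because those are exactly the two things a connecting device will enforce. The Go program below is an added example, not code from update-server or fioctl: VerifyServerCert takes the PEM contents and the Factory root CA certificate in PEM form (exporting that CA certificate from your PKI directory is assumed and not shown), and NewTestPair constructs a throwaway CA and server certificate so the check can be exercised offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyServerCert checks that certPEM (the content of datadir/certs/tls.pem) chains to a CA in caPEM and that its SAN covers hostname.
func VerifyServerCert(certPEM, caPEM []byte, hostname string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE block in tls.pem")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate found in CA PEM")
	}
	// DNSName makes Verify reject a certificate whose SAN does not cover <HOSTNAME>.
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

// mustCertPEM signs tmpl with the parent's key and returns it PEM-encoded; test fixture helper only.
func mustCertPEM(tmpl, parent *x509.Certificate, pub, priv any) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// NewTestPair builds a throwaway CA and a server cert for hostname (constructed test material, not Factory PKI output).
func NewTestPair(hostname string) (certPEM, caPEM []byte) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-factory-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{hostname}, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter}
	return mustCertPEM(leaf, ca, leafKey.Public(), caKey), mustCertPEM(ca, ca, caKey.Public(), caKey)
}
```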
This service needs to know what devices can connect to it. You can allow all valid factory devices to connect with:
fioctl keys ca show --just-device-cas > datadir/certs/cas.pem
The update server includes a few authentication providers
for user-facing APIs. The "noauth" provider is handy for starting up a
quick local environment for testing and evaluation. Running
auth-init --test will set up an HMAC encryption key for API
tokens and web sessions, as well as the "noauth" provider.
./fioserver --datadir=./datadir auth-init --test
./fioserver serve --datadir=datadir
You can browse the UI at http://localhost:8080/
Devices can now connect to the server.
The /var/sota/sota.toml file has several "server" settings that need to point
to this new server:
tls.server
provision.server
uptane.repo_server
pacman.ostree_server
pacman.compose_apps_proxy = "https://<HOSTNAME>:8443/app-proxy-url"