Forum Discussion
XIII (Trusted Contributor), 3 years ago
How to set up TLS for 1Password Connect?
The documentation on setting up TLS for 1Password Connect is too brief for me...
- Where do I need to set OP_HTTPS_PORT? (On the Pi running Connect? On each client running the CLI? On all of them?)
- Which changes do I need to make to the Docker compose file? (if any)
- How can I verify that HTTPS is used?
- How can I verify that HTTP is no longer used?
1Password Version: 1Password CLI 2.0.0
Extension Version: n/a
OS Version: Raspberry Pi OS (bullseye, 32 bit)
- Former Member
Hi,
Thanks for reaching out. We're on a continuous journey to improve our docs, so telling us what parts aren't 100% clear is really valuable feedback!
To help you as well as possible, could you help me understand your specific use-case a bit better?
- Should this Connect instance be reachable from the public internet?
- If so, do you have a domain that can (or already does) point to the Raspberry Pi?
This could help me understand whether we can better use Let's Encrypt or create a self-signed TLS-certificate. We can help you out with either option.
Joris
- XIII (Trusted Contributor)
- I do not want the 1Password Connect server to be publicly available from the internet.
- I do have a domain (and a Let's Encrypt wildcard TLS certificate for that domain) that I can redirect to the Pi; either via the (Cloudflare) DNS settings of that domain or via a NextDNS "rewrite" (1p-connect.domain.com -> pi.home.lan?).
I still want to use TLS on my LAN.
- XIII (Trusted Contributor)
I really need your help here!
This is what I tried:
For 1Password Connect:
OP_HTTPS_PORT=18843
OP_TLS_KEY_FILE=/usr/local/etc/1password/privkey.pem
OP_TLS_CERT_FILE=/usr/local/etc/1password/cert.pem
For 1Password CLI:
OP_CONNECT_HOST=https://1password.domain.com:18843
Set up a NextDNS rewrite (mapping the domain name to the IP address of my Raspberry Pi):
1password.domain.com = 192.168.1.102
$ dig +short 1password.domain.com
192.168.1.102
However:
op read op://Vault/account/password
[ERROR] 2022/03/16 22:18:49 could not read secret op://Vault/account/password: could not retrieve vaults: Get "https://1password.domain.com:18843/v1/vaults": http: server gave HTTP response to HTTPS client
- XIII (Trusted Contributor)
I was hoping this post would help: https://1password.community/discussion/121733/https-support-on-the-api
I seem to get a little further:
$ journalctl -f -u 1password-connect
-- Journal begins at Thu 2022-03-10 09:08:15 CET. --
Mar 16 23:11:13 pi docker-compose[11193]: 1password-connect-sync | {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-03-16T22:11:13.805333444Z","level":2}
Mar 16 23:11:13 pi docker-compose[11193]: 1password-connect-api | {"log_message":"(I) configured for HTTPS with custom configuration","timestamp":"2022-03-16T22:11:13.872360052Z","level":3}
Mar 16 23:11:13 pi docker-compose[11193]: 1password-connect-api | {"log_message":"(I) starting 1Password Connect API ...","timestamp":"2022-03-16T22:11:13.873309733Z","level":3}
Mar 16 23:11:13 pi docker-compose[11193]: 1password-connect-api | {"log_message":"(I) serving on :18843","timestamp":"2022-03-16T22:11:13.873427753Z","level":3}
However:
$ op read op://Vault/account/password
[ERROR] 2022/03/16 23:16:39 could not read secret op://Vault/account/password: could not retrieve vaults: Get "https://1password.domain.com:18843/v1/vaults": dial tcp 192.168.1.102:18843: connect: connection refused
Note that I have this firewall rule:
$ ufw status
18843/tcp ALLOW 192.168.0.0/16
- XIII (Trusted Contributor)
@1PBusinessUser Would you be willing to share your setup?
Unfortunately 1Password has still not documented this and is a bit slow to respond...
- Former Member
Sorry for the delayed reply. Contrary to most folks at 1Password, I live in Europe. So I sign off a bit earlier than you might be used to from my colleagues.
I do see you made some great progress! Looking at Connect's logs, it seems to be listening to HTTPS traffic only.
Could you check if port 18843 is also specified in the docker-compose.yml? Now that Connect is listening on port 18843, we have to make sure that Docker is also forwarding that port. You can do that by changing the ports section of the connect-api container:
services:
  connect-api:
    # left out some stuff here
    ports:
      - "18843:18843"
    # left out more stuff here
Let me know if that helps.
Joris
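The mismatch in this thread (Connect listening on OP_HTTPS_PORT=18843 inside the container while the compose file published 18843:8843, giving "connection refused") is easy to catch before running the CLI. The following is an added example written for this thread, not 1Password's code; it assumes the OP_* variables are set in the compose file's environment: section of the connect-api service (an assumption; the thread does not say where they live), parses that section with a small line-based reader so no YAML library is needed, and checks that the container port is actually published and that OP_CONNECT_HOST points at the published host port over https. The compose text below is constructed to mirror the thread.

```python
"""Consistency check for a 1Password Connect TLS setup (added example, not
1Password's code).  Checks that the port Connect listens on inside the
container (OP_HTTPS_PORT) is published by the compose `ports:` mapping and
that the CLI's OP_CONNECT_HOST uses https and the published host port."""
from urllib.parse import urlsplit

# Constructed sample compose file mirroring the thread.  The "18843:8843"
# mapping is the one that produced "connection refused"; the env vars are
# assumed to live in the service's environment: section.
COMPOSE_BROKEN = """\
services:
  connect-api:
    image: 1password/connect-api:latest
    environment:
      - OP_HTTPS_PORT=18843
      - OP_TLS_KEY_FILE=/usr/local/etc/1password/privkey.pem
      - OP_TLS_CERT_FILE=/usr/local/etc/1password/cert.pem
    ports:
      - "18843:8843"
"""
COMPOSE_FIXED = COMPOSE_BROKEN.replace('"18843:8843"', '"18843:18843"')


def parse_connect_api(compose_text):
    """Minimal reader for the connect-api service: returns (env dict,
    list of (host_port, container_port)).  Handles only the two-space
    indented layout used above; it is not a general YAML parser."""
    env, ports = {}, []
    in_service, section = False, None
    for raw in compose_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 2 and line.endswith(":"):        # a service name
            in_service, section = (line == "connect-api:"), None
            continue
        if not in_service:
            continue
        if indent == 4 and line.endswith(":"):        # environment:/ports:/...
            section = line[:-1]
            continue
        if section == "environment" and line.startswith("- "):
            key, _, value = line[2:].partition("=")
            env[key.strip()] = value.strip()
        elif section == "ports" and line.startswith("- "):
            parts = line[2:].strip().strip("\"'").split(":")
            container = parts[-1].split("/")[0]       # drop an optional /tcp
            host = parts[-2] if len(parts) >= 2 else container
            ports.append((host, container))
    return env, ports


def check_tls_setup(compose_text, op_connect_host):
    """Return a list of findings; an empty list means the setup is consistent."""
    env, ports = parse_connect_api(compose_text)
    findings = []
    https_port = env.get("OP_HTTPS_PORT")
    if not https_port:
        findings.append("OP_HTTPS_PORT not set: Connect will serve plain HTTP")
        return findings
    for var in ("OP_TLS_KEY_FILE", "OP_TLS_CERT_FILE"):
        if var not in env:
            findings.append(f"{var} not set")
    published = {container: host for host, container in ports}
    if https_port not in published:
        shown = ", ".join(f"{h}:{c}" for h, c in ports) or "(none)"
        findings.append(f"container port {https_port} is not published; ports: has {shown}")
        return findings
    url = urlsplit(op_connect_host)
    if url.scheme != "https":
        findings.append(f"OP_CONNECT_HOST uses {url.scheme!r}, not https")
    cli_port = str(url.port or 443)
    if cli_port != published[https_port]:
        findings.append(f"OP_CONNECT_HOST port {cli_port} != published host port {published[https_port]}")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", COMPOSE_BROKEN), ("fixed", COMPOSE_FIXED)):
        print(label, check_tls_setup(text, "https://1password.domain.com:18843") or "OK")
```

Run it against your real docker-compose.yml and the OP_CONNECT_HOST value from the client; the first finding is the one to fix, since a missing port mapping hides everything after it.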
- XIII (Trusted Contributor)
This post was exactly what I needed. Thanks!
I was using 18843:8843 instead of 18843:18843... It works now!
PS: I live in Europe too. Good to know that 1Password has a presence in Europe and respects business hours. Maybe I should look for job openings someday...
- XIII (Trusted Contributor)
Partially off-topic, but security related, so I hope it's allowed:
I would like the *.pem files to only be readable by root, but still share them with the Docker container. Is this possible? If so, how? If not, what's the best practice here?
(I'm relatively new to Docker...)
- Former Member
> It works now!
Awesome!
> Partially off-topic, but security related, so I hope it's allowed:
> I would like the *.pem files to only be readable by root, but still share them with the Docker container.
> Is this possible? If so, how? If not, what's the best practice here?
Of course that is allowed! Unfortunately, it is somewhat of a problematic thing with Docker. There is no way to mount a file with different permissions than on the host. That means that if the file is accessible by root only, the container has to run as root to read the file. The latter is generally considered to be a bad practice. That is also the reason why Connect's images use a custom user. What you can give a try though, is:
sudo chown 999 <pem-file>
and
sudo chmod 600 <pem-file>
That will make the user with UID 999 (the UID that is used within Connect's containers) owner of the file and the only user that can read it. Connect should still be able to read the file and any user except for user 999 and root should not be able to read it.
- XIII (Trusted Contributor)
Unfortunately I already have a user with UID 999 for other purposes.
Maybe I can change that? I'm afraid that will break a lot on my Pi...
https://www.thegeekdiary.com/how-to-correctly-change-the-uid-and-gid-of-a-user-group-in-linux/
Will I break Connect if I try to change the UID in the container instead, using this?
user: "<some uid other than 999>:<some gid>"
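Whatever UID the container ends up running as (999 per the reply above, or whatever a user: override in the compose file names), the rule on the host side is the same: the key file must be mode 600 and owned by exactly that UID, otherwise either the container cannot read it or other local accounts can. The following is an added example written for this thread, not 1Password's code, and it makes no claim about whether Connect itself works with a UID other than 999; it audits a key file's mode and owner against the intended container UID, parses a compose user: value into (uid, gid), and demonstrates the checks on a throwaway temporary file created by the example itself.

```python
"""Audit a TLS key file that will be bind-mounted into a container (added
example, not 1Password's code).  The container UID defaults to 999, the
UID the thread says Connect's containers use."""
import os
import stat
import tempfile

CONNECT_DEFAULT_UID = 999  # UID inside Connect's containers, per the thread


def audit_key_file(path, container_uid=CONNECT_DEFAULT_UID):
    """Return a list of problems with the file's ownership and permission bits.
    An empty list means: owner is the container UID and only the owner can read it."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} grants group/other access; use chmod 600")
    if st.st_uid != container_uid:
        problems.append(
            f"owner UID {st.st_uid} != container UID {container_uid}; "
            "with group/other bits removed the container cannot read it")
    return problems


def parse_compose_user(user_value):
    """Parse a compose `user: "uid:gid"` (or plain "uid") override into
    (uid, gid); gid is None when not given."""
    uid, _, gid = user_value.strip().strip("\"'").partition(":")
    return int(uid), (int(gid) if gid else None)


def demo():
    """Create a throwaway file and show the audit before and after chmod 600.
    Ownership cannot be changed without root, so the current UID stands in
    for the container UID; the last case simulates a wrong owner."""
    fd, path = tempfile.mkstemp(prefix="privkey-", suffix=".pem")
    os.close(fd)
    try:
        me = os.getuid()
        os.chmod(path, 0o644)            # typical mode right after copying a cert over
        before = audit_key_file(path, container_uid=me)
        os.chmod(path, 0o600)            # the chmod 600 suggested in the thread
        after = audit_key_file(path, container_uid=me)
        wrong_owner = audit_key_file(path, container_uid=me + 1)
        return {"before": before, "after": after, "wrong_owner": wrong_owner}
    finally:
        os.remove(path)


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, problems or "OK")
    print(parse_compose_user('"1001:1001"'))
```

In practice, run audit_key_file on the real privkey.pem with container_uid set to 999 or to the uid from parse_compose_user of your override; a clean result for the key file and a world-readable cert.pem is the expected end state, since only the private key needs protecting.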