XIII
Super Contributor
3 years ago

How to set up TLS for 1Password Connect?

The documentation on setting up TLS for 1Password Connect is too brief for me...

  • Where do I need to set OP_HTTPS_PORT? (On the Pi running Connect? On each client running the CLI? On all of them?)
  • Which changes do I need to make to the Docker compose file? (if any)
  • How can I verify that HTTPS is used?
  • How can I verify that HTTP is no longer used?

1Password Version: 1Password CLI 2.0.0
Extension Version: n/a
OS Version: Raspberry Pi OS (bullseye, 32 bit)
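The last two questions above (is HTTPS used, is HTTP no longer used) can be answered from two places: Connect's own startup log lines, and a probe of the listener from a client machine. The script below is an added example, not code from the thread or from 1Password. Its sample log block reuses the journal lines XIII posts later in this thread; the `tls_verdict`, `tls_summary` and `probe_connect` helpers are this example's own, and `probe_connect` assumes `openssl` and `curl` are installed and that Connect's `/heartbeat` endpoint answers without a token (an assumption, not something the thread states).

```shell
#!/bin/sh
# Added example (not from the thread or from 1Password): decide from Connect's
# startup log whether each container is serving TLS, and probe the port from
# a client. The two log messages matched below are the ones Connect prints at
# startup, as seen in the journal excerpt posted in this thread.

# Map one Connect log line to "https", "http" or "unknown".
tls_verdict() {
  case "$1" in
    *"configured for HTTPS"*)              echo https ;;
    *"configured to use HTTP with no TLS"*) echo http ;;
    *)                                      echo unknown ;;
  esac
}

# Read journal output on stdin and print "<container> <verdict>" for every
# startup line that mentions TLS. The container name is the word between
# docker-compose's "]: " prefix and the " | " separator.
tls_summary() {
  while IFS= read -r line; do
    case "$line" in
      *"configured for HTTPS"*|*"configured to use HTTP with no TLS"*)
        container=$(printf '%s\n' "$line" | sed -n 's/.*\]: \([^ ]*\) | .*/\1/p')
        printf '%s %s\n' "$container" "$(tls_verdict "$line")"
        ;;
    esac
  done
}

# Live checks from a client (not run by the sample below).
# 1. The TLS handshake must succeed and the certificate must verify.
# 2. HTTPS must answer /heartbeat (assumed unauthenticated) with 200.
# 3. The same request over plain HTTP must NOT come back with 200; that is
#    the "HTTP is no longer used" check.
probe_connect() {
  host=$1; port=$2
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | grep -E '^subject=|Verify return code'
  https_code=$(curl -s -o /dev/null -w '%{http_code}' "https://$host:$port/heartbeat" || true)
  http_code=$(curl -s -o /dev/null -w '%{http_code}' "http://$host:$port/heartbeat" || true)
  echo "https: $https_code (want 200)   http: $http_code (want anything but 200)"
}

# Constructed sample: the journal lines from this thread. Note that connect-sync
# still reports plain HTTP while connect-api reports HTTPS.
SAMPLE_LOG='Mar 16 23:11:13 pi docker-compose[11193]: 1password-connect-sync | {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-03-16T22:11:13.805333444Z","level":2}
Mar 16 23:11:13 pi docker-compose[11193]: 1password-connect-api | {"log_message":"(I) configured for HTTPS with custom configuration","timestamp":"2022-03-16T22:11:13.872360052Z","level":3}
Mar 16 23:11:13 pi docker-compose[11193]: 1password-connect-api | {"log_message":"(I) serving on :18843","timestamp":"2022-03-16T22:11:13.873427753Z","level":3}'

# On the Pi:      journalctl -u 1password-connect --no-pager | tls_summary
# From a client:  probe_connect 1password.domain.com 18843
printf '%s\n' "$SAMPLE_LOG" | tls_summary
```

On the sample this prints `1password-connect-sync http` followed by `1password-connect-api https`, which is exactly the situation in the journal excerpt: the API container has TLS, the sync container does not.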

  • Former Member

    It works now!

    Awesome! 🎉

    Partially off-topic, but security related, so I hope it's allowed:

    I would like the *.pem files to only be readable by root, but still share them with the Docker container.

    Is this possible? If so, how? If not, what's the best practice here?

    Of course that is allowed! Unfortunately, it is somewhat of a problematic thing with Docker. There is no way to mount a file with different permissions than on the host. That means that if the file is accessible by root only, the container has to run as root to read the file. The latter is generally considered to be a bad practice. That is also the reason why Connect's images use a custom user.

    What you can give a try though, is: sudo chown 999 <pem-file> and sudo chmod 600 <pem-file>. That will make the user with UID 999 (the UID that is used within Connect's containers) owner of the file and the only user that can read it. Connect should still be able to read the file and any user except for user 999 and root should not be able to read it.
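The ownership trick in the reply above (owner UID 999, mode 600) is easy to get wrong silently, so a check that reports the actual owner and mode of each `.pem` file is worth having. The script below is an added example, not code from the thread or from 1Password: the `chown 999` / `chmod 600` commands and the paths come from this thread, while `lock_down`, `verify_perms` and the scratch-file demo are this example's own. It assumes GNU `stat` (Linux, as on Raspberry Pi OS).

```shell
#!/bin/sh
# Added example (not from the thread or from 1Password): hand Connect's TLS key
# and certificate to the container's unprivileged user without making them
# world-readable, then verify what was actually applied.

CONNECT_UID=999   # UID used inside Connect's containers, per the reply above

# Make $1 owned by UID $2 with mode 600 (owner read/write only). Needs root.
lock_down() {
  file=$1; owner=$2
  sudo chown "$owner" "$file"
  sudo chmod 600 "$file"
}

# Print "ok" when $1 exists, is owned by UID $2 and has mode 600; otherwise
# print the reason and return 1. Works without root, so it can be run as a
# sanity check after the chown/chmod step.
verify_perms() {
  file=$1; owner=$2
  [ -e "$file" ] || { echo "missing: $file"; return 1; }
  uid=$(stat -c '%u' "$file")
  mode=$(stat -c '%a' "$file")
  if [ "$uid" != "$owner" ]; then
    echo "wrong owner: uid $uid (expected $owner)"; return 1
  fi
  if [ "$mode" != "600" ]; then
    echo "too permissive: mode $mode (expected 600)"; return 1
  fi
  echo ok
}

# On the Pi (paths from this thread; the private key is the secret, the
# certificate is public, but 600 on both keeps the rule simple):
#   for f in /usr/local/etc/1password/privkey.pem /usr/local/etc/1password/cert.pem; do
#     lock_down "$f" "$CONNECT_UID" && verify_perms "$f" "$CONNECT_UID"
#   done

# Self-contained demo with a scratch file owned by the current user, so it
# runs without root: first a too-open mode, then the corrected one.
demo() {
  tmp=$(mktemp)
  chmod 644 "$tmp"
  verify_perms "$tmp" "$(id -u)"   # too permissive: mode 644 (expected 600)
  chmod 600 "$tmp"
  verify_perms "$tmp" "$(id -u)"   # ok
  rm -f "$tmp"
}
demo
```

Because the bind mount keeps the host's ownership and mode, `verify_perms` run on the host tells you what the process inside the container will see; a file that passes here is readable by UID 999 and root only.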

  • XIII
    Super Contributor

    Partially off-topic, but security related, so I hope it's allowed:

    I would like the *.pem files to only be readable by root, but still share them with the Docker container.

    Is this possible? If so, how? If not, what's the best practice here?

    (I'm relatively new to Docker...)

  • XIII
    Super Contributor

    This post was exactly what I needed. Thanks!

    I was using 18843:8843 instead of 18843:18843... 😲

    It works now!

    PS: I live in Europe too. Good to know that 1Password has a presence in Europe and respects business hours. Maybe I should look for job openings someday...

  • Former Member

    Sorry for the delayed reply. Contrary to most folks at 1Password, I live in Europe. So I sign off a bit earlier than you might be used to from my colleagues.

    I do see you made some great progress! Looking at Connect's logs, it seems to be listening to HTTPS traffic only.

    Could you check if port 18843 is also specified in the docker-compose.yml? Now that Connect is listening on port 18843, we have to make sure that Docker is also forwarding that port. You can do that by changing the ports section of the connect-api container:

    services:
      connect-api:
        # left out some stuff here
        ports:
          - "18843:18843"
        # left out more stuff here

    Let me know if that helps.

    Joris
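The mapping has to publish the same container-side port that `OP_HTTPS_PORT` makes Connect listen on; `18843:8843` (the slip that turned out to be the problem in this thread) publishes a container port nothing is listening on, which is why the client saw "connection refused". The script below is an added example, not code from the thread or from 1Password: it extracts the container-side ports from a compose file and compares them with `OP_HTTPS_PORT`. The `container_ports` and `check_https_port` helpers and both compose snippets are this example's own; the mapping syntax is Docker's.

```shell
#!/bin/sh
# Added example (not from the thread or from 1Password): catch a ports mapping
# whose container side does not match OP_HTTPS_PORT before restarting Connect.

# Print the container-side port of every "HOST:CONTAINER" list item in the
# compose text on stdin. Accepts "18843:18843", "18843:18843/tcp" and
# "127.0.0.1:18843:18843"; the last colon-separated field is the container port.
container_ports() {
  sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([0-9.:]*\)\(\/[a-z]*\)\{0,1\}"\{0,1\}[[:space:]]*$/\1/p' \
    | awk -F: '{ print $NF }'
}

# Return 0 (and print "ok: ...") when $1 is one of the published container
# ports in the compose text on stdin; otherwise print the mismatch and return 1.
check_https_port() {
  want=$1
  ports=$(container_ports)
  for p in $ports; do
    if [ "$p" = "$want" ]; then
      echo "ok: container port $want is published"
      return 0
    fi
  done
  echo "mismatch: OP_HTTPS_PORT=$want but published container ports are:$(printf ' %s' $ports)"
  return 1
}

# Constructed compose fragments: the mistaken mapping and the corrected one.
BAD_COMPOSE='services:
  connect-api:
    ports:
      - "18843:8843"
'
GOOD_COMPOSE='services:
  connect-api:
    ports:
      - "18843:18843"
'

# Real use on the Pi: check_https_port "$OP_HTTPS_PORT" < docker-compose.yml
printf '%s' "$BAD_COMPOSE"  | check_https_port 18843 || true   # mismatch, exit status 1
printf '%s' "$GOOD_COMPOSE" | check_https_port 18843            # ok
```

The check is deliberately narrow: it only parses the `- "HOST:CONTAINER"` form shown in the reply above, and it reports the first match, so if both `connect-api` and `connect-sync` publish ports it confirms that at least one of them exposes the HTTPS port.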

  • XIII
    Super Contributor

    @1PBusinessUser Would you be willing to share your setup?

    Unfortunately 1Password has still not documented this and is a bit slow to respond... 😢

  • XIII
    Super Contributor

    I was hoping this post would help: https://1password.community/discussion/121733/https-support-on-the-api

    I seem to get a little further:

    ➜ journalctl -f -u 1password-connect
    -- Journal begins at Thu 2022-03-10 09:08:15 CET. --
    Mar 16 23:11:13 pi docker-compose[11193]: 1password-connect-sync | {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-03-16T22:11:13.805333444Z","level":2}
    Mar 16 23:11:13 pi docker-compose[11193]: 1password-connect-api | {"log_message":"(I) configured for HTTPS with custom configuration","timestamp":"2022-03-16T22:11:13.872360052Z","level":3}
    Mar 16 23:11:13 pi docker-compose[11193]: 1password-connect-api | {"log_message":"(I) starting 1Password Connect API ...","timestamp":"2022-03-16T22:11:13.873309733Z","level":3}
    Mar 16 23:11:13 pi docker-compose[11193]: 1password-connect-api | {"log_message":"(I) serving on :18843","timestamp":"2022-03-16T22:11:13.873427753Z","level":3}

    However:

    ➜ op read op://Vault/account/password
    [ERROR] 2022/03/16 23:16:39 could not read secret op://Vault/account/password: could not retrieve vaults: Get "https://1password.domain.com:18843/v1/vaults": dial tcp 192.168.1.102:18843: connect: connection refused

    Note that I have this firewall rule:

    ➜ ufw status
    18843/tcp ALLOW 192.168.0.0/16

  • XIII
    Super Contributor

    I really need your help here!

    This is what I tried:

    For 1Password Connect:

    OP_HTTPS_PORT=18843
    OP_TLS_KEY_FILE=/usr/local/etc/1password/privkey.pem
    OP_TLS_CERT_FILE=/usr/local/etc/1password/cert.pem

    For 1Password CLI:

    OP_CONNECT_HOST=https://1password.domain.com:18843

    Set up a NextDNS rewrite (mapping the domain name to the IP address of my Raspberry Pi):

    1password.domain.com = 192.168.1.102


    ➜ dig +short 1password.domain.com
    192.168.1.102

    However:

    op read op://Vault/account/password
    [ERROR] 2022/03/16 22:18:49 could not read secret op://Vault/account/password: could not retrieve vaults: Get "https://1password.domain.com:18843/v1/vaults": http: server gave HTTP response to HTTPS client

  • XIII
    Super Contributor

    1. I do not want the 1Password Connect server to be publicly available from the internet.
    2. I do have a domain (and a Let's Encrypt wildcard TLS certificate for that domain) that I can redirect to the Pi; either via the (Cloudflare) DNS settings of that domain or via a NextDNS "rewrite" (1p-connect.domain.com -> pi.home.lan?).

    I still want to use TLS on my LAN.

  • Former Member

    Hi,

    Thanks for reaching out. We're on a continuous journey to improve our docs, so telling us what parts aren't 100% clear is really valuable feedback!

    To help you as well as possible, could you help me understand your specific use-case a bit better?

    1. Should this Connect instance be reachable from the public internet?
    2. If so, do you have a domain that can (or already does) point to the Raspberry Pi?

    This could help me understand whether we can better use Let's Encrypt or create a self-signed TLS certificate. We can help you out with either option.

    Joris