Private/public key generation for self-hosted openFN

Hello team,

I have tried using the production images, but I’m facing a challenge with the private key and public key in the env file. How are these keys generated, or do you already have predefined keys?

1 Like

Hey @ibrahimwickama ! Great to see you on the forum :heart: .

Here’s the main docs on generating keys: Deployment — Lightning v2.6.3

And for worker keys in particular there’s a mix task (mix lightning.gen_worker_keys) that will do it for you.

Please let me know if this works.

1 Like

Hey @taylordowns2000

Thanks for the assist, I am glad to say that has worked great. Just bumped into another error message for failure to decode PEM.

Any ideas on this…?

failure to decode PEM? oh man, may be beyond my expertise.

@stu , @elias , @rogerio , do you guys have ideas here?

i will look more tomorrow AM too. did you generate all those keys with the mix command? and did you pass them into the ENV?

here’s the line that’s complaining: lightning/config/runtime.exs at main · OpenFn/lightning · GitHub

looks like your key should be base64 encoded before you pass it into the WORKER_RUNS_PRIVATE_KEY environment variable.

hope this helps :pray:

1 Like

Yeah sure thing, the variables were included on .env with base64 key generated by the mix command outputs.

Which were WORKER_RUNS_PRIVATE_KEY, WORKER_SECRET, WORKER_LIGHTNING_PUBLIC_KEY and PRIMARY_ENCRYPTION_KEY

Thus after booting again, it now yields the new error above.

Hope @stu , @elias may help shed some light.

Regards.

Hrmm. “Could not decode PEM” is the result we get when your_key_here |> Base.decode64(padding: false) returns :error.

The whole code block is doing this:

encoded
  |> Base.decode64(padding: false)
  |> case do
    {:ok, pem} -> pem
    :error -> raise "Could not decode PEM"
  end

(src: lightning/config/runtime.exs, line 141-150)

So there is something about how that key is getting set as an environment variable that your system is not liking.

I just did a quick test: if I paste the base64 key that’s generated by the mix command into an interactive Elixir shell (iex) and pipe it into Base.decode64(padding: false) it works like a charm.

If, however, I have a space or a line break before or after the string it returns :error. I hope I’m not sending you on a wild goose chase, but could you possibly double check that the key you’re setting as your WORKER_RUNS_PRIVATE_KEY is just the base64 string itself, no spaces or line breaks before or after?

Then two more things that might help debug (if this fails):

  1. What operating system are you using?
  2. Does your .env file look like this: WORKER_RUNS_PRIVATE_KEY="blahblahblahwithnospacesorlinebreaks"

Yeah, I have also tried this and it’s working fine.
@ibrahimwickama in addition to double checking spaces, you can also try getting rid of the quotes. i.e. WORKER_RUNS_PRIVATE_KEY=blahblah instead of "blahblah"

1 Like
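
A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original posts or of OpenFn's code: it reports why a value such as WORKER_RUNS_PRIVATE_KEY would fail a strict base64 decode (stray whitespace, a Windows line ending, literal quotes) without ever printing the key. The function names and the sample key are constructed for illustration, and it assumes the env loader hands the text after `=` to the process verbatim.

```python
import base64
import binascii
import re

# Constructed sample: base64 of a dummy PEM body, not a real key.
SAMPLE_B64 = base64.b64encode(
    b"-----BEGIN PRIVATE KEY-----\nZHVtbXk=\n-----END PRIVATE KEY-----\n"
).decode()


def diagnose(raw: str) -> list[str]:
    """Return the reasons a value would fail a strict base64 decode ([] = clean)."""
    problems = []
    value = raw
    if value != value.strip():
        problems.append("leading/trailing whitespace or line break")
        value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        problems.append("literal quotes are part of the value")
        value = value[1:-1]
    if re.search(r"\s", value):
        problems.append("whitespace inside the value")
        value = re.sub(r"\s+", "", value)
    # Tolerate missing '=' padding, approximating the padding: false option.
    padded = value + "=" * (-len(value) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True)
    except binascii.Error:
        problems.append("not valid base64")
        return problems
    if not decoded.startswith(b"-----BEGIN "):
        problems.append("decodes, but is not PEM text")
    return problems


def check_env_file(text: str, names: tuple[str, ...]) -> dict[str, list[str]]:
    """Diagnose selected NAME=value lines of .env text, keeping values verbatim."""
    report = {}
    for line in text.split("\n"):  # split on LF only so a CRLF '\r' stays visible
        name, sep, value = line.partition("=")
        if sep and name.strip() in names:
            report[name.strip()] = diagnose(value)
    return report
```

Only the reasons are returned, so the report can be pasted into a forum post or a ticket without exposing the private key.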