How to use self-signed certificates with openvidu-local-deployment in offline environment?

Hi,

I’m trying to deploy openvidu-local-deployment in an air-gapped environment (no internet access). Currently facing an issue where Caddy fails to obtain certificates for HTTPS since it cannot connect to the internet.

I noticed the Caddy configuration is generated by a program called “local-caddy-generate”.

Questions:

  1. Is the source code for “local-caddy-generate” available?

  2. Is it possible to configure it to use self-signed certificates instead of obtaining them from the internet?

  3. Are there any alternative solutions for using openvidu-local-deployment with self-signed certificates in an offline environment?

  4. Or are there any better deployment solutions specifically designed for air-gapped environments?

Environment:

  • Using openvidu-local-deployment 3.0.0

  • Air-gapped network environment (no internet access)

Thank you for your help!

Right now it is not possible to use openvidu-local-deployment with self-signed certs, and the source code is not available.

But you can deploy OpenVidu Single Node, which is virtually the same but focused on production: OpenVidu Single Node installation on-premises - openVidu

You need 2 things:

  1. Configure a Domain name in your LAN which points to the private IP of the host where you want to install OpenVidu
  2. Install OpenVidu following the documentation instructions (Select owncert as certificate type and paste there your certificates).
  3. After installing it, configure your private IP at /opt/openvidu/config/livekit.yaml:
rtc:
    use_external_ip: false
    node_ip: <your_private_ip>

Note that openvidu-local-deployment is intended to make development easier, but it is not intended for production use cases because the certificates are publicly known.

Mmm, I am thinking that adding a --lan-network-mode to the OpenVidu installer might be a good idea for users who want to deploy OpenVidu in LAN networks :thinking:
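The livekit.yaml edit from step 3 of the answer above, as an added example that is not part of the thread or of the OpenVidu project: it patches the rtc: block in place (use_external_ip: false, node_ip set to the host's private address) and refuses loopback, link-local or public addresses, so the LiveKit node never advertises an address LAN clients cannot reach. The sample YAML is constructed; the real file has more keys.

```python
import ipaddress
import re

# Constructed sample modelled on the rtc snippet quoted above; the real
# /opt/openvidu/config/livekit.yaml carries more keys than shown here.
SAMPLE_LIVEKIT_YAML = """\
port: 7880
rtc:
    tcp_port: 7881
    port_range_start: 50000
    use_external_ip: true
keys:
    devkey: secret
"""

def check_lan_ip(ip: str) -> str:
    """Accept only a routable private (RFC 1918 / ULA) address for node_ip."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if not addr.is_private or addr.is_loopback or addr.is_link_local:
        raise ValueError(f"{ip} is not a usable LAN address for node_ip")
    return str(addr)

def set_rtc_lan_mode(yaml_text: str, private_ip: str) -> str:
    """Force use_external_ip: false and node_ip: <private_ip> inside the top-level
    rtc: block, replacing existing keys or appending missing ones. Line-based on
    purpose so it needs no YAML library on an air-gapped host."""
    wanted = {"use_external_ip": "false", "node_ip": check_lan_ip(private_ip)}
    out, seen, in_rtc, found, indent = [], set(), False, False, "    "

    def flush():  # append whichever wanted keys the block did not contain
        out.extend(f"{indent}{k}: {v}" for k, v in wanted.items() if k not in seen)

    for line in yaml_text.splitlines():
        if re.match(r"^rtc:\s*$", line):
            in_rtc = found = True
        elif in_rtc and (m := re.match(r"^(\s+)(\w+):", line)):
            indent = m.group(1)  # reuse the file's own indentation
            if m.group(2) in wanted:
                seen.add(m.group(2))
                out.append(f"{indent}{m.group(2)}: {wanted[m.group(2)]}")
                continue
        elif in_rtc and line.strip() and not line[0].isspace():
            flush()  # a new top-level key ends the rtc block
            in_rtc = False
        out.append(line)
    if not found:  # no rtc block at all: create one at the end
        out.append("rtc:")
        in_rtc = True
    if in_rtc:
        flush()
    return "\n".join(out) + "\n"
```

Running it twice with the same address yields the same file, so it is safe to re-apply after an upgrade rewrites the config.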

The OpenVidu Single Node version doesn’t seem to support offline deployment. There are many network-related dependencies, and even after addressing them one by one, it still fails to connect upon startup. The logs are quite extensive, and it’s difficult to identify the specific issues from them.

Issues I addressed:

  1. Prepared the necessary scripts and Docker images in advance to avoid dependencies on the network during installation.
  2. Preloaded grafana_data/data/plugins to prevent downloads after startup.
  3. Disabled IPv6; otherwise, MongoDB would fail to connect.

After these adjustments, the system seems to start successfully, but nothing can be connected. Accessing http returns a 308 status code, and accessing https results in an error.

# curl -vkL localhost
* About to connect() to localhost port 80 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost
> Accept: */*
> 
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://localhost/
< Server: Caddy
< Date: Fri, 07 Feb 2025 09:36:07 GMT
< Content-Length: 0
< 
* Closing connection 0
* Issue another request to this URL: 'https://localhost/'
* About to connect() to localhost port 443 (#1)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#1)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 1
curl: (35) Encountered end of file

By the way, I’m using the self-signed mode. This mode should be able to generate certificates in an offline environment, right?

Yes, selfsigned does not require internet connection.

Can you show me your Caddy logs? Did you try to use curl against the domain name of your machine?

  1. Disabled IPv6; otherwise, MongoDB would fail to connect.

This will be fixed for clean installations in 3.1.0. Local connections to MongoDB will be through 127.0.0.1, not localhost.

Previously, I made a mistake:

  1. Using the domain name works fine for access.
  2. I am using a public domain name like 192-168-0-153.nip.io.
  3. However, I hope to access the service directly using an IP address or allow any domain name to work. This is because I want to support environments without DNS or network connectivity.

Should I modify the /opt/openvidu/config/caddy.yaml file to achieve this? Is there a simpler method to implement this?

Yes, you should probably modify /opt/openvidu/config/caddy.yaml. I think it's possible, but we did not test accessing the infrastructure using a single IP.

What you did with nip.io is exactly the best way to use it in a LAN environment.