TLS is used for node-to-node communication. This is fairly tricky to set up with Erlang distribution because you have to generate a full CA and keys for it.
The following script is specific to Fly.io, because it generates a CA and a certificate for `*.internal` domains.
```shell
#!/usr/bin/env bash
# Requires bash (brace expansion below); stop on the first failing command.
set -e
cd rel/overlays/tls
rm -f *.{pem,srl,conf}
# Generate the certificate authority
openssl genrsa -out ca-key.pem 2048
openssl req -new -x509 -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/CN=Erlang Cluster CA"
# Generate node private key
openssl genrsa -out node-key.pem 2048
# Create a config file for the certificate request
cat > node-cert.conf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = *.internal
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.internal
DNS.2 = *.vm.*.internal
EOF
# Generate certificate signing request
openssl req -new -key node-key.pem -out node-req.pem -config node-cert.conf
# Sign the certificate with your CA
openssl x509 -req -days 3650 -in node-req.pem -CA ca-cert.pem \
  -CAkey ca-key.pem -CAcreateserial -out node-cert.pem \
  -extensions v3_req -extfile node-cert.conf
# Remove the CA key and intermediate files; only ca-cert.pem, node-key.pem and node-cert.pem are shipped
rm -f ca-cert.srl
rm -f ca-key.pem
rm -f node-cert.conf
rm -f node-req.pem
```

These certificates are not highly sensitive. There are multiple layers of protection (private networking, access cookies, etc.), so having the cert alone does not provide a connection mechanism.
If your repo is public or the network is not private, then you should treat the cert files as secrets and inject them via ENV into your production servers.
- `rel/overlays/tls`: contains all TLS certs and config, and is included in the final build artifact.
- `rel/vm.args.eex` and `rel/remote.vm.args.eex`: both should include the following:

```
-proto_dist inet6_tls
-ssl_dist_optfile /app/tls/tls_dist.sh
```

- Important: make sure that `proto_dist` is not set somewhere else. It is included in the Fly config by default, either in `rel/env.sh.eex` or in the `Dockerfile`.
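The script above produces the certs and the vm.args above point Erlang at an `-ssl_dist_optfile`, but the page shows neither a check that the generated files are consistent nor the contents of that option file. The following is an added example (it is not code from the original page or from Fly.io) that does both: `verify_node_cert` confirms a node cert chains to the cluster CA, matches its private key and carries the `*.internal` SAN, and `write_tls_dist_optfile` writes the Erlang term file that `-ssl_dist_optfile` consumes, with both server and client side set to verify the peer against the CA. The `/app/tls` directory, the `tls_dist.conf` file name and the throwaway test PKI built by `make_test_pki` are assumptions for illustration; in a real deployment the option file path must match whatever `-ssl_dist_optfile` names in vm.args.

```shell
#!/bin/sh
# Added example, not part of the original page. Needs the openssl CLI.
set -eu

# verify_node_cert CA_CERT NODE_CERT NODE_KEY
# Returns 0 if NODE_CERT is signed by CA_CERT, NODE_KEY is its private key and
# the cert carries a DNS:*.internal SAN; 1, 2 or 3 tells you which check failed.
verify_node_cert() {
  ca="$1"; cert="$2"; key="$3"
  # 1. chain: must be issued by our CA, not just any CA
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  # 2. key/cert match: compare the public key embedded in each
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || return 2
  # 3. SAN: the distribution hostnames must be covered by the cert
  openssl x509 -in "$cert" -noout -text | grep -q 'DNS:\*\.internal' || return 3
  return 0
}

# write_tls_dist_optfile OUT_PATH CERT_DIR
# Erlang term file for -ssl_dist_optfile: server and client both present the
# node cert and require the peer to present a cert signed by the cluster CA.
write_tls_dist_optfile() {
  out="$1"; dir="$2"
  cat > "$out" <<EOF
[{server, [{certfile, "$dir/node-cert.pem"},
           {keyfile, "$dir/node-key.pem"},
           {cacertfile, "$dir/ca-cert.pem"},
           {verify, verify_peer},
           {fail_if_no_peer_cert, true},
           {secure_renegotiate, true}]},
 {client, [{certfile, "$dir/node-cert.pem"},
           {keyfile, "$dir/node-key.pem"},
           {cacertfile, "$dir/ca-cert.pem"},
           {verify, verify_peer},
           {secure_renegotiate, true}]}].
EOF
}

# make_test_pki DIR: constructed throwaway PKI with the same shape as the page's
# script (CA, node key, node cert with *.internal SANs), plus a second "rogue"
# CA that signs the same CSR so the failure case can be exercised.
make_test_pki() {
  d="$1"
  mkdir -p "$d"
  cat > "$d/san.conf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = *.internal
[v3_req]
subjectAltName = DNS:*.internal, DNS:*.vm.*.internal
EOF
  for ca in ca rogue; do
    openssl genrsa -out "$d/$ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 1 -key "$d/$ca-key.pem" -out "$d/$ca-cert.pem" -subj "/CN=$ca" 2>/dev/null
  done
  openssl genrsa -out "$d/node-key.pem" 2048 2>/dev/null
  openssl req -new -key "$d/node-key.pem" -out "$d/node-req.pem" -config "$d/san.conf" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/node-req.pem" -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -out "$d/node-cert.pem" -extensions v3_req -extfile "$d/san.conf" 2>/dev/null
  # same key and SANs, but issued by the rogue CA: must be rejected by check 1
  openssl x509 -req -days 1 -in "$d/node-req.pem" -CA "$d/rogue-cert.pem" -CAkey "$d/rogue-key.pem" \
    -CAcreateserial -out "$d/rogue-node-cert.pem" -extensions v3_req -extfile "$d/san.conf" 2>/dev/null
}

# Demo on the constructed PKI in a temp dir (swap in rel/overlays/tls for real files)
WORK=$(mktemp -d)
make_test_pki "$WORK"
if verify_node_cert "$WORK/ca-cert.pem" "$WORK/node-cert.pem" "$WORK/node-key.pem"; then
  echo "node-cert.pem: OK (chains to CA, key matches, *.internal SAN present)"
fi
if ! verify_node_cert "$WORK/ca-cert.pem" "$WORK/rogue-node-cert.pem" "$WORK/node-key.pem"; then
  echo "rogue-node-cert.pem: rejected (not issued by our CA)"
fi
write_tls_dist_optfile "$WORK/tls_dist.conf" /app/tls
echo "wrote $WORK/tls_dist.conf"
```

Run `verify_node_cert` against the three files the page's script leaves behind before baking them into the release; a cert that fails check 1 is the case the page warns about, where a cert signed by some other CA cannot be used to join the cluster as long as both sides keep `verify_peer`.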