feat(tls): add mkcert-based TLS for HTTPS on port 8443#158
Open
bussyjd wants to merge 1 commit into integration-okr-1 from
Conversation
Enable crypto.subtle in browsers by serving *.obol.stack over HTTPS. This allows OpenClaw's Control UI to use Web Crypto API for device identity (Ed25519 keypair) instead of falling back to token-only auth.
- New internal/tls package: cert generation, K8s Secret management
- obolup.sh: install mkcert v1.4.4 as optional dependency
- stack init: generate wildcard cert for *.obol.stack via mkcert
- stack up: create obol-stack-tls Secret, patch helmfile for websecure Gateway listener with HTTPS on port 8443
- openclaw: add websecure parentRef, HTTPS dashboard URL when certs exist
- Import gateway token from ~/.openclaw/openclaw.json on setup
- Default model switched to gpt-oss:20b-cloud (Ollama cloud)
HTTP fallback on port 8080 remains fully functional. allowInsecureAuth kept for HTTP-only environments.
Closes #155
Base automatically changed from feat/wildcard-dns-resolver to integration-okr-1 on February 13, 2026 14:49
OisinKyne approved these changes on Feb 13, 2026
Summary
- TLS for the *.obol.stack wildcard domain
- internal/tls package handles cert generation, path helpers, and K8s Secret creation
- obol stack init generates trusted certs via mkcert; obol stack up creates the TLS Secret and patches the Traefik Gateway with a websecure HTTPS listener on port 8443
- OpenClaw route references both the web (HTTP) and websecure (HTTPS) listeners
- Gateway token imported from ~/.openclaw/openclaw.json during setup (fixes first-deploy validation)
- Default model switched to gpt-oss:20b-cloud (Ollama cloud)
Context
OpenClaw's Control UI requires crypto.subtle (Web Crypto API) for device identity — browsers only expose this in secure contexts (HTTPS or localhost). Without TLS, http://<instance>.obol.stack:8080 forces fallback to allowInsecureAuth: true (token-only auth, no device pairing).
This PR enables https://<instance>.obol.stack:8443 so crypto.subtle is available and full device auth works. HTTP fallback on port 8080 remains functional.
Note on trust store: mkcert -install runs during obol stack init (interactive, can prompt for OS keychain). JAVA_HOME is stripped from the environment to avoid keytool errors on systems with broken Java keystores.
Closes #155
Test plan
- go test ./... — all tests pass (TLS, stack helmfile patching, overlay generation)
- obol stack init generates certs to <configDir>/tls/
- obol stack up creates obol-stack-tls Secret in traefik namespace
- curl https://obol.stack:8443/ — TLS 1.3, certificate verified, 200 OK
- curl https://openclaw-default.obol.stack:8443/ — wildcard SAN match, 200 OK
- curl http://obol.stack:8080/ — HTTP fallback still works, 200 OK
- (mkcert -install prompts correctly)
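The three steps the summary and test plan describe (a wildcard cert for obol.stack and *.obol.stack, a kubernetes.io/tls Secret named obol-stack-tls in the traefik namespace, and a verified TLS 1.3 connection for a wildcard host) as one stand-alone Go program. This is an added example, not the PR's internal/tls package or any OpenClaw code, and it makes three assumptions: the certificate is self-signed in-process instead of issued by mkcert's locally trusted CA; the Secret is rendered as a JSON manifest of the shape `kubectl create secret tls` produces rather than created through the Kubernetes API; and the handshake runs on a free loopback port in place of the Traefik websecure listener on 8443. The function names GenerateWildcardCert, TLSSecretJSON and Handshake are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// GenerateWildcardCert issues a self-signed ECDSA P-256 certificate whose SANs cover
// domain and *.domain. Assumption: it stands in for mkcert, which signs with a local CA.
func GenerateWildcardCert(domain string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		DNSNames:     []string{domain, "*." + domain}, // a wildcard matches exactly one label
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

// TLSSecretJSON renders a kubernetes.io/tls Secret as `kubectl create secret tls` would:
// the PEM files are base64-encoded under data.tls.crt and data.tls.key (assumed shape).
func TLSSecretJSON(name, ns string, certPEM, keyPEM []byte) ([]byte, error) {
	return json.MarshalIndent(map[string]any{
		"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
		"metadata":   map[string]string{"name": name, "namespace": ns},
		"data": map[string]string{"tls.crt": base64.StdEncoding.EncodeToString(certPEM),
			"tls.key": base64.StdEncoding.EncodeToString(keyPEM)},
	}, "", "  ")
}

// Handshake runs a real TLS handshake over loopback TCP (a free port stands in for 8443):
// the server presents the pair; the client trusts only certPEM and verifies it against
// serverName via SNI, as curl does once the mkcert CA is installed. Returns the version.
func Handshake(certPEM, keyPEM []byte, serverName string) (uint16, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return 0, err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(certPEM)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{pair}, MinVersion: tls.VersionTLS13})
	if err != nil {
		return 0, err
	}
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = conn.(*tls.Conn).Handshake()
		}
		srvErr <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName})
	ln.Close() // unblocks Accept if the dial never reached the server
	if serr := <-srvErr; err != nil || serr != nil { // always reap the server side
		return 0, errors.Join(err, serr)
	}
	defer c.Close()
	return c.ConnectionState().Version, nil
}

func main() {
	certPEM, keyPEM, _ := GenerateWildcardCert("obol.stack") // errors ignored in the demo only
	manifest, _ := TLSSecretJSON("obol-stack-tls", "traefik", certPEM, keyPEM)
	fmt.Println(string(manifest))
	for _, host := range []string{"openclaw-default.obol.stack", "a.b.obol.stack"} {
		ver, err := Handshake(certPEM, keyPEM, host) // a.b.obol.stack is outside the wildcard
		fmt.Printf("%-28s version=0x%04x err=%v\n", host, ver, err)
	}
}
```

The second host in main is the check worth keeping in mind when naming instances: *.obol.stack covers openclaw-default.obol.stack but not a.b.obol.stack, so a name with two labels under the apex fails verification even though the cert is trusted. The server pins MinVersion to TLS 1.3, which is what the test plan's curl runs report; a browser hitting the real 8443 listener applies the same SAN match and trust-store lookup against the mkcert CA.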