forked from samcamwilliams/HyperBEAM
feat: Add SSL Certificate Device and HTTPS Integration #481
Open: PeterFarber wants to merge 40 commits into edge from feat/ssl-cert-device (+2,943 −726)
Add complete SSL certificate management system for HyperBEAM:
* dev_ssl_cert device - HTTP API for certificate lifecycle management
* hb_acme_client - ACME v2 protocol implementation with Let's Encrypt
* hb_ssl_cert_tests - 24 comprehensive tests with structured logging
* DNS-01 challenge support for manual TXT record setup
* Enhanced error reporting with detailed ACME diagnostics
* Works with any DNS provider, staging/production environments

- Replace hb_ao parameter extraction with hb_opts configuration
- Update all API endpoints to use ssl_cert_request_id config
- Add enhanced error reporting and timeout configuration
- Update tests to match new configuration-driven approach
…feat/ssl-cert-device
Major refactor improving code organization and maintainability:
SSL Certificate Device:
- Extract monolithic functions into focused helpers
- Leverage ssl_cert library functions for validation/operations
- Add comprehensive documentation and fix pattern matching warnings
- Organize with public API at top, internal helpers at bottom
HTTP Server:
- Reorganize functions by functionality with clear sections
- Add module constants for hardcoded values (ports, timeouts, paths)
- Eliminate duplicate code with shared utility functions
- Add type specifications and comprehensive documentation
- Standardize error handling and improve function naming
Key benefits:
- Better maintainability through focused, single-purpose functions
- Increased code reuse by leveraging existing libraries
- Production-ready code following Erlang best practices

- Remove complex redirect handling logic that was causing failures
- Simplify gun_req function to match old working version
- Remove MaxRedirects and redirects_left tracking
- Add parse_peer function for simpler peer URL parsing
- Use port-based transport detection instead of scheme-based
- Remove handle_redirect function and complex redirect following
This fixes scheduler test failures where redirects were not being handled correctly.

- Add get_cert/3 and request_cert/3 endpoints to dev_ssl_cert for secure certificate sharing between green zone nodes using AES-256-GCM encryption
- Extract encryption/decryption logic into reusable helper functions in dev_green_zone (encrypt_data/2, decrypt_data/3)
- Refactor existing green zone code to use centralized crypto helpers
- Update hb_http_server to support configurable HTTPS ports and fix protocol field (https -> http2) for proper HTTP version semantics
- Improve certificate file handling with automatic directory creation
- Use modern Erlang 'maybe' expressions for cleaner error handling
- Add comprehensive API documentation and usage examples
Breaking changes:
- start_https_node/4 -> start_https_node/5 (added HttpsPort parameter)
- redirect_to_https/2 -> redirect_to_https/3 (added HttpsPort parameter)
- Certificate files now stored in configurable 'certs' directory

…ption
- Remove redundant src_dirs configuration (defaults to [src])
- Remove unused gun_max_redirects option from hb_opts default_message/0

…d modular helpers
- Add comprehensive type specifications organized by function groups at top of file
- Refactor all main API functions (init/3, join/3, key/3, become/3) to use modern Erlang 'maybe' expressions for cleaner error handling
- Extract 15+ helper functions for better modularity and testability:
  * init/3 helpers: setup_green_zone_config/1, ensure_wallet/1, ensure_aes_key/1
  * join/3 helpers: extract_peer_info/1, should_join_peer/3
  * join_peer/5 helpers: prepare_join_request/1, verify_peer_response/3, etc.
  * validate_join/3 helpers: extract_join_request_data/2, process_successful_join/4
  * become/3 helpers: validate_become_params/1, request_and_verify_peer_key/3
  * key/3 helpers: get_appropriate_wallet/1, build_key_response/2
- Organize internal helper functions by main API function that uses them
- Update all function documentation to reflect refactored implementations
- Ensure all comment lines are ≤80 characters with proper line wrapping
- Improve code readability by eliminating deeply nested case statements
- Add comprehensive documentation for all helper functions
- Maintain backward compatibility while significantly improving code structure
Breaking changes: None (internal refactoring only)
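The first commit above adds "DNS-01 challenge support for manual TXT record setup". When an operator publishes that TXT record by hand, the one thing worth checking before asking the CA to validate is that the published value is the one the CA will compute. The following is an added example, not code from HyperBEAM or its hb_acme_client; it derives the DNS-01 record value exactly as RFC 8555 section 8.4 and the RFC 7638 JWK thumbprint define it. The module and function names, the throwaway account key and the token are assumptions made for this illustration.

```erlang
%% Added example (not HyperBEAM / hb_acme_client code): derive the value an
%% ACME DNS-01 TXT record must carry so a manually published record can be
%% checked before validation is triggered.
%% Run: erlc acme_dns01_example.erl && erl -noshell -s acme_dns01_example demo -s init stop
-module(acme_dns01_example).
-export([txt_record_value/2, jwk_thumbprint_rsa/2, dns_name/1, demo/0]).

-include_lib("public_key/include/public_key.hrl").

%% base64url without padding, as ACME requires (RFC 4648 section 5).
b64url(Bin) when is_binary(Bin) ->
    Std = base64:encode(Bin),
    NoPad = string:trim(Std, trailing, "="),
    Plus = binary:replace(NoPad, <<"+">>, <<"-">>, [global]),
    binary:replace(Plus, <<"/">>, <<"_">>, [global]).

%% Big-endian unsigned magnitude of an integer, the JWK encoding of "n" and "e".
int_to_b64url(Int) when is_integer(Int), Int > 0 ->
    b64url(binary:encode_unsigned(Int, big)).

%% RFC 7638 thumbprint of an RSA public key: SHA-256 over the canonical JSON
%% {"e":...,"kty":"RSA","n":...} with members in lexicographic order and no
%% whitespace. Any deviation (extra space, reordered keys) changes the
%% thumbprint and therefore produces a TXT value the CA will reject.
jwk_thumbprint_rsa(N, E) ->
    Json = <<"{\"e\":\"", (int_to_b64url(E))/binary,
             "\",\"kty\":\"RSA\",\"n\":\"", (int_to_b64url(N))/binary, "\"}">>,
    crypto:hash(sha256, Json).

%% Key authorization = token "." base64url(thumbprint); the TXT record holds
%% base64url(SHA-256(key authorization)), not the key authorization itself.
txt_record_value(Token, Thumbprint) when is_binary(Token), is_binary(Thumbprint) ->
    KeyAuth = <<Token/binary, ".", (b64url(Thumbprint))/binary>>,
    b64url(crypto:hash(sha256, KeyAuth)).

%% The record always lives under _acme-challenge. of the identifier being validated.
dns_name(Domain) when is_binary(Domain) ->
    <<"_acme-challenge.", Domain/binary>>.

demo() ->
    %% Constructed throwaway account key; a real client uses its persisted ACME account key.
    #'RSAPrivateKey'{modulus = N, publicExponent = E} =
        public_key:generate_key({rsa, 2048, 65537}),
    Thumb = jwk_thumbprint_rsa(N, E),
    %% Constructed token; the real one arrives in the challenge object from the CA.
    Token = <<"evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA">>,
    Value = txt_record_value(Token, Thumb),
    io:format("~s IN TXT \"~s\"~n", [dns_name(<<"example.com">>), Value]),
    %% Compare the value actually served by the authoritative DNS against Value
    %% before triggering validation: a mismatch means a wrong account key or a
    %% stale record, and the CA will fail the challenge.
    ok.
```

The value is tied to the account key through the thumbprint, so a record left over from an earlier account (or a staging account, which the commit notes this device supports alongside production) will not validate even though the token format looks right; checking the served record against the computed value catches that before the challenge is spent.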
noahlevenson approved these changes on Sep 19, 2025
Description:
This PR introduces a new dev_ssl_cert device for automated SSL certificate management using Let's Encrypt ACME v2 with DNS-01 challenges. It enables HyperBEAM nodes to request, finalize, renew, and delete certificates, with support for both staging and production environments. Additionally, it adds secure certificate sharing capabilities between green zone nodes and significantly refactors encryption handling.

Key Changes
- New Module: src/dev_ssl_cert.erl implementing full certificate lifecycle management (request, finalize, renew, delete).
- New SSL Certificate Sharing Features:
  - get_cert/3 endpoint to encrypt and share certificates with other green zone nodes
  - request_cert/3 endpoint to securely retrieve and use certificates from peer nodes
- Encryption Helper Refactoring: (encrypt_data/2, decrypt_data/3) to dev_green_zone
- Server Enhancements: hb_http_server with HTTPS startup, TLS listener setup, and redirect handling.
  - (https → http2) for proper HTTP version semantics
  - certs/ directory
- Client Improvements: hb_http_client with redirect handling and transport updates.
- Configuration Updates:
  - .gitignore: Added test config files.
  - erlang_ls.config: Simplified include_dirs.
  - hb_opts: Added new defaults for SSL cert device and HTTP client redirect handling.

Breaking Changes
- start_https_node/4 → start_https_node/5 (added HttpsPort parameter)
- redirect_to_https/2 → redirect_to_https/3 (added HttpsPort parameter)
- certs/ directory instead of current working directory

Impact
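The description says get_cert/3 encrypts certificates for other green zone nodes with AES-256-GCM and that the helpers now live in dev_green_zone. The properties a reviewer would want from such a wrap are a fresh nonce per message, the authentication tag carried with the ciphertext, and the certificate identity bound into the associated data so a blob issued for one certificate cannot be presented as another. The following is an added example written for this page, not HyperBEAM's dev_green_zone or dev_ssl_cert code; the module name, the envelope map and the use of the certificate id as AAD are assumptions, and the zone key and PEM are constructed.

```erlang
%% Added example (not HyperBEAM code): authenticated AES-256-GCM wrap of a
%% certificate PEM for transfer between nodes that already share a zone key.
%% Run: erlc cert_share_example.erl && erl -noshell -s cert_share_example demo -s init stop
-module(cert_share_example).
-export([wrap_cert/3, unwrap_cert/3, demo/0]).

-define(KEY_BYTES, 32).  % AES-256
-define(IV_BYTES, 12).   % 96-bit GCM nonce
-define(TAG_BYTES, 16).  % full-length authentication tag

%% Key: the 32-byte zone key both nodes share (assumed to exist already).
%% CertId: the identifier the requester asked for; bound as AAD, so it is
%% authenticated but not encrypted and the receiver can route on it.
wrap_cert(Key, CertId, PemBin)
  when byte_size(Key) =:= ?KEY_BYTES, is_binary(CertId), is_binary(PemBin) ->
    %% A nonce must never repeat under the same key: GCM loses both
    %% confidentiality and integrity on nonce reuse.
    IV = crypto:strong_rand_bytes(?IV_BYTES),
    {Cipher, Tag} = crypto:crypto_one_time_aead(
                      aes_256_gcm, Key, IV, PemBin, CertId, ?TAG_BYTES, true),
    #{cert_id => CertId, iv => IV, ciphertext => Cipher, tag => Tag}.

%% The receiver passes the CertId it expects rather than trusting the one in
%% the envelope. Because the id is AAD, an envelope wrapped for another id
%% fails authentication even though the key is the same; so does any bit
%% flip in iv, ciphertext or tag. Nothing is returned on failure.
unwrap_cert(Key, ExpectedId, #{iv := IV, ciphertext := Cipher, tag := Tag})
  when byte_size(Key) =:= ?KEY_BYTES, is_binary(ExpectedId) ->
    case crypto:crypto_one_time_aead(
           aes_256_gcm, Key, IV, Cipher, ExpectedId, Tag, false) of
        error -> {error, authentication_failed};
        Plain when is_binary(Plain) -> {ok, Plain}
    end.

demo() ->
    Key = crypto:strong_rand_bytes(?KEY_BYTES),   % constructed zone key
    %% Constructed PEM stand-in; a real blob would be the issued chain.
    Pem = <<"-----BEGIN CERTIFICATE-----\n"
            "Q09OU1RSVUNURUQtRVhBTVBMRQ==\n"
            "-----END CERTIFICATE-----\n">>,
    Id = <<"node-a.example.com">>,
    Env = wrap_cert(Key, Id, Pem),
    {ok, Pem} = unwrap_cert(Key, Id, Env),
    %% Same key, different expected id: rejected.
    {error, authentication_failed} = unwrap_cert(Key, <<"node-b.example.com">>, Env),
    %% Single-bit corruption of the ciphertext: rejected.
    Tampered = Env#{ciphertext := flip_first_bit(maps:get(ciphertext, Env))},
    {error, authentication_failed} = unwrap_cert(Key, Id, Tampered),
    io:format("wrap/unwrap ok; wrong id and tampered ciphertext both rejected~n"),
    ok.

flip_first_bit(<<B, Rest/binary>>) -> <<(B bxor 1), Rest/binary>>.
```

The envelope deliberately carries the nonce and tag in the clear; GCM does not require them to be secret, only that the nonce is unique per key and that decryption refuses to release plaintext when the tag check fails. If a private key travels in the same PEM as the certificate, the same wrap applies, but the receiver should write it with restrictive permissions into the configurable certs/ directory the PR introduces rather than the working directory.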