TLS & Certificates
OmniBus serves HTTPS out of the box and gives you three ways to make browsers trust it.
Built-in internal CA (default)
On first boot OmniBus generates:
- A Root CA (10-year), and
- A leaf certificate (~27 months) signed by it for the server.
The leaf's SAN list is regenerated automatically when the hostname or any non-loopback IPv4 address changes, so the certificate keeps matching how you reach the box.
Files live in the data directory: ca-key.pem (0600), ca-cert.pem (0644), key.pem (0600), cert.pem (0644).
Make the warning go away — install the Root CA once
Because the leaf is signed by a CA your browser doesn't know, you get a certificate warning the first time. Rather than click past it forever:
- Download the Root CA (no login required):
  GET http://<host>/api/system/ca-cert
  This endpoint is unauthenticated on purpose — the CA is a public credential, safe to hand out.
- Install it once in your OS / browser trust store.
- You'll never see the warning again on this device — even after the leaf rotates, because your machine now trusts the issuing CA.
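Before adding the downloaded CA to a trust store it is worth confirming that the leaf the box actually serves chains to it and still lists the name you use. The script below is an added example, not OmniBus project code; it assumes OMNIBUS_HOST names the box, that curl and openssl are installed, and a Debian/Ubuntu trust-store path for the install step.

```shell
#!/bin/sh
# Added example (not from the OmniBus project): fetch the internal Root CA,
# prove the served leaf chains to it, check the SAN, then install it.
set -eu

fetch_ca() {            # fetch_ca <host> <out.pem>: the unauthenticated endpoint
    curl -fsS "http://$1/api/system/ca-cert" -o "$2"
    grep -q 'BEGIN CERTIFICATE' "$2"
}

fetch_leaf() {          # fetch_leaf <host> <out.pem>: what port 443 presents
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -outform PEM >"$2"
}

# 0 only if <leaf> was signed by <ca>; anything else means wrong box,
# a CA regenerated since you downloaded it, or something in the path.
verify_chain() {        # verify_chain <ca.pem> <leaf.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the leaf's SAN list contains <host-or-ip> as a whole entry.
san_covers() {          # san_covers <leaf.pem> <host-or-ip>
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
      | grep -qwF -- "$2"
}

install_ca() {          # install_ca <ca.pem>  (Debian/Ubuntu path; assumption)
    sudo install -m 0644 "$1" /usr/local/share/ca-certificates/omnibus-root-ca.crt
    sudo update-ca-certificates
}

main() {
    host="$OMNIBUS_HOST"
    tmp=$(mktemp -d)
    fetch_ca "$host" "$tmp/ca.pem"
    fetch_leaf "$host" "$tmp/leaf.pem"
    verify_chain "$tmp/ca.pem" "$tmp/leaf.pem" \
      || { echo "served leaf does not chain to the downloaded CA; not installing" >&2; exit 1; }
    san_covers "$tmp/leaf.pem" "$host" \
      || echo "warning: $host is not in the leaf's SAN list; expect a name mismatch" >&2
    install_ca "$tmp/ca.pem"
}

# Only run end-to-end when the caller named a box (OMNIBUS_HOST is an assumption).
if [ -n "${OMNIBUS_HOST:-}" ]; then main; fi
```

If verify_chain fails, the fix is to re-download the CA from the box (it may have been regenerated), not to install what you have.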
Reverse proxy with auto-cert (recommended for public names)
Front OmniBus with Caddy or nginx and let the proxy terminate TLS. With Caddy it's one line:
omnibus.example.com {
    reverse_proxy localhost:80
}
Caddy provisions and renews a Let's Encrypt certificate automatically; OmniBus
stays on plain HTTP behind it. OmniBus is already configured to trust the
proxy's X-Forwarded-For, so the audit log records the real client IP.
Bring your own public certificate
Set OMNIBUS_TLS_CERT and OMNIBUS_TLS_KEY to PEM file paths (e.g. a Let's
Encrypt cert) and OmniBus serves HTTPS with them directly. The internal CA
scaffolding stays in place for downloads but is harmless when the leaf is
publicly trusted.
On a systemd install, set these in a drop-in. Running
sudo systemctl edit omnibus
opens an editor for the override; add:
[Service]
Environment=OMNIBUS_TLS_CERT=/etc/omnibus/fullchain.pem
Environment=OMNIBUS_TLS_KEY=/etc/omnibus/privkey.pem
then apply it with:
sudo systemctl restart omnibus