How to obtain TLS pin from flynn cluster?

Question

When adding a new cluster the following command must be used:

flynn cluster add -p <tls pin> <cluster name> <controller domain> <controller key>

Where do you obtain the <tls pin>?

Answer 1

You can generate the TLS Pin with the following command:

openssl s_client -connect controller.$CLUSTER_DOMAIN:443 \
  -servername controller.$CLUSTER_DOMAIN 2>/dev/null </dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  | openssl x509 -inform PEM -outform DER \
  | openssl dgst -binary -sha256 \
  | openssl base64

(be sure to set CLUSTER_DOMAIN first, e.g. CLUSTER_DOMAIN=xxxx.flynnhub.com)

Answer 2

If you set up a client machine with the Flynn CLI, you can find the TLS pin in the ~/.flynnrc file on that machine. It looks like this:

[[cluster]]
  Name = "flynn-cluster"
  Key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  TLSPin = "------> THE TLS PIN <-------"
  ControllerURL = "https://controller.xxxx.flynnhub.com"
  GitURL = "https://git.xxxx.flynnhub.com"

Answer 3

Answer from jvatic didn't work with a self-signed cert for me so I obtained the TLS Pin by logging into flynn node and running this bash one-liner monstrosity on it:

flynn-host inspect $(flynn-host ps | grep router | head -n1 | cut -f1 -d ' ') | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
    sed -e 's/ENV\[TLSCERT\]\s\+//g' | \
    openssl x509 -inform PEM -outform DER | \
    openssl dgst -binary -sha256 | openssl base64