API clients only support one server certificate at a time

[mrmonkington]

I have written a simple python API client app to look up historic flowcell check results across multiple P2-solo hosts.

Unfortunately each of these minknow instances seems to use a secure channel with its own self-signed certificates and the python API client library only allow one ca.crt to be read at runtime via the MINKNOW_TRUSTED_CA environment variable.

According to #77 these certificates are regenerated at boot and daily (though only picked up when Minknow service restarts), and seems to ignore the application_conf configured cert path. This isn't very easy to unpick for anybody starting to write remote API client tools! (Please can you improve the docs for remote connections?)

The quickest fix I can see is to replace the certificates with my own single cert shared across all instances and clients and disable rpc-certs-gend.service. Is that what ONT recommend or are they likely to change things again before #77 is fixed?

[StephDC]

A quick correction:

The certs-gend.timer would start the certs-gend.service once per day at midnight, but if they detected a certificate that is available and usable, it would not overwrite it with a new set of certs. It would just keep the certs in place and do nothing other than fixing the permission (which is still erroneous). That actually helps eliminating 99% of edge cases.

I believe you should be able to keep using the cert you setup from there till it got regenerated due to approaching end of life by the service, or disable that service and timer, and basically taking over the cert update as your own responsibility.