TLS - FrankoonG/hy2scale GitHub Wiki
TLS Certificate Management
HY2 SCALE ships with a small PKI UI that covers the certificates needed by Hysteria 2, the web UI, and IKEv2 MSCHAPv2.

Certificate storage
Certificates live under /data/tls/:
```
/data/tls/
├── default.crt   # PEM certificate
├── default.key   # private key
└── default.name  # display name
```
Each certificate is a triple {id}.crt, {id}.key, {id}.name.
Default certificate
On first boot, a self-signed certificate is auto-generated:
- ID: default
- Algorithm: ECDSA P-256
- Validity: 10 years
- CN/SAN: node ID + derived domains
This is what the Hysteria 2 QUIC server uses out of the box. Replace it any time.
Operations
The TLS table follows HY2 SCALE's shared select-then-act pattern: single-click a certificate row to single-select, then use the green Edit button at the top right of the card (between Bulk Delete and + New). Click anywhere outside the card body (page heading, card header) to clear a single-row selection; multi-select is sticky. The leading checkbox cell is the entire padded area, not just the small input.
Generate
Click + New, fill in:
| Field | Description |
|---|---|
| Name | display name |
| Domains | Subject Alternative Names (comma-separated) |
| Days | validity in days (default 3650) |
| CA | tick to produce a CA certificate |
Generated certs use ECDSA P-256 with a random 128-bit serial.
Import PEM
Paste certificate and private key as PEM text.
Import from Path
Point the UI at existing files on disk (for example /etc/letsencrypt/live/example.com/fullchain.pem). The files are copied into /data/tls/; later edits to the originals are not tracked.
Sign with CA
If you have a CA cert in the list, use Sign: pick the signer, enter subject CN and SANs, set validity, and the new leaf certificate appears with a CA badge linking back to its parent.
Export
The PEM button on each certificate streams it back to you.
Delete
Warning: do not delete a certificate that is actively used by Hysteria 2, HTTPS, or IKEv2 without first pointing those services at a different cert. Deleting an in-use cert breaks the service until reconfigured.
Where certificates are used
| Service | Role |
|---|---|
| Hysteria 2 | required (QUIC TLS) |
| Web UI HTTPS | optional (HTTPS for /scale) |
| IKEv2 MSCHAPv2 | required (server authenticates to clients) |
Hysteria 2
The default self-signed cert works for mesh relay (peers set insecure: true or pin the cert via ca). For public Hysteria 2 clients, swap in a real certificate from Let's Encrypt or your own CA.
HTTPS web UI
Pick a cert under Settings → Web → HTTPS. HTTP requests redirect to HTTPS thereafter.
IKEv2 MSCHAPv2: CA workflow
MSCHAPv2 needs a server cert that clients trust. The recommended flow:
- Generate a CA certificate (tick the CA box).
- In Proxies → IKEv2/IPsec, pick the CA as the server cert selector.
- On startup, HY2 SCALE auto-mints a server certificate signed by the CA, with CN/SAN matching local_id. The mint algorithm is RSA-2048 for maximum client compatibility (iOS / macOS / Windows / Android).
- Export the CA cert and install it on every client device.
- Clients then trust the server and authenticate with their HY2 SCALE username + password.
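The CA flow above, together with the Generate and Sign with CA operations described earlier, as an added Go example that is not hy2scale's own code: it issues a self-signed ECDSA P-256 CA with a random 128-bit serial, mints an RSA-2048 server certificate whose CN/SAN is a constructed stand-in for local_id (vpn.example.com), verifies the chain the way a client holding the exported CA does, writes the pair out as the {id}.crt / {id}.key PEM files and runs the key-matches-certificate check worth doing before Import PEM. CertSpec, Issue, VerifyChain, ToPEM and KeyMatchesCert are names chosen here and are not hy2scale API.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// CertSpec mirrors the "+ New" form fields on this page (a hypothetical type, not hy2scale code).
type CertSpec struct {
	Name    string   // display name, used here as the CN
	Domains []string // Subject Alternative Names
	Days    int      // validity in days
	IsCA    bool     // the CA tick box
	RSA     bool     // RSA-2048 instead of the default ECDSA P-256 (the IKEv2 mint choice)
}

// Issue generates a key and a certificate for spec: self-signed when parent is nil ("Generate"), signed by parentKey otherwise ("Sign with CA").
func Issue(spec CertSpec, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, crypto.Signer, error) {
	var key crypto.Signer
	var err error
	if spec.RSA {
		key, err = rsa.GenerateKey(rand.Reader, 2048)
	} else {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial, as on the page
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: spec.Name},
		DNSNames:              spec.Domains,
		NotBefore:             time.Now().Add(-time.Minute), // small clock-skew allowance
		NotAfter:              time.Now().AddDate(0, 0, spec.Days),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	if spec.IsCA {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyChain is what a client holding the exported CA does: leaf must chain to ca and carry dnsName.
func VerifyChain(leaf, ca *x509.Certificate, dnsName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// ToPEM encodes the {id}.crt / {id}.key pair described under "Certificate storage".
func ToPEM(cert *x509.Certificate, key crypto.PrivateKey) (certPEM, keyPEM []byte, err error) {
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// KeyMatchesCert is the pre-flight check for "Import PEM": tls.X509KeyPair rejects a key that does not belong to the cert.
func KeyMatchesCert(certPEM, keyPEM []byte) bool {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err == nil
}
func main() {
	// Constructed values; "vpn.example.com" stands in for the IKEv2 local_id. Errors are ignored in this demo only.
	ca, caKey, _ := Issue(CertSpec{Name: "hy2scale internal CA", Days: 3650, IsCA: true}, nil, nil)
	leaf, leafKey, _ := Issue(CertSpec{Name: "vpn.example.com", Domains: []string{"vpn.example.com"}, Days: 365, RSA: true}, ca, caKey)
	certPEM, keyPEM, _ := ToPEM(leaf, leafKey)
	fmt.Println("chain valid for local_id:", VerifyChain(leaf, ca, "vpn.example.com") == nil)
	fmt.Println("key matches cert:", KeyMatchesCert(certPEM, keyPEM))
}
```

VerifyChain with an empty dnsName skips the hostname check, which is how to confirm that a self-signed certificate such as the default one verifies against itself; passing a name that is not in the SANs fails, which is the behaviour a client sees when local_id and the server certificate drift apart.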
CA certificates at a glance
CA certs show a CA badge in the list. Leaf certs show their signer name. Use the PKI to:
- sign IKEv2 server certs automatically
- sign sub-certs for other internal services
- establish a small mesh-wide PKI without external dependencies