Automatic TLS certificate provisioning for sndctl devices. Zero-configuration HTTPS for every device.
This server provisions TLS certificates for sndctl devices, enabling HTTPS without requiring customers to configure anything. Each device contacts this server on first boot to receive a valid, publicly-trusted certificate.
Devices get valid certificates automatically on first boot
Certificates are automatically renewed before expiry
Pre-provision and manage devices through the admin portal
Administrators pre-provision devices in the system through the admin portal. Each device receives a unique ID and secret that will be embedded in the device firmware.
On first boot, the device calls POST /api/register with its device ID and secret. The server validates credentials and initiates certificate provisioning.
The server uses the ACME protocol with the DNS-01 challenge to obtain a valid TLS certificate from Let's Encrypt. The certificate is issued for the device's unique hostname (e.g., abc123.sonoshub.io).
The device receives its hostname, certificate, and private key. It configures its web server (Caddy) to serve HTTPS with the provisioned certificate.
Before certificates expire, devices call POST /api/renew to obtain new certificates. The server handles the renewal process automatically.
POST /api/register
Register a device and obtain its initial TLS certificate.
X-Device-Secret: <device-secret>
{ "deviceId": "abc123def456" }
POST /api/renew
Renew an existing device's TLS certificate before expiry.
X-Device-Secret: <device-secret>
{ "deviceId": "abc123def456", "hostname": "abc123def456.sonoshub.io" }
/api/health
Health check endpoint to verify the server is running.
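One way the server-side checks behind POST /api/register and POST /api/renew could look, as an added example that is not this project's code. The hashed secret store, the status codes, and the rule that a device's hostname is its device ID under sonoshub.io (inferred from the sample requests) are assumptions, and the secrets are constructed.

```python
import hashlib
import hmac

DOMAIN = "sonoshub.io"  # taken from the page's sample hostname

# Constructed device store: deviceId -> SHA-256 of the provisioned secret.
# Assumption: secrets are long random values, so a fast hash is acceptable.
DEVICES = {
    "abc123def456": hashlib.sha256(b"constructed-secret-1").hexdigest(),
    "fff000aaa111": hashlib.sha256(b"constructed-secret-2").hexdigest(),
}


def authenticate(headers, body):
    """Return the device ID if X-Device-Secret matches it, else None."""
    device_id = body.get("deviceId")
    secret = headers.get("X-Device-Secret")
    if not isinstance(device_id, str) or not isinstance(secret, str):
        return None
    # Unknown IDs are compared against a dummy digest so both paths do equal work.
    stored = DEVICES.get(device_id, "0" * 64)
    presented = hashlib.sha256(secret.encode()).hexdigest()
    matches = hmac.compare_digest(presented, stored)  # constant-time compare
    return device_id if matches and device_id in DEVICES else None


def handle(path, headers, body):
    """Return (status, detail); status codes are illustrative assumptions."""
    if path not in ("/api/register", "/api/renew"):
        return 404, "unknown endpoint"
    device_id = authenticate(headers, body)
    if device_id is None:
        return 401, "invalid device credentials"
    hostname = f"{device_id}.{DOMAIN}"  # assumed hostname rule
    if path == "/api/renew" and body.get("hostname") != hostname:
        # An authenticated device may only renew its own hostname.
        return 403, "hostname does not belong to this device"
    return 200, hostname  # ACME DNS-01 issuance would start here


if __name__ == "__main__":
    hdr = {"X-Device-Secret": "constructed-secret-1"}
    print(handle("/api/register", hdr, {"deviceId": "abc123def456"}))
    print(handle("/api/renew", hdr, {"deviceId": "abc123def456",
                                     "hostname": "fff000aaa111.sonoshub.io"}))
```

Binding the hostname in a renew request to the authenticated device ID keeps one device's secret from being used to obtain a certificate and key for another device's name.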