Feature: Certificates - cockpit-project/cockpit GitHub Wiki

Overview

Cockpit currently defaults to self-signed certificates, with no obvious way to change this. The user experience, especially for first-time use, should be improved.

Problem description

Invalid (including self-signed) certificates can be worked-around in many browsers (Firefox and Chrome), but not all (Safari, including iOS). Even in the best case scenario, where it's possible to accept invalid certificates, browsers show a bunch of scary warning language and usually show odd interface choices.

Goal

Make it easy to use a valid certificate in Cockpit.

Blocking

Bad certificates stop the following:

  • iPhone & iPad usage
  • Ease of use for common desktop browsers
  • Future browsers which may stop accepting invalid certificates as a workaround (Firefox and Chrome both have been tightening down TLS)
  • Good security practices

Stories

TBD

Solutions

We should implement as many solutions as we can. Some of these will work in some cases (Letsencrypt for a host that's exposed to the Internet) and some will be needed for others (Cockpit UI for uploading an existing cert, for those not familiar with Linux).

To-be-implemented

  1. Better documentation
    • The website should have a quick start page, linked and/or included from the running page
    • Mentioned from within Cockpit (see point #3)
    • Mentioned (& linked?) at the Cockpit log in screen
  2. Cockpit-based UI to add certificates (letsencrypt / upload)
    • used in a browser where a self-signed cert has been accepted
    • intended for first-run (after temporarily accepting self-signed cert)
    • also used for an expiring certificate
    • could upload cert files individually or contained in a zip (or tgz)
  3. Prominent warning within Cockpit itself, with a link to fix it (using the Cockpit-based UI in #2)
  4. Automatically use a cert from a FreeIPA domain, if it applies (done)
  5. Kickstart directive for installing certs (mentioned by @sgallagh; probably has one of "the biggest effect-vs-effort ratios")

Implemented solutions

  1. Command line helper command to fix certificate issues (by running letsencrypt or installing a certificate)
  2. Cockpit Guide: HTTPS
  3. FreeIPA integration
  4. Docu for use with LetsEncrypt withou apache:
    https://github.com/cockpit-project/cockpit/wiki/Cockpit-with-LetsEncrypt