[[https]]
= SSL/TLS Usage

Cockpit usually requires that web browsers communicate with it using
HTTPS, for security reasons.

[[https-required]]
== HTTPS Requirement

Cockpit listens for both HTTP and HTTPS connections on the same port, by
default 9090. If an HTTP connection is made, Cockpit will redirect that
connection to HTTPS. There are some exceptions:

* If an HTTP connection comes from `+localhost+` (`+127.0.0.1+` or
`+::1+`), then Cockpit will allow communication without redirecting to
HTTPS.
* Certain URLs, like `+/ping+`, are not required to use HTTPS.

This behavior can be overridden by setting the `+AllowUnencrypted+`
option in `+cockpit.conf+`.
[[https-certificates]]
== Certificates

Cockpit will load a certificate from the `+/etc/cockpit/ws-certs.d+`
directory, or from below `+$XDG_CONFIG_DIRS+` if that is set (see
link:./cockpit.conf.5.html[cockpit.conf]). It will use the last file
with a `+.cert+` or `+.crt+` extension in alphabetical order. The file
should contain one or more OpenSSL style `+BEGIN CERTIFICATE+` blocks
for the server certificate and the intermediate certificate authorities.

The private key must be contained in a separate file with the same name
as the certificate, but with a `+.key+` suffix instead. The key must not
be encrypted.

If no certificate is found, a self-signed certificate is created and
stored in the `+0-self-signed.cert+` file. On some platforms, Cockpit
will also generate a `+ca.crt+` in that directory, which may be safely
imported into client browsers.

Cockpit will read the files as root, so they can have tight permissions.

To check which certificate `+cockpit-ws+` will use, run the following
command:
....
$ sudo /usr/libexec/cockpit-certificate-ensure --check
....
Or, on Debian-based systems:
....
$ sudo /usr/lib/cockpit/cockpit-certificate-ensure --check
....
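The selection rule described above (last `+.cert+`/`+.crt+` file in alphabetical order, a same-named unencrypted `+.key+` beside it) can be approximated in a few lines of POSIX shell, which is handy for a pre-deployment check or a monitoring script on hosts where the `+cockpit-certificate-ensure+` tool is not available. The script below is an added example and is not part of Cockpit or its tooling; it assumes a byte-wise ordering (`+LC_ALL=C sort+`) as an approximation of Cockpit's "alphabetical order", detects key encryption only through the `+ENCRYPTED+` marker in PEM headers, and builds a constructed sample directory with placeholder PEM bodies rather than real key material.

```shell
#!/bin/sh
# Added example, not Cockpit's own code: approximate the documented
# ws-certs.d selection rule and sanity-check the implied key file.

# Print the file name Cockpit's rule would pick in DIR: the last file
# ending in .cert or .crt, in alphabetical (here: byte-wise) order.
cockpit_pick_cert() {
    dir="$1"
    # Assumption: LC_ALL=C sort is close enough to the order cockpit-ws uses.
    ls -1 "$dir" 2>/dev/null | grep -E '\.(cert|crt)$' | LC_ALL=C sort | tail -n 1
}

# Return 0 if the chosen certificate has a usable key next to it,
# 1 otherwise, printing one line explaining the outcome.
cockpit_check_pair() {
    dir="$1"
    cert=$(cockpit_pick_cert "$dir")
    if [ -z "$cert" ]; then
        echo "no certificate found: cockpit-ws would generate 0-self-signed.cert"
        return 1
    fi
    # Same base name, .key suffix instead of .cert/.crt.
    key="$dir/${cert%.*}.key"
    if [ ! -f "$key" ]; then
        echo "missing key: $key"
        return 1
    fi
    # Cockpit requires an unencrypted key; PEM encryption shows up in the headers
    # ("BEGIN ENCRYPTED PRIVATE KEY" or a "Proc-Type: 4,ENCRYPTED" line).
    if grep -q 'ENCRYPTED' "$key"; then
        echo "key is encrypted: $key"
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$dir/$cert"; then
        echo "no BEGIN CERTIFICATE block in $dir/$cert"
        return 1
    fi
    echo "cockpit-ws would use $dir/$cert with key $key"
    return 0
}

# Write a placeholder PEM block: $1 = PEM label, $2 = destination file.
# The body is the literal word PLACEHOLDER, not real key or certificate data.
write_pem() {
    printf '%s\n' "-----BEGIN $1-----" "PLACEHOLDER" "-----END $1-----" > "$2"
}

# Constructed sample directory mimicking a ws-certs.d layout:
# a self-signed pair plus a certmonger pair whose key is (wrongly) encrypted.
make_sample_dir() {
    d=$(mktemp -d)
    write_pem CERTIFICATE "$d/0-self-signed.cert"
    write_pem "PRIVATE KEY" "$d/0-self-signed.key"
    write_pem CERTIFICATE "$d/50-certmonger.cert"
    write_pem "ENCRYPTED PRIVATE KEY" "$d/50-certmonger.key"
    printf 'not a certificate\n' > "$d/README"
    echo "$d"
}

# Demonstration on the constructed directory; on a real host run
# `cockpit_check_pair /etc/cockpit/ws-certs.d` as root, since the key
# files are normally readable only by root.
sample=$(make_sample_dir)
cockpit_check_pair "$sample" || true
rm -rf "$sample"
```

On the constructed directory the script reports that `+50-certmonger.cert+` wins over `+0-self-signed.cert+` but that its key is encrypted, which is exactly the situation Cockpit would reject; regenerating the key unencrypted (or renaming the pair so the self-signed one sorts last) makes the check pass.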
If using `+certmonger+` to manage certificates, the following command can
be used to automatically prepare a certificate/key file pair:

....
getcert request -f /etc/cockpit/ws-certs.d/50-certmonger.cert \
    -k /etc/cockpit/ws-certs.d/50-certmonger.key \
    -D myhostname.example.com \
    [--ca=...]
....

This will not work on Red Hat Enterprise Linux 8 by default. Adjust the
SELinux type of the certificate directory to `+cert_t+` to allow
certmonger to write its certificates there:

....
semanage fcontext -a -t cert_t '/etc/cockpit/ws-certs\.d(/.*)?'
restorecon -v /etc/cockpit/ws-certs.d
....