Cockpit currently defaults to self-signed certificates, with no obvious way to change this. The user experience, especially for first-time use, should be improved.
Invalid (including self-signed) certificates can be worked around in many browsers (Firefox and Chrome), but not all (Safari, including iOS). Even in the best-case scenario, where it's possible to accept invalid certificates, browsers show a bunch of scary warning language and usually show odd interface choices.
Make it easy to use a valid certificate in Cockpit.
Bad certificates stop the following:
- iPhone & iPad usage
- Ease of use for common desktop browsers
- Future browsers which may stop accepting invalid certificates as a workaround (Firefox and Chrome both have been tightening down TLS)
- Good security practices
We should implement as many solutions as we can. Some of these will work in some cases (Let's Encrypt for a host that's exposed to the Internet) and some will be needed for others (Cockpit UI for uploading an existing cert, for those not familiar with Linux).
1. Better documentation
   - The website should have a quick start page, linked and/or included from the running page
   - Mentioned from within Cockpit (see point #3)
   - Mentioned (& linked?) at the Cockpit login screen
2. Cockpit-based UI to add certificates (Let's Encrypt / upload)
   - used in a browser where a self-signed cert has been accepted
   - intended for first-run (after temporarily accepting self-signed cert)
   - also used for an expiring certificate
   - could upload cert files individually or contained in a zip (or tgz)
3. Prominent warning within Cockpit itself, with a link to fix it (using the Cockpit-based UI in #2)
4. Automatically use a cert from a FreeIPA domain, if it applies (done)
5. Kickstart directive for installing certs (mentioned by @sgallagh; probably has one of "the biggest effect-vs-effort ratios")