From e959403c23d7557ef8f5e0e4ce84553470098bb5 Mon Sep 17 00:00:00 2001 From: Kyle Filz Date: Wed, 30 Jun 2021 23:53:52 -0500 Subject: [PATCH 1/5] docs(onpremise): Document adding custom CA roots --- src/components/sidebar.tsx | 1 + src/docs/self-hosted/custom-ca-roots.mdx | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 src/docs/self-hosted/custom-ca-roots.mdx diff --git a/src/components/sidebar.tsx b/src/components/sidebar.tsx index 7451c843be..516e435267 100644 --- a/src/components/sidebar.tsx +++ b/src/components/sidebar.tsx @@ -107,6 +107,7 @@ export default () => { Geolocation Single Sign-On (SSO) Backup & Restore + Custom CA Roots Versioning & Releases diff --git a/src/docs/self-hosted/custom-ca-roots.mdx b/src/docs/self-hosted/custom-ca-roots.mdx new file mode 100644 index 0000000000..dadc99bdb7 --- /dev/null +++ b/src/docs/self-hosted/custom-ca-roots.mdx 
@@ -0,0 +1,22 @@
+---
+title: "Self-Hosted Custom CA Roots"
+---
+
+Starting with Sentry `21.7.0`, if you need to have Sentry access services which do not have TLS certificates from publicly trusted CA roots, it's now possible to easily add them to the containers. Just add the certificates to the `certificates` folder inside the root of your Sentry install and restart the containers.
+
+
+ While you can run update-ca-certificates in each container, that will update the system's root bundle on disk, but does nothing for any copies in memory. Restarting the container will update the bundle and make sure it's used.
+
+
+The container's logs will have the output from `update-ca-certificates` right at the start if there is a problem with a given certificate.
+
+## Dependencies with bundled roots
+
+Some dependencies have opted to bundle their own CA roots and ingore the system CA roots. Where known, they have been configured to use the system roots. If something seems to ignore the system roots, make an issue so it can be tracked down and fixed.
+
+### Overridden bundled roots
+
+- Python
+ - request
+ - botocore
+ - grpc
From 5205e430f2123c04ab6fe6bffc208beecc287ff9 Mon Sep 17 00:00:00 2001
From: Chad Whitacre
Date: Fri, 16 Jul 2021 09:14:59 -0600
Subject: [PATCH 2/5] Picking a few nits
---
 src/docs/self-hosted/custom-ca-roots.mdx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/docs/self-hosted/custom-ca-roots.mdx b/src/docs/self-hosted/custom-ca-roots.mdx
index dadc99bdb7..93ce5b1ce8 100644
--- a/src/docs/self-hosted/custom-ca-roots.mdx
+++ b/src/docs/self-hosted/custom-ca-roots.mdx
@@ -2,7 +2,7 @@ title: "Self-Hosted Custom CA Roots" --- -Starting with Sentry `21.7.0`, if you need to have Sentry access services which do not have TLS certificates from publicly trusted CA roots, it's now possible to easily add them to the containers. Just add the certificates to the `certificates` folder inside the root of your Sentry install and restart the containers. +Starting with Sentry `21.8.0`, if you need to have Sentry access services which do not have TLS certificates from publicly trusted CA roots, it's now possible to easily add them to the containers. Just add the certificates to the `certificates` folder inside the root of your Sentry install and restart the containers. While you can run update-ca-certificates in each container, that will update the system's root bundle on disk, but does nothing for any copies in memory. Restarting the container will update the bundle and make sure it's used. @@ -12,11 +12,11 @@ The container's logs will have the output from `update-ca-certificates` right at ## Dependencies with bundled roots -Some dependencies have opted to bundle their own CA roots and ingore the system CA roots. Where known, they have been configured to use the system roots. If something seems to ignore the system roots, make an issue so it can be tracked down and fixed. +Some dependencies have opted to bundle their own CA roots and ignore the system CA roots. Where known, they have been configured to use the system roots. If something seems to ignore the system roots, make an issue so it can be tracked down and fixed. ### Overridden bundled roots - Python - - request + - requests - botocore - grpc From 9e23d40bc60046a9abd9966bff7f05bc2b289afb Mon Sep 17 00:00:00 2001 
From: Chad Whitacre Date: Fri, 16 Jul 2021 11:32:37 -0400 Subject: [PATCH 3/5] A couple more small changes - Fiddle with nav - Fiddle with formatting --- src/components/sidebar.tsx | 2 +- src/docs/self-hosted/custom-ca-roots.mdx | 10 +++++----- src/docs/self-hosted/index.mdx | 1 + 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/components/sidebar.tsx b/src/components/sidebar.tsx index 516e435267..9fd7914da0 100644 --- a/src/components/sidebar.tsx +++ b/src/components/sidebar.tsx @@ -103,11 +103,11 @@ export default () => {
    Overview + Custom CA Roots Email Geolocation Single Sign-On (SSO) Backup & Restore - Custom CA Roots Versioning & Releases diff --git a/src/docs/self-hosted/custom-ca-roots.mdx b/src/docs/self-hosted/custom-ca-roots.mdx index 93ce5b1ce8..88c3762330 100644 --- a/src/docs/self-hosted/custom-ca-roots.mdx +++ b/src/docs/self-hosted/custom-ca-roots.mdx @@ -10,13 +10,13 @@ Starting with Sentry `21.8.0`, if you need to have Sentry access services which The container's logs will have the output from `update-ca-certificates` right at the start if there is a problem with a given certificate. -## Dependencies with bundled roots +## Dependencies With Bundled Roots Some dependencies have opted to bundle their own CA roots and ignore the system CA roots. Where known, they have been configured to use the system roots. If something seems to ignore the system roots, make an issue so it can be tracked down and fixed. -### Overridden bundled roots +### Overridden Bundled Roots - Python - - requests - - botocore - - grpc + - `requests` + - `botocore` + - `grpc` diff --git a/src/docs/self-hosted/index.mdx b/src/docs/self-hosted/index.mdx index a77e23161e..464c8dafa5 100644 --- a/src/docs/self-hosted/index.mdx +++ b/src/docs/self-hosted/index.mdx @@ -36,6 +36,7 @@ You can find more about configuring Sentry at [the configuration section of our Here is further information on specific configuration topics related to self-hosting: +- [Custom CA Roots](/self-hosted/custom-ca-roots/) - [Email](/self-hosted/email/) - [Geolocation](/self-hosted/geolocation/) - [Single Sign-On (SSO)](/self-hosted/sso/) From c1c71dc95c82211cda455679607b7b394daf559e Mon Sep 17 00:00:00 2001 From: Chad Whitacre Date: Fri, 16 Jul 2021 16:15:22 -0400 Subject: [PATCH 4/5] Add links and note on relation to defaults --- src/docs/self-hosted/custom-ca-roots.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/src/docs/self-hosted/custom-ca-roots.mdx b/src/docs/self-hosted/custom-ca-roots.mdx
index 88c3762330..a1a0ee29dc 100644
--- a/src/docs/self-hosted/custom-ca-roots.mdx
+++ b/src/docs/self-hosted/custom-ca-roots.mdx
@@ -2,17 +2,17 @@ title: "Self-Hosted Custom CA Roots" --- -Starting with Sentry `21.8.0`, if you need to have Sentry access services which do not have TLS certificates from publicly trusted CA roots, it's now possible to easily add them to the containers. Just add the certificates to the `certificates` folder inside the root of your Sentry install and restart the containers. +Starting with Sentry `21.8.0`, if you need to have Sentry access services which do not have TLS certificates from publicly trusted CA roots, it's now possible to easily add them to the containers. Just add the certificates to the `certificates` folder inside the root of your Sentry install and restart the containers.Your custom CA roots will be used in addition to the publicly trusted CA roots. - While you can run update-ca-certificates in each container, that will update the system's root bundle on disk, but does nothing for any copies in memory. Restarting the container will update the bundle and make sure it's used. + While you can run update-ca-certificates in each container, that will update the system's root bundle on disk, but does nothing for any copies in memory. Restarting the container will update the bundle and make sure it's used. The container's logs will have the output from `update-ca-certificates` right at the start if there is a problem with a given certificate. ## Dependencies With Bundled Roots -Some dependencies have opted to bundle their own CA roots and ignore the system CA roots. Where known, they have been configured to use the system roots. If something seems to ignore the system roots, make an issue so it can be tracked down and fixed. +Some dependencies have opted to bundle their own CA roots and ignore the system CA roots. Where known, they have been configured to use the system roots. If something seems to ignore the system roots, [make an issue](https://github.com/getsentry/onpremise/issues/new?template=bug.yml) so it can be tracked down and fixed. 
### Overridden Bundled Roots
From 2c51d57bb46865f937af42c1e7694e18f9a66cf1 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Fri, 30 Jul 2021 18:43:15 +0300
Subject: [PATCH 5/5] Apply suggestions from code review
---
 src/docs/self-hosted/custom-ca-roots.mdx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/docs/self-hosted/custom-ca-roots.mdx b/src/docs/self-hosted/custom-ca-roots.mdx
index a1a0ee29dc..ee40e80147 100644
--- a/src/docs/self-hosted/custom-ca-roots.mdx
+++ b/src/docs/self-hosted/custom-ca-roots.mdx
@@ -2,17 +2,17 @@ title: "Self-Hosted Custom CA Roots" --- -Starting with Sentry `21.8.0`, if you need to have Sentry access services which do not have TLS certificates from publicly trusted CA roots, it's now possible to easily add them to the containers. Just add the certificates to the `certificates` folder inside the root of your Sentry install and restart the containers.Your custom CA roots will be used in addition to the publicly trusted CA roots. +Starting with Sentry `21.8.0`, if you need to have Sentry access services which do not have TLS certificates from publicly trusted CA roots, it's now possible to easily add them to the containers. Just add the certificates to the `certificates` folder inside the root of your Sentry install and restart the containers. Your custom CA roots will be used in addition to the publicly trusted CA roots. - While you can run update-ca-certificates in each container, that will update the system's root bundle on disk, but does nothing for any copies in memory. Restarting the container will update the bundle and make sure it's used. + While you can run update-ca-certificates in each container, that will update the system's root bundle on disk, but does nothing for any copies in memory. Restarting the container will update the bundle and make sure it is used. The container's logs will have the output from `update-ca-certificates` right at the start if there is a problem with a given certificate. ## Dependencies With Bundled Roots -Some dependencies have opted to bundle their own CA roots and ignore the system CA roots. Where known, they have been configured to use the system roots. If something seems to ignore the system roots, [make an issue](https://github.com/getsentry/onpremise/issues/new?template=bug.yml) so it can be tracked down and fixed. +Some dependencies have opted to bundle their own CA roots and ignore the system CA roots. Where known, they have been configured to use the system roots. 
If something seems to ignore the system roots, [create an issue](https://github.com/getsentry/onpremise/issues/new?template=bug.yml) so it can be tracked down and fixed. ### Overridden Bundled Roots