New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssl connection to XCP-NG using an internal/custom CA certificate #14
Comments
When you add the server to XO, there's a button to enable "Unauthorized Certificates". Did you try that? If you need custom CA, you should be able to mount a volume to your containers /etc/ssl/certs E: actually latter most likely doesn't work out of the box as that use-openssl-ca option isn't set. So not supported/tested currently in this container. |
Hi, Yes, it will work if I enable "Unauthorized Certificates". But that will make the connection between XO and XCP-NG unsecure. I can mount a volume then add my custom CA to /etc/ssl/certs. But I can't figure out how to set the "use-openssl-ca" option. Hopefully, this can be cosidered an option on future versions for this container. Possibly make it available as an env variable that can be set for the container? Thanks |
Hi, No it doesn't, traffic is as much encrypted as it would be with a trusted CA. As XO documentation says, if you manage your own CA, using this feature might make sense. Something like that is usually used in bigger business environments where you'd have multiple hosts and want to centrally manage issuing and lifetime of those certificates. Sure it adds a level of security by blocking traffic if CA doesn't match, but doesn't change the way XO and host communicate in any way. Sure i can take a look if this can be implemented into the container. |
Ok thanks. I did enable "Unauthorized Certificates" for now. Would be cool to expose this option as container variables. Thanks for looking into this. |
I added an option to define custom CA inside container. Just mount your CA as a file to Let me know how it works. The other |
Hi Roni, that worked like a charm. thanks. |
Awesome, thank you. |
I have setup XCP-NG and XO using custom certificates. I can access both Web UIs just fine using HTTPS.
However, I can't add the XCP-NG host as a server in XO using https. It always show this error
"self signed certificate in certificate chain"
Reading the XO documentation and github link below I see 2 things which are recommended to be set:
https://xen-orchestra.com/docs/configuration.html#link-to-xo-web
vatesfr/xen-orchestra#2659
I can see these are applicable with XO installed from the sources and running in a VM or bare metal.
Is there a way this can be applied using this docker image? Or is there a way I can add a xen server via https using custom CAs.
The text was updated successfully, but these errors were encountered: