
Feature: Certificates

Isaac Puch Rojo edited this page Feb 3, 2020 · 9 revisions

Overview

Cockpit currently defaults to self-signed certificates, with no obvious way to change this. The user experience, especially for first-time use, should be improved.

Problem description

Invalid (including self-signed) certificates can be worked around in many browsers (Firefox and Chrome), but not all (Safari, including iOS). Even in the best case, where it is possible to accept an invalid certificate, browsers show a lot of scary warning language and usually present odd interface choices.

Goal

Make it easy to use a valid certificate in Cockpit.

Blocking

Bad certificates stop the following:

  • iPhone & iPad usage
  • Ease of use for common desktop browsers
  • Future browsers which may stop accepting invalid certificates as a workaround (Firefox and Chrome both have been tightening down TLS)
  • Good security practices

Stories

TBD

Solutions

We should implement as many solutions as we can. Some of these will work in some cases (Letsencrypt for a host that's exposed to the Internet) and some will be needed for others (Cockpit UI for uploading an existing cert, for those not familiar with Linux).

To-be-implemented

  1. Better documentation
    • The website should have a quick start page, linked and/or included from the running page
    • Mentioned from within Cockpit (see point #3)
    • Mentioned (& linked?) at the Cockpit log in screen
  2. Cockpit-based UI to add certificates (letsencrypt / upload)
    • used in a browser where a self-signed cert has been accepted
    • intended for first-run (after temporarily accepting self-signed cert)
    • also used for an expiring certificate
    • could upload cert files individually or contained in a zip (or tgz)
  3. Prominent warning within Cockpit itself, with a link to fix it (using the Cockpit-based UI in #2)
  4. Automatically use a cert from a FreeIPA domain, if it applies (done)
  5. Kickstart directive for installing certs (mentioned by @sgallagh; probably has one of "the biggest effect-vs-effort ratios")

Implemented solutions

  1. Command line helper command to fix certificate issues (by running letsencrypt or installing a certificate)
  2. Cockpit Guide: HTTPS
  3. FreeIPA integration
  4. Documentation for use with LetsEncrypt without Apache:
    https://github.com/cockpit-project/cockpit/wiki/Cockpit-with-LetsEncrypt