/usr/share/doc/cockpit/guide/https.html is in cockpit-doc 164-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>SSL/TLS Usage</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<link rel="home" href="index.html" title="Cockpit Guide">
<link rel="up" href="guide.html" title="Part I. Deployment Guide">
<link rel="prev" href="cockpit-bridge.1.html" title="cockpit-bridge">
<link rel="next" href="listen.html" title="TCP Port and Address">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table class="navigation" id="top" width="100%" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
<td><a accesskey="p" href="cockpit-bridge.1.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
<td><a accesskey="u" href="guide.html"><img src="up.png" width="24" height="24" border="0" alt="Up"></a></td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
<th width="100%" align="center">Cockpit Guide</th>
<td><a accesskey="n" href="listen.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
</tr></table>
<div class="chapter">
<div class="titlepage"><div><div><h2 class="title">
<a name="https"></a>SSL/TLS Usage</h2></div></div></div>
<div class="toc"><dl class="toc">
<dt><span class="section"><a href="https.html#https-required">HTTPS Requirement</a></span></dt>
<dt><span class="section"><a href="https.html#https-certificates">Certificates</a></span></dt>
<dt><span class="section"><a href="https.html#https-compat">SSL Versions and Ciphers</a></span></dt>
</dl></div>
<p>Cockpit usually requires that web browsers communicate with it using HTTPS,
    for security reasons.</p>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="https-required"></a>HTTPS Requirement</h2></div></div></div>
<p>Cockpit listens for both HTTP and HTTPS connections on the same port, by
      default 9090. If an HTTP connection is made, Cockpit will redirect that
      connection to HTTPS. There are some exceptions:</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>If an HTTP connection comes from <code class="code">127.0.0.0/8</code>, then
        Cockpit will allow communication without redirecting to HTTPS.</p></li>
<li class="listitem"><p>Certain URLs, like <code class="code">/ping</code> are not required to use
        HTTPS.</p></li>
</ul></div>
<p>This behavior can be overridden by setting the
      <code class="code">AllowUnencrypted</code> option in the
      <code class="code">[WebService]</code> section of <code class="code">cockpit.conf</code>.
      With it set, logins and sessions are accepted over plain HTTP, so credentials
      and session data cross the network unencrypted; only do this when a
      TLS-terminating reverse proxy in front of Cockpit provides the encryption.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="https-certificates"></a>Certificates</h2></div></div></div>
<p>Cockpit loads its certificate from the <code class="code">/etc/cockpit/ws-certs.d</code>
      directory. If several files with a <code class="code">.cert</code> extension exist,
      it uses the one that sorts last in alphabetical order. The <code class="literal">.cert</code>
      file must contain at least two OpenSSL-style PEM blocks, in this order: one or more
      <code class="literal">BEGIN CERTIFICATE</code> blocks, the server certificate first
      followed by any intermediate certificate authorities, and finally one block
      containing a <code class="literal">BEGIN PRIVATE KEY</code> (or similar, such as
      <code class="literal">BEGIN RSA PRIVATE KEY</code>) private key. The private key
      must not be encrypted. For example:</p>
<pre class="programlisting">
-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIJAPXW+CuNYS6QMA0GCSqGSIb3DQEBCwUAMD8xKTAnBgNV
BAoMIGI0OGE2NGNkNmMwNTQ1YThhZTgxOTEzZDE5YmJjMmRjMRIwEAYDVQQDDAls
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIJAPXW+CuNYS6QMA0GCSqGSIb3DQEBCwUAMD8xKTAnBgNV
BAoMIGI0OGE2NGNkNmMwNTQ1YThhZTgxOTEzZDE5YmJjMmRjMRIwEAYDVQQDDAls
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyOJ5garOYw0sm
8TBCDSqQ/H1awGMzDYdB11xuHHsxYS2VepPMzMzryHR137I4dGFLhvdTvJUH8lUS
...
-----END PRIVATE KEY-----
</pre>
<p>If no certificate is found, a self-signed certificate is created and
      stored in the <code class="filename">0-self-signed.cert</code> file. On some
      platforms, Cockpit will also generate a ca.crt in that directory, which
      may be safely imported into client browsers.</p>
<p>To check which certificate <code class="code">cockpit-ws</code> will use, run
      the following command:</p>
<pre class="programlisting">
$ sudo remotectl certificate
</pre>
<p>If <code class="code">certmonger</code> manages the host certificate, the following
    command requests one and, each time certmonger saves a new or renewed certificate,
    writes the concatenated <code class="code">.cert</code> file that Cockpit expects:</p>
<pre class="programlisting">
# Paths where certmonger stores the issued certificate and its private key
CERT_FILE=/etc/pki/tls/certs/$(hostname).pem
KEY_FILE=/etc/pki/tls/private/$(hostname).key

# Request a certificate for this host. The -C command runs every time
# certmonger saves the certificate (first issue and each renewal) and
# concatenates certificate and key into the .cert file cockpit-ws loads.
getcert request -f ${CERT_FILE} -k ${KEY_FILE} -D $(hostname --fqdn) -C "sed -n w/etc/cockpit/ws-certs.d/50-from-certmonger.cert ${CERT_FILE} ${KEY_FILE}"
</pre>
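<p>The following shell script is an added example, not part of this guide or of the
    cockpit project. It reproduces the selection rule described above (the
    <code class="code">.cert</code> file that sorts last in
    <code class="code">/etc/cockpit/ws-certs.d</code>, taken here to mean byte order under
    <code class="code">LC_ALL=C</code>, which is an assumption) and checks that a file,
    whether assembled by hand or written by the certmonger command above, has the required
    layout: certificates first, exactly one unencrypted private key last, and, when
    <code class="code">openssl</code> is installed, a key that belongs to the server
    certificate. The function names and sample paths are the example's own.</p>

```shell
#!/bin/sh
# Added example, not part of the Cockpit guide or the cockpit project.
# Reproduces the guide's selection rule for /etc/cockpit/ws-certs.d and
# sanity-checks a .cert file before cockpit-ws is restarted.
# Assumptions: POSIX sh with grep/sort/tail; "alphabetical order" is taken
# to mean byte order (LC_ALL=C); openssl is optional.

# Print the .cert file cockpit-ws would load: the last name in sorted order.
cockpit_pick_cert() {
    dir="${1:-/etc/cockpit/ws-certs.d}"
    for f in "$dir"/*.cert; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done | LC_ALL=C sort | tail -n 1
}

# Verify the PEM layout the guide requires:
#   1. one or more BEGIN CERTIFICATE blocks (server cert first, then intermediates),
#   2. exactly one private key block, and it must be the last block,
#   3. the key must not be encrypted.
# Returns 0 when the layout is right, 1 with a reason on stdout otherwise.
cockpit_check_cert() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    keys=$(grep -c '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f" || true)
    [ "$certs" -ge 1 ] || { echo "no certificate block in $f"; return 1; }
    [ "$keys" -eq 1 ] || { echo "expected one private key block in $f, found $keys"; return 1; }
    # Encrypted PKCS#8 keys announce it in the BEGIN line; encrypted legacy
    # PEM keys carry a "Proc-Type: 4,ENCRYPTED" header line instead.
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "private key in $f is encrypted; cockpit-ws cannot use it"; return 1
    fi
    last=$(grep '^-----BEGIN ' "$f" | tail -n 1)
    case "$last" in
        *"PRIVATE KEY-----") ;;
        *) echo "private key must be the last PEM block in $f"; return 1 ;;
    esac
    echo "ok: $certs certificate(s) followed by one unencrypted key in $f"
}

# Optional: confirm the key belongs to the first (server) certificate by
# comparing the public keys openssl derives from each. openssl reads the
# first CERTIFICATE block and the first private key block it finds.
cockpit_key_matches_cert() {
    f="$1"
    command -v openssl >/dev/null || { echo "openssl not installed, key/cert match not checked"; return 0; }
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$f" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "private key in $f does not match the server certificate"; return 1; }
    echo "ok: key matches the server certificate in $f"
}

# With paths as arguments, check each one; with none (e.g. when sourced),
# only define the functions above.
for f in "$@"; do
    cockpit_check_cert "$f" && cockpit_key_matches_cert "$f"
done
```

<p>Run it as root with the file to inspect as an argument, for instance after the
    certmonger command above has written <code class="code">50-from-certmonger.cert</code>.
    <code class="code">cockpit_pick_cert</code> predicts which file will be chosen; compare its
    answer with <code class="code">remotectl certificate</code>, which reports the file
    <code class="code">cockpit-ws</code> itself selected.</p>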
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="https-compat"></a>SSL Versions and Ciphers</h2></div></div></div>
<p>By default Cockpit will only use modern secure ciphers and versions of TLS.
      In particular SSL v3.0 is disabled by default, as well as the RC4 cipher.</p>
<p>If you need to enable these legacy protocols and algorithms for old clients,
      you can do so by passing an environment variable to <code class="code">cockpit-ws</code>;
      be aware that this re-enables a protocol and a cipher with known weaknesses for
      every client, not only the old ones. Place the following in the
      <code class="code">/etc/systemd/system/cockpit.service.d/ssl.conf</code> file, creating
      the file and any directories in that path which don't already exist, then run
      <code class="code">systemctl daemon-reload</code> and restart
      <code class="code">cockpit.service</code> so that the variable reaches the process:</p>
<pre class="programlisting">
[Service]
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:%COMPAT
</pre>
<p>The environment variable value is a
      <a class="ulink" href="http://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings" target="_top">GnuTLS priority string</a>.</p>
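<p>As an added example (not code from this guide or from the cockpit project), the
      following shell functions write that drop-in with the guide's legacy priority string
      next to a stricter one that starts from GnuTLS <code class="code">NORMAL</code> and
      additionally refuses SSL 3.0, TLS 1.0 and TLS 1.1, validate the string with
      <code class="code">gnutls-cli</code> when it is installed, reload systemd, and then probe
      which protocol versions the running <code class="code">cockpit-ws</code> accepts using
      <code class="code">openssl s_client</code>. The strict string and the function names are
      the example's own choices, not cockpit defaults.</p>

```shell
#!/bin/sh
# Added example, not part of the Cockpit guide or the cockpit project.
# Writes the systemd drop-in the guide describes, with the guide's legacy
# priority string next to a stricter one, and probes which protocol versions
# a running cockpit-ws actually accepts.
# Assumptions: the unit is cockpit.service; GnuTLS priority keywords
# VERS-SSL3.0/VERS-TLS1.0/VERS-TLS1.1; gnutls-cli and openssl are optional.
# The strict string is an illustration, not a cockpit default.

# The guide's string: re-enables SSL 3.0 and RC4 for old clients.
COCKPIT_TLS_LEGACY='NORMAL:%COMPAT'
# A stricter choice: GnuTLS NORMAL minus SSL 3.0, TLS 1.0 and TLS 1.1.
COCKPIT_TLS_STRICT='NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1'

# Write DIR/ssl.conf (DIR defaults to the guide's drop-in directory) and
# print its path. Does not touch systemd; see cockpit_tls_apply.
cockpit_tls_dropin() {
    priority="$1"
    dir="${2:-/etc/systemd/system/cockpit.service.d}"
    mkdir -p "$dir"
    printf '[Service]\nEnvironment=G_TLS_GNUTLS_PRIORITY=%s\n' "$priority" > "$dir/ssl.conf"
    printf '%s\n' "$dir/ssl.conf"
}

# Read the priority string back out of a drop-in file.
cockpit_tls_dropin_priority() {
    sed -n 's/^Environment=G_TLS_GNUTLS_PRIORITY=//p' "$1"
}

# Let GnuTLS itself parse the string (a typo would otherwise only surface as
# a failed cockpit-ws start), write the drop-in, and make systemd re-read it.
# The variable is read at process start, so the service must be restarted.
cockpit_tls_apply() {
    priority="$1"
    if command -v gnutls-cli >/dev/null; then
        gnutls-cli --priority "$priority" --list >/dev/null || return 1
    fi
    cockpit_tls_dropin "$priority" >/dev/null
    systemctl daemon-reload && systemctl restart cockpit.service
}

# Attempt one handshake per protocol version and report which ones the
# server accepts. A version the local openssl build cannot speak also shows
# up as rejected, so compare against a known-good server when in doubt.
cockpit_tls_probe() {
    host="${1:-localhost}"; port="${2:-9090}"
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$host:$port" "-$v" </dev/null >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: rejected"
        fi
    done
}
```

<p>Run <code class="code">cockpit_tls_apply "$COCKPIT_TLS_STRICT"</code> as root, then
      <code class="code">cockpit_tls_probe host 9090</code> from a client machine:
      <code class="code">tls1</code> and <code class="code">tls1_1</code> should report
      <code class="code">rejected</code>. The same probe against the
      <code class="code">NORMAL:%COMPAT</code> drop-in shows what the compatibility setting
      re-enables on your GnuTLS version.</p>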
</div>
</div>
<div class="footer"><hr></div>
</body>
</html>