Cockpit Guide
Cockpit usually requires that web browsers communicate with it using HTTPS, for security reasons.

Cockpit listens for both HTTP and HTTPS connections on the same port, 9090 by default. If a plain HTTP connection is made, Cockpit redirects it to HTTPS. There are two exceptions:

- If the HTTP connection comes from 127.0.0.0/8 (the loopback range), Cockpit serves it without redirecting to HTTPS.
- Certain URLs, such as /ping, are not required to use HTTPS.

This behavior can be overridden by setting the AllowUnencrypted option in the [WebService] section of cockpit.conf. With AllowUnencrypted=true, cockpit-ws accepts plain HTTP from any client, so login credentials and session cookies cross the network in the clear; only do this when something in front of Cockpit, such as a TLS-terminating reverse proxy, already encrypts the connection.
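To confirm the redirect behavior described above on a running instance, here is an added example written for this page (it is not part of the Cockpit project). It assumes curl is installed and the default port 9090; the host name cockpit.example.org is a placeholder.

```shell
#!/bin/sh
# Added example, not Cockpit project code: probe a Cockpit host over plain
# HTTP and classify the answer, to confirm that cockpit-ws redirects to
# HTTPS except for the documented exceptions (loopback source, /ping).
# Assumes curl is available and Cockpit listens on the default port 9090.

# Read an HTTP response header block from stdin and print one line:
#   redirect:<location>  for a 3xx answer carrying a Location header
#   plain                for a 2xx answer served without TLS
#   other:<status>       for anything else (4xx, 5xx, or no answer at all)
classify_response() {
    status="" location=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')     # strip CRLF line ends
        case "$line" in
            HTTP/*)        status=${line#* }; status=${status%% *} ;;
            [Ll]ocation:*) location=${line#*:}; location=${location# } ;;
        esac
    done
    case "$status" in
        30[1278]) printf 'redirect:%s\n' "$location" ;;
        2??)      printf 'plain\n' ;;
        *)        printf 'other:%s\n' "${status:-none}" ;;
    esac
}

# Send one plain-HTTP request and classify how cockpit-ws answered.
# Usage: probe_http http://cockpit.example.org:9090/
probe_http() {
    curl -sS -o /dev/null -D - --max-time 5 "$1" | classify_response
}

# Run these from a machine other than the Cockpit host; from the host
# itself the loopback exception applies and every path is served in the
# clear, which would hide a misconfiguration:
#   probe_http "http://cockpit.example.org:9090/"       (should redirect to https)
#   probe_http "http://cockpit.example.org:9090/ping"   (documented exception)
```

If the root path comes back as "plain" from a remote machine, AllowUnencrypted has been turned on; check cockpit.conf before assuming a reverse proxy is handling TLS.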
Cockpit loads its certificate from the /etc/cockpit/ws-certs.d directory. It uses the last file with a .cert extension in alphabetical order. The .cert file should contain at least two OpenSSL-style PEM blocks: first one or more BEGIN CERTIFICATE blocks for the server certificate and the intermediate certificate authorities, in that order, and last a block containing BEGIN PRIVATE KEY or similar (for example BEGIN RSA PRIVATE KEY). The key must not be encrypted, so the file holds the private key in cleartext and is protected only by its filesystem permissions; restrict them accordingly. For example:

-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIJAPXW+CuNYS6QMA0GCSqGSIb3DQEBCwUAMD8xKTAnBgNV
BAoMIGI0OGE2NGNkNmMwNTQ1YThhZTgxOTEzZDE5YmJjMmRjMRIwEAYDVQQDDAls
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIJAPXW+CuNYS6QMA0GCSqGSIb3DQEBCwUAMD8xKTAnBgNV
BAoMIGI0OGE2NGNkNmMwNTQ1YThhZTgxOTEzZDE5YmJjMmRjMRIwEAYDVQQDDAls
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyOJ5garOYw0sm
8TBCDSqQ/H1awGMzDYdB11xuHHsxYS2VepPMzMzryHR137I4dGFLhvdTvJUH8lUS
...
-----END PRIVATE KEY-----
If no certificate is found, a self-signed certificate is created and stored in the 0-self-signed.cert file. Because that name sorts before names starting with a higher digit or a letter, any certificate you add later (for example 50-from-certmonger.cert) takes precedence over it. On some platforms, Cockpit also generates a ca.crt in that directory, which may be safely imported into client browsers so that they trust the generated certificate.
To check which certificate cockpit-ws will use, run the following command:

$ sudo remotectl certificate
If using certmonger to manage certificates, the following command can be used to automatically prepare the concatenated .cert file. The -C post-save command runs again after every renewal, so the .cert file stays in sync with the certificate certmonger tracks:

CERT_FILE=/etc/pki/tls/certs/$(hostname).pem
KEY_FILE=/etc/pki/tls/private/$(hostname).key
getcert request -f ${CERT_FILE} -k ${KEY_FILE} -D $(hostname --fqdn) \
  -C "sed -n w/etc/cockpit/ws-certs.d/50-from-certmonger.cert ${CERT_FILE} ${KEY_FILE}"
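Whether the .cert file is assembled by hand or by the certmonger post-save command above, the same two questions come up: does the file have the layout cockpit-ws expects, and is it the one cockpit-ws will actually pick from the directory? The helpers below are an added example written for this page (not Cockpit project code). They assume the "last .cert in alphabetical order" rule is a byte-wise (C locale) sort; the file names 50-example.cert and 60-assembled.cert, and the PEM bodies produced by write_sample_dir, are placeholders constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Cockpit project code: assemble, check and locate the
# .cert file that cockpit-ws loads from /etc/cockpit/ws-certs.d.
# Assumption: "alphabetical order" means a byte-wise (LC_ALL=C) sort.

WS_CERTS_DIR=${WS_CERTS_DIR:-/etc/cockpit/ws-certs.d}

# Concatenate server certificate, intermediates (optional) and the
# unencrypted private key, in that order, into OUT. The file is created
# mode 0600 because the key sits in cleartext, guarded only by the filesystem.
# Usage: make_ws_cert OUT server.pem [intermediate.pem ...] server.key
make_ws_cert() {
    out=$1; shift
    (umask 077; cat "$@" > "$out")
}

# Verify that FILE has the layout the guide describes: at least one
# CERTIFICATE block, exactly one private key block, the key last, and the
# key not encrypted. Prints a reason and returns 1 on failure.
check_ws_cert() {
    f=$1
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    [ "$certs" -ge 1 ] || { echo "$f: no CERTIFICATE block"; return 1; }
    [ "$keys" -eq 1 ] || { echo "$f: expected one private key block, found $keys"; return 1; }
    # PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy ("Proc-Type: 4,ENCRYPTED")
    # encrypted keys both need a passphrase, which cockpit-ws cannot supply.
    if grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$f"; then
        echo "$f: private key is encrypted"; return 1
    fi
    case "$(grep '^-----BEGIN ' "$f" | tail -n 1)" in
        *"PRIVATE KEY"*) ;;
        *) echo "$f: private key must be the last PEM block"; return 1 ;;
    esac
    echo "$f: ok"
}

# Print the .cert file cockpit-ws will use from DIR: the last one in
# byte-wise alphabetical order. Returns 1 if there is no .cert file.
selected_ws_cert() {
    dir=${1:-$WS_CERTS_DIR}
    pick=$(for f in "$dir"/*.cert; do [ -e "$f" ] || continue; printf '%s\n' "$f"; done \
           | LC_ALL=C sort | tail -n 1)
    [ -n "$pick" ] || return 1
    printf '%s\n' "$pick"
}

# Constructed sample directory for trying the helpers offline. The PEM
# bodies are placeholders, not real certificates or keys.
write_sample_dir() {
    d=$1
    mkdir -p "$d"
    # what Cockpit generates when nothing else is present
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-self-signed' '-----END CERTIFICATE-----' \
        '-----BEGIN PRIVATE KEY-----' 'placeholder-key' '-----END PRIVATE KEY-----' \
        > "$d/0-self-signed.cert"
    # an admin-supplied chain (leaf, intermediate, key); sorts after 0-
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-leaf' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'placeholder-intermediate' '-----END CERTIFICATE-----' \
        '-----BEGIN PRIVATE KEY-----' 'placeholder-key' '-----END PRIVATE KEY-----' \
        > "$d/50-example.cert"
    # a legacy encrypted key, which cockpit-ws cannot load (.pem, so never selected)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-leaf' '-----END CERTIFICATE-----' \
        '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' '' 'placeholder-ciphertext' \
        '-----END RSA PRIVATE KEY-----' \
        > "$d/broken-encrypted.pem"
}
```

After installing a file, compare the output of selected_ws_cert with sudo remotectl certificate; the two should agree. Note that check_ws_cert only inspects PEM framing, so a file can pass it and still carry a certificate that does not match its key; openssl x509 and openssl pkey on the same file settle that.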
By default Cockpit only uses modern, secure ciphers and versions of TLS. In particular SSL 3.0 is disabled by default, as is the RC4 cipher.

If you must enable these legacy protocols and algorithms, you can do so by passing an environment variable to cockpit-ws. Place the following in the /etc/systemd/system/cockpit.service.d/ssl.conf file, creating the file and any directories in that path which don't already exist, then run systemctl daemon-reload and restart the cockpit service for the change to take effect:

[Service]
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:%COMPAT

The environment variable value is a GnuTLS priority string. Re-enabling SSL 3.0 or RC4 weakens every connection to cockpit-ws, not only those from the legacy client that needs them, so treat this as a temporary measure.
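The same drop-in mechanism can tighten the policy instead of loosening it. The helpers below are an added example written for this page (not Cockpit project code): they write the drop-in, read back the configured priority string, and flag strings that re-enable what Cockpit turns off by default. The optional ROOT prefix exists so the functions can be exercised against a scratch directory; HARDENED_PRIORITY is one reasonable TLS 1.2/1.3-only choice, not a Cockpit default.

```shell
#!/bin/sh
# Added example, not Cockpit project code: manage the systemd drop-in that
# sets cockpit-ws's GnuTLS priority string. ROOT (default empty, i.e. /)
# is a prefix so the helpers can be tried in a scratch directory.

DROPIN=etc/systemd/system/cockpit.service.d/ssl.conf

# The page's opt-in to legacy clients, and a stricter alternative
# (assumed choice, not a Cockpit default): TLS 1.2 and 1.3 only.
LEGACY_PRIORITY='NORMAL:%COMPAT'
HARDENED_PRIORITY='SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.2'

# Write Environment=G_TLS_GNUTLS_PRIORITY=<priority> into the drop-in.
# Usage: write_tls_dropin PRIORITY [ROOT]
write_tls_dropin() {
    prio=$1 root=${2:-}
    mkdir -p "$root/$(dirname "$DROPIN")"
    printf '[Service]\nEnvironment=G_TLS_GNUTLS_PRIORITY=%s\n' "$prio" > "$root/$DROPIN"
}

# Print the priority string configured in the drop-in, or "unset" when
# none is configured (cockpit-ws then uses glib-networking's default).
# Usage: read_tls_priority [ROOT]
read_tls_priority() {
    root=${1:-}
    p=""
    if [ -f "$root/$DROPIN" ]; then
        p=$(sed -n 's/^Environment=G_TLS_GNUTLS_PRIORITY=//p' "$root/$DROPIN" | tail -n 1)
    fi
    printf '%s\n' "${p:-unset}"
}

# Flag priority strings that bring back SSL 3.0, RC4 (ARCFOUR) or the
# compatibility/legacy profiles. Returns 0 and lists the offending tokens
# when the string is legacy, 1 when nothing suspicious is found.
priority_is_legacy() {
    found=""
    for tok in '%COMPAT' '+VERS-SSL3.0' '+ARCFOUR-128' '+ARCFOUR-40' 'LEGACY'; do
        case "$1" in *"$tok"*) found="$found $tok" ;; esac
    done
    [ -n "$found" ] || return 1
    printf 'legacy tokens:%s\n' "$found"
}
```

Typical use on the Cockpit host: write_tls_dropin "$HARDENED_PRIORITY", then systemctl daemon-reload and systemctl restart cockpit. gnutls-cli --priority "$HARDENED_PRIORITY" --list shows exactly which protocol versions and cipher suites a string allows, which is the quickest way to review a string before deploying it.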