SSL/TLS Usage

HTTPS Requirement
Certificates
SSL Versions and Ciphers

Cockpit usually requires that web browsers communicate with it using HTTPS, for security reasons.

HTTPS Requirement

Cockpit listens for both HTTP and HTTPS connections on the same port, by default 9090. If an HTTP connection is made, Cockpit will redirect that connection to HTTPS. There are some exceptions:

  • If an HTTP connection comes from 127.0.0.0/8, then Cockpit will allow communication without redirecting to HTTPS.

  • Certain URLs, like /ping are not required to use HTTPS.

This behavior can be overridden by setting the AllowUnencrypted option in cockpit.conf.

Certificates

Cockpit will load a certificate from the /etc/cockpit/ws-certs.d directory. It will use the last file with a .cert or .crt extension in alphabetical order. The file should contain one or more OpenSSL style BEGIN CERTIFICATE blocks for the server certificate and the intermediate certificate authorities.

The private key can either be contained in the same .cert/.crt file as an additional BEGIN PRIVATE KEY or similar block, or in a separate file with the same name as the certificate, but with a .key suffix instead. The key must not be encrypted. For example, a merged file looks like this:

-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIJAPXW+CuNYS6QMA0GCSqGSIb3DQEBCwUAMD8xKTAnBgNV
BAoMIGI0OGE2NGNkNmMwNTQ1YThhZTgxOTEzZDE5YmJjMmRjMRIwEAYDVQQDDAls
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIJAPXW+CuNYS6QMA0GCSqGSIb3DQEBCwUAMD8xKTAnBgNV
BAoMIGI0OGE2NGNkNmMwNTQ1YThhZTgxOTEzZDE5YmJjMmRjMRIwEAYDVQQDDAls
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyOJ5garOYw0sm
8TBCDSqQ/H1awGMzDYdB11xuHHsxYS2VepPMzMzryHR137I4dGFLhvdTvJUH8lUS
...
-----END PRIVATE KEY-----

Note that for EC keys, the BEGIN EC PARAMETERS block must occur before the BEGIN EC PRIVATE KEY block (this is how OpenSSL, LetsEncrypt, etc. generate the key files).

If no certificate is found, a self-signed certificate is created and stored in the 0-self-signed.cert file. On some platforms, Cockpit will also generate a ca.crt in that directory, which may be safely imported into client browsers.

To check which certificate cockpit-ws will use run the following command.

$ sudo remotectl certificate

If using certmonger to manage certificates, following command can be used to automatically prepare concatenated .cert file:

CERT_FILE=/etc/pki/tls/certs/$(hostname).pem
KEY_FILE=/etc/pki/tls/private/$(hostname).key

getcert request -f ${CERT_FILE} -k ${KEY_FILE} -D $(hostname --fqdn) -C "sed -n w/etc/cockpit/ws-certs.d/50-from-certmonger.cert ${CERT_FILE} ${KEY_FILE}"
    

SSL Versions and Ciphers

By default Cockpit will only use modern secure ciphers and versions of TLS. In particular SSL v3.0 is disabled by default, as well as the RC4 cipher.

If you wish to enable these legacy protocols and algorithms you can do so by passing an environment variable to cockpit-ws. Place the following in the /etc/systemd/system/cockpit.service.d/ssl.conf file. Create the file and directories in that path which don't already exist.

[Service]
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:%COMPAT

The environment variable value is a GnuTLS priority string.