Project

General

Profile

Actions

Idea #18338

open

"arvados-server init" can use a local root CA to sign certificates

Added by Tom Clegg almost 3 years ago. Updated 7 months ago.

Status:
New
Priority:
Normal
Assigned To:
-
Category:
-
Target version:
Start date:
Due date:
Story points:
-
Release:
Release relationship:
Auto

Description

When running "arvados-server init" the operator should have the option1 to generate a root CA, use it to sign TLS certificates for all Arvados web services that use TLS, and make the root CA certificate available so users can configure their browsers / command line tools to trust it.

arvados-server init may provide the option, but arvados-server boot should implement the certificate handling. It will be common for users to migrate to/from Let's Encrypt or some other trusted CA, and this will be done by updating config.yml, not by running init again.

Currently "arvados-server boot" uses a local root CA to sign certificates, but the root CA does not persist after a restart, and there is no documented/easy way for users to get the root certificate.

1 This should be the default behavior if no other certificate strategy is selected/available.


Related issues

Related to Arvados Epics - Idea #18337: Easy install via OS packageIn ProgressActions
Actions #1

Updated by Tom Clegg almost 3 years ago

  • Related to Idea #18337: Easy install via OS package added
Actions #2

Updated by Peter Amstutz over 1 year ago

  • Release set to 60
Actions #3

Updated by Peter Amstutz 7 months ago

  • Target version set to Future
Actions

Also available in: Atom PDF