Idea #18338

open

"arvados-server init" can use a local root CA to sign certificates

Added by Tom Clegg about 3 years ago. Updated 9 months ago.

Status: New
Priority: Normal
Assigned To: -
Category: -
Target version:
Start date:
Due date:
Story points: -
Release:
Release relationship: Auto

Description

When running "arvados-server init" the operator should have the option [1] to generate a root CA, use it to sign TLS certificates for all Arvados web services that use TLS, and make the root CA certificate available so users can configure their browsers / command line tools to trust it.

arvados-server init may provide the option, but arvados-server boot should implement the certificate handling. It will be common for users to migrate to/from Let's Encrypt or some other trusted CA, and this will be done by updating config.yml, not by running init again.

Currently "arvados-server boot" uses a local root CA to sign certificates, but the root CA does not persist after a restart, and there is no documented/easy way for users to get the root certificate.

[1] This should be the default behavior if no other certificate strategy is selected/available.


Related issues

Related to Arvados Epics - Idea #18337: Easy entry into Arvados ecosystem (New, 01/01/2025, 06/30/2025)

#1

Updated by Tom Clegg about 3 years ago

  • Related to Idea #18337: Easy entry into Arvados ecosystem added
#2

Updated by Peter Amstutz almost 2 years ago

  • Release set to 60
#3

Updated by Peter Amstutz 9 months ago

  • Target version set to Future