Link to zeebe-ssl-certificate flag in the Deploy your first diagram guide

[MaxTru]

What to do?

Link to zeebe-ssl-certificate flag from the deploy your first diagram guide

Why to do it?

Users in self-managed setups might fail to deploy diagrams from desktop modeler because they have not configured ssl certificate. Probably they would try to find out how to deploy reading this guide.

I think a brief link to the ssl certificate flag in this guide would be helpful to overcome this.

[MaxTru]

WDYT @barmac ?

[barmac]

I think this makes sense.

[barmac]

I can imagine this as a note on top:

In case you want to deploy to Camunda Platform 8 Self-Managed with a custom SSL certificate, there is a flag which allows to configure it.

[MaxTru]

Do you know, if this is the default case now for customers that have self-managed with Identity set-up? Or will our self-managed installation with Identity "just work"?

[barmac]

I don't know, I haven't tried Identity setup yet. There is however an issue on deployment problems for this: camunda/camunda-modeler#3152

[MaxTru]

I think we should try this typical end-2-end use-case first. This will allow us to better organize our Docs.

[rob2universe]

camunda/camunda-modeler#3152 also occurs without ssl

[akeller]

This should be covered in the SM guide - https://docs.camunda.io/docs/next/self-managed/modeler/desktop-modeler/deploy-to-self-managed/

[nikku]

@akeller Something along these lines? #2052

[akeller]

Do you know if we need to mention self-signed certs specifically, or would this apply to any cert? Self-signed certs can make enterprise IT team nervous.

IMO the proposed PR meets the needs and scope of this issue and would close it out.

[nikku]

Self-signed certs can make enterprise IT team nervous.

What exactly makes who nervous? Most enterprise IT will have some sort of self-signed root in their chain from which all sorts of trust is inherited. We're seeing this from many customers, across the board: Self-signed root + intermediate + server certificates derived from that.

[nikku]

Potential improvement: 5819885.

[akeller]

In my experience, getting a cert from a trusted CA is strongly preferred. Self-signed can imply the connection is insecure. Even internally at Camunda, IT asks us not to use self-signed certs. This may be new or due to an update in security scanning tools. This is why I'm asking, just to clarify.

I like your improvement! Gets us away from language that potential customers may focus on as supporting an "insecure" path.

[nikku]

Will update the PR (backport changes where necessary). Let's improve this bit and close this issue.