diff --git a/src/main/_config.yml b/src/main/_config.yml
index 9c21839f1a..e343f0b419 100644
--- a/src/main/_config.yml
+++ b/src/main/_config.yml
@@ -54,7 +54,7 @@ asciidoc_attributes: &asciidoc_attributes
 prod-cli: chectl
 orch-cli: kubectl
 prod-checluster: eclipse-che
- prod-namespace: default
+ prod-namespace: che
 prod-url: http(s)://che-host:che-port
 prod-url-secure: http(s)://che-che
 prod-host: che-host
diff --git a/src/main/pages/che-7/installation-guide/assembly_installing-che-in-tls-mode-with-self-signed-certificates.adoc b/src/main/pages/che-7/installation-guide/assembly_installing-che-in-tls-mode-with-self-signed-certificates.adoc
index ad513753ae..906bba94c4 100644
--- a/src/main/pages/che-7/installation-guide/assembly_installing-che-in-tls-mode-with-self-signed-certificates.adoc
+++ b/src/main/pages/che-7/installation-guide/assembly_installing-che-in-tls-mode-with-self-signed-certificates.adoc
@@ -16,30 +16,27 @@ summary: :context: installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates -WARNING: This guide is for development only. Do not use self-signed certificates in production. +The following section describes the deployment and configuration of {prod-short} with self-signed certificates. Self-signed certificates are certificates that are not signed by a commonly trusted certificate authority (CA), but instead signed by a locally created CA. Self-signed certificates are not trusted by default. For example, when a website owner uses a self-signed certificate to provide HTTPS services, users who visit that website see a warning in their browser. -The following section describes the deployment and configuration of {prod} for use in TLS mode with self-signed certificates. It consists of following steps: +WARNING: Self-signed certificates are usually used in development and evaluation environments. Use in production environments is not recommended. -. link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#generating-self-signed-certificates_installing-che-in-tls-mode-with-self-signed-certificates[Generate needed keys and certificates if needed] +ifeval::["{project-context}" == "che"] +{prod-short} can be deployed on: -. 
Prepare target deployment environment (one of the following): -+ -* link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#deploying-{prod-id-short}-with-self-signed-tls-on-kubernetes_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[Minikube] (Kubernetes) + * Kubernetes-family infrastructures + * OpenShift-family infrastructures +endif::[] -* link:{site-baseurl}che-7/installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates/#deploying-{prod-id-short}-with-self-signed-tls-on-openshift3-using-operator_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[Minishift] (OpenShift 3) +include::proc_generating-self-signed-tls-certificates.adoc[leveloffset=+1] -* link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#deploying-{prod-id-short}-with-self-signed-tls-on-openshift4-using-operator_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[CodeReady Containers] (OpenShift 4) +ifeval::["{project-context}" == "che"] +include::proc_deploying-che-with-self-signed-tls-certificates-on-kubernetes.adoc[leveloffset=+1] +endif::[] -. 
link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#using-{prod-id-short}-with-tls_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[Configure the browser] +include::proc_deploying-che-with-self-signed-tls-certificates-on-openhift-4.adoc[leveloffset=+1] -include::proc_deploying-che-with-self-signed-tls-on-openhift4-using-operator.adoc[leveloffset=+1] +include::proc_deploying-che-with-self-signed-tls-certificates-on-openhift-3.adoc[leveloffset=+1] -include::proc_deploying-che-with-self-signed-tls-on-kubernetes.adoc[leveloffset=+1] - -include::proc_deploying-che-with-self-signed-tls-on-openhift3-using-operator.adoc[leveloffset=+1] - -include::proc_generating-self-signed-certificates.adoc[leveloffset=+1] - -include::proc_using-che-with-tls.adoc[leveloffset=+1] +include::proc_importing-self-signed-tls-certificates-to-browsers.adoc[leveloffset=+1] :context: {parent-context-of-installing-che-in-tls-mode-with-self-signed-certificates} diff --git a/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-certificates-on-kubernetes.adoc b/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-certificates-on-kubernetes.adoc new file mode 100644 index 0000000000..0e1f3c8a01 --- /dev/null +++ b/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-certificates-on-kubernetes.adoc 
@@ -0,0 +1,64 @@ +// Module included in the following assemblies: +// +// installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates + +[id="deploying-{prod-id-short}-with-self-signed-tls-certificates-on-kubernetes_{context}"] += Deploying {prod-short} with self-signed TLS certificates on Kubernetes + +This section describes how to deploy {prod-short} on Kubernetes (including Minikube) with self-signed TLS certificates. + +By default, {prod-short} is deployed on Kubernetes infratructures with a self-signed certificate that is generated automatically during the {prod-short} installation process. There are no additional prerequisites for the deployment. + +To deploy {prod-short} with a self-signed certificate generated by the user, create a namespace for {prod-short} before the deployment and two secrets in it: + +* The TLS secret: `che-tls`, which holds the server TLS certificate and key (using the `tls.crt` and `tls.key` files). This secret is signed by the self-signed CA certificate. `che-tls` is the default name of the {prod-short} server TLS secret. This can be changed in the configuration. + +* The public part of the self-signed CA certificate: `self-signed-certificate`, an opaque secret (based on the `ca.crt` key). + +To deploy {prod-short} with a commonly trusted TLS certificate, it is required to create a single `che-tls` secret in the corresponding namespace. + +WARNING: When intending to use a commonly trusted TLS certificate for the {prod-short} deployment, do not create the `self-signed-certificate` secret. {prod-short} detects that data from the `che-tls` secret does not match and replaces both secrets with autogenerated data. + + +.Prerequisites + +* A running Kubernetes instance, version 1.9 or higher. +* All required keys and certificates. See xref:generating-self-signed-tls-certificates_{context}[]. + + +.Procedure + +. 
Pre-create a namespace for {prod-short}: ++ +[subs="+quotes,attributes"] +---- +$ kubectl create namespace {prod-namespace} +---- + +. Create a secret with the domain key and the certificate: ++ +[subs="+quotes,attributes"] +---- +$ kubectl create secret tls che-tls --key=domain.key --cert=domain.crt -n {prod-namespace} +---- + +. Create a secret from the CA certificate: ++ +[subs="+quotes,attributes"] +---- +$ kubectl create secret generic self-signed-certificate --from-file=ca.crt -n {prod-namespace} +---- + +. Deploy {prod-short} using `{prod-cli}`: ++ +[subs="+quotes,attributes"] +---- +$ {prod-cli} server:start --platform=k8s +---- ++ +When using Minikube, substitute `k8s` in the above command with `minikube`. + + +.Additional resources + +* xref:importing-self-signed-tls-certificates-to-browsers_{context}[] diff --git a/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-certificates-on-openhift-3.adoc b/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-certificates-on-openhift-3.adoc new file mode 100644 index 0000000000..1f610ced68 --- /dev/null +++ b/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-certificates-on-openhift-3.adoc 
@@ -0,0 +1,66 @@ +// Module included in the following assemblies: +// +// installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates + +[id="deploying-{prod-id-short}-with-self-signed-tls-certificates-on-openshift-3_{context}"] += Deploying {prod-short} with self-signed TLS certificates on OpenShift 3 + +This section describes how to deploy {prod-short} with self-signed TLS certificates generated by the user on the OpenShift 3 platform. + +NOTE: This method involves reconfiguration of OpenShift router to use user-provided TLS certificates. + + +.Prerequisites + +* A running OpenShift 3 instance, version 3.11 or higher. +* All required keys and certificates. See xref:generating-self-signed-tls-certificates_{context}[]. + + +.Procedure + +. Log in to the default OpenShift project: ++ +---- +$ oc login -u system:admin --insecure-skip-tls-verify=true +$ oc project default +---- + +. Reconfigure the router with the generated certificate: ++ +[subs="+quotes,+attributes"] +---- +$ oc delete secret router-certs +$ cat domain.crt domain.key > openshift.crt +$ oc create secret tls router-certs --key=domain.key --cert=openshift.crt +$ oc rollout latest router +---- + +. Create a namespace for {prod-short}: ++ +[subs="+quotes,+attributes"] +---- +$ oc create namespace {prod-namespace} +---- + +. Create a secret from the CA certificate: ++ +[subs="+quotes,+attributes"] +---- +$ oc create secret generic self-signed-certificate --from-file=ca.crt -n={prod-namespace} +---- + +. Deploy {prod-short} using `{prod-cli}`. {prod} is installed with TLS mode by default: ++ +[subs="+quotes,+attributes"] +---- +$ {prod-cli} server:start --platform=openshift --installer=operator +---- +ifeval::["{project-context}" == "che"] ++ +When using Minishift, substitute `openshift` in the above command with `minishift`. +endif::[] + + +.Additional resources + +* xref:importing-self-signed-tls-certificates-to-browsers_{context}[] 
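Review bot: The first procedure step logs in with `oc login -u system:admin --insecure-skip-tls-verify=true`, which turns off verification of the API server certificate in a guide whose purpose is establishing TLS trust, and the step does not say so. Where the cluster CA file is available, `oc login --certificate-authority=<path-to-cluster-ca>` keeps verification on; otherwise add a NOTE that the flag is acceptable only on a local evaluation cluster. In the router step, `cat domain.crt domain.key > openshift.crt` leaves a second copy of the private key in a file named like a certificate, so the step should tell the reader to restrict its permissions or remove it once `oc rollout latest router` has completed. The same step deletes `router-certs` before the replacement exists, so a failed `create` leaves the router without a certificate; a sentence on saving the old secret first would help.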
diff --git a/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-certificates-on-openhift-4.adoc b/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-certificates-on-openhift-4.adoc
new file mode 100644
index 0000000000..f85cc2111a
--- /dev/null
+++ b/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-certificates-on-openhift-4.adoc
@@ -0,0 +1,62 @@ +// Module included in the following assemblies: +// +// installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates + +[id="deploying-{prod-id-short}-with-self-signed-tls-certificates-on-openshift-4_{context}"] += Deploying {prod-short} with self-signed TLS certificates on OpenShift 4 + +This section describes how to deploy {prod-short} with self-signed TLS certificates on a local OpenShift 4 cluster. + +{prod-short} uses a default router certificate to secure its endpoints. Therefore, it depends on the OpenShift cluster configuration whether a self-signed certificate is used or not. {prod-short} automatically detects if the OpenShift default router uses a self-signed certificate by analyzing its certificate chain. + + +.Prerequisites + +* A running OpenShift 4 instance, version 4.2 or higher. +* All required keys and certificates. See xref:generating-self-signed-tls-certificates_{context}[]. + + +.Procedure + +. Log in to the default OpenShift project: ++ +[subs="+quotes"] +---- +$ oc login -u _ -p __ +---- + +. Get the OpenShift 4 self-signed certificate: ++ +[subs="+quotes"] +---- +$ oc get secret router-ca -n openshift-ingress-operator -o jsonpath="{.data.tls\.crt}" | \ + base64 -d > ca.crt +---- + +. Pre-create a namespace for {prod-short}: ++ +[subs="+quotes"] +---- +$ oc create namespace {prod-namespace} +---- + +. Create a secret from the CA certificate: ++ +[subs="+quotes"] +---- +$ oc create secret generic self-signed-certificate --from-file=ca.crt -n={prod-namespace} +---- + +. Deploy {prod-short} using `{prod-cli}`: ++ +[subs="+quotes,+attributes"] +---- +$ {prod-cli} server:start --platform=openshift --installer=operator +---- ++ +When using CodeReady Containers, substitute `openshift` in the above command with `crc`. + + +.Additional resources + +* xref:importing-self-signed-tls-certificates-to-browsers_{context}[] 
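Review bot: The `oc create namespace {prod-namespace}` and `oc create secret generic self-signed-certificate --from-file=ca.crt -n={prod-namespace}` blocks are declared with `[subs="+quotes"]`, so attribute substitution is not enabled for them and the rendered page will most likely show the literal text `{prod-namespace}` instead of the namespace. The Kubernetes and OpenShift 3 modules in this commit enable attributes on the equivalent blocks; these two should read `[subs="+quotes,+attributes"]`. The login step also passes the password with `-p` on the command line, which leaves it in shell history; consider showing `oc login -u <username>` and letting `oc` prompt for it.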
diff --git a/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-on-kubernetes.adoc b/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-on-kubernetes.adoc deleted file mode 100644 index 6a6c329b1d..0000000000 --- a/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-on-kubernetes.adoc +++ /dev/null @@ -1,45 +0,0 @@ -// Module included in the following assemblies: -// -// setup-{prod-id-short}-in-tls-mode - -[id="deploying-{prod-id-short}-with-self-signed-tls-on-kubernetes_{context}"] -= Deploying {prod-short} with self signed TLS certificates on Kubernetes - -This section describes how to deploy {prod-short} with self-signed TLS certificates on the Kubernetes platform. - - -.Prerequisites - -* A running Kubernetes instance, version 1.9 or higher -* link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#generating-self-signed-certificates_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[Have all required keys and certificates generated] - - -.Procedure - -. Pre-create a namespace for {prod-short}: -+ -[subs="+quotes"] ----- -$ kubectl create namespace che ----- - -. Create a secret with the domain key and the certificate: -+ -[subs="+quotes"] ----- -$ kubectl create secret tls che-tls --key=domain.key --cert=domain.crt -n che ----- - -. Create a secret from the CA certificate: -+ -[subs="+quotes"] ----- -$ kubectl create secret generic self-signed-certificate --from-file=ca.crt -n che ----- - -. Deploy {prod-short} using `{prod-cli}`: -+ -[subs="+quotes,+attributes"] ----- -$ {prod-cli} server:start --platform=minikube --installer=operator --self-signed-cert ----- 
diff --git a/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-on-openhift3-using-operator.adoc b/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-on-openhift3-using-operator.adoc
deleted file mode 100644
index 995e3175c1..0000000000
--- a/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-on-openhift3-using-operator.adoc
+++ /dev/null
@@ -1,55 +0,0 @@ -// Module included in the following assemblies: -// -// setup-{prod-id-short}-in-tls-mode - -[id="deploying-{prod-id-short}-with-self-signed-tls-on-openshift3-using-operator_{context}"] -= Deploying {prod-short} with self-signed TLS certificates on OpenShift 3 using Operator - -This section describes how to deploy {prod-short} with self-signed TLS certificates on the OpenShift 3 platform. - - -.Prerequisites - -* A running OpenShift instance, version 3.11 or higher -* link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#generating-self-signed-certificates_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[Have all required keys and certificates generated] - -.Procedure - -. Log in to the default OpenShift project: -+ -[subs="+quotes"] ----- -$ oc login -u system:admin --insecure-skip-tls-verify=true -$ oc project default ----- - -. Re-configure the router with the generated certificate: -+ -[subs="+quotes,+attributes"] ----- -$ oc delete secret router-certs -$ cat domain.crt domain.key > minishift.crt -$ oc create secret tls router-certs --key=domain.key --cert=minishift.crt -$ oc rollout latest router ----- - -. Pre-create a namespace for {prod-short}: -+ -[subs="+quotes,+attributes"] ----- -$ oc create namespace che ----- - -. Create a secret from the CA certificate: -+ -[subs="+quotes,+attributes"] ----- -$ oc create secret generic self-signed-certificate --from-file=ca.crt -n=che ----- - -. Deploy {prod-short} using `{prod-cli}`. {prod} is installed with TLS mode by default: -+ -[subs="+quotes,+attributes"] ----- -$ {prod-cli} server:start --platform=minishift --installer=operator --self-signed-cert ----- diff --git a/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-on-openhift4-using-operator.adoc b/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-on-openhift4-using-operator.adoc deleted file mode 100644 index d5390960aa..0000000000 
--- a/src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-on-openhift4-using-operator.adoc +++ /dev/null @@ -1,56 +0,0 @@ -// Module included in the following assemblies: -// -// setup-{prod-id-short}-in-tls-mode - -[id="deploying-{prod-id-short}-with-self-signed-tls-on-openshift4-using-operator_{context}"] -= Deploying {prod-short} with self-signed TLS certificates on OpenShift 4 using Operator - -This section describes how to deploy {prod-short} with self-signed TLS certificates on OpenShift Container Platform 4. To do that: - -. Generate an OpenShift certificate. -. Use it when deploying {prod-short}. -. Import it into a browser. - - -.Prerequisites - -* A running OpenShift instance, version 4 or higher -* link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#generating-self-signed-certificates_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[Have all required keys and certificates generated] - -.Procedure - -. Log in to the default OpenShift project: -+ -[subs="+quotes"] ----- -$ oc login -u kubeadmin -p __ ----- - -. Get the OpenShift 4 self-signed certificate: -+ -[subs="+quotes"] ----- -$ oc get secret router-ca -n openshift-ingress-operator -o jsonpath="{.data.tls\.crt}" | \ - base64 -d > ca.crt ----- - -. Pre-create a namespace for {prod-short}: -+ -[subs="+quotes"] ----- -$ oc create namespace che ----- - -. Create a secret from the CA certificate: -+ -[subs="+quotes"] ----- -$ oc create secret generic self-signed-certificate --from-file=ca.crt -n=che ----- - -. Deploy {prod-short} using `{prod-cli}`: -+ -[subs="+quotes,+attributes"] ----- -$ {prod-cli} server:start --platform=crc --installer=operator --self-signed-cert ----- 
diff --git a/src/main/pages/che-7/installation-guide/proc_generating-self-signed-certificates.adoc b/src/main/pages/che-7/installation-guide/proc_generating-self-signed-tls-certificates.adoc similarity index 74% rename from src/main/pages/che-7/installation-guide/proc_generating-self-signed-certificates.adoc rename to src/main/pages/che-7/installation-guide/proc_generating-self-signed-tls-certificates.adoc index dcd37109e2..00204318ee 100644 --- a/src/main/pages/che-7/installation-guide/proc_generating-self-signed-certificates.adoc +++ b/src/main/pages/che-7/installation-guide/proc_generating-self-signed-tls-certificates.adoc @@ -1,8 +1,8 @@ // Module included in the following assemblies: // -// setup-{prod-id-short}-in-tls-mode +// installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates -[id="generating-self-signed-certificates_{context}"] +[id="generating-self-signed-tls-certificates_{context}"] = Generating self-signed TLS certificates This section describes how to prepare self-signed TLS certificates to use with {prod-short} on different platforms. @@ -10,18 +10,20 @@ This section describes how to prepare self-signed TLS certificates to use with { .Prerequisites -* The expected domain name where {prod-short} deployment is planned: +* The expected domain name where the {prod-short} deployment is planned. +ifeval::["{project-context}" == "che"] + .Expected (default) domain names [options="header"] |=== | Platform | Default domain -| Minishift | `$( minishift ip ).nip.io` -| Minikube | `$( minikube ip ).nip.io` +| Minishift | `$(minishift ip).nip.io` +| Minikube | `$(minikube ip).nip.io` | CodeReady Containers | `apps-crc.testing` |=== +endif::[] -* The location of the `openssl.cnf` file on the target machine: +* The location of the `openssl.cnf` file on the target machine. + .Usual OpenSSL configuration file locations [options="header"] 
@@ -35,30 +37,32 @@ This section describes how to prepare self-signed TLS certificates to use with { . Set the necessary environment variables: + -[subs="+attributes,+quotes"] +[subs="+attributes,quotes"] ---- $ CA_CN="Local {prod} Signer" $ DOMAIN=*.____ $ OPENSSL_CNF=____ ---- +ifeval::["{project-context}" == "che"] + -.Example with Minikube on Fedora 31 -[subs="+attributes,+quotes"] +.Example with Minikube on Fedora +[subs="+attributes,quotes"] ---- $ CA_CN="Local {prod} Signer" $ DOMAIN=\*.$( minikube ip ).nip.io $ OPENSSL_CNF=/etc/pki/tls/openssl.cnf ---- + -.Example with crc on OSX +.Example with CodeReady Containers on macOS [subs="+attributes,quotes"] ---- $ export CA_CN="Local {prod} Signer" $ export DOMAIN=*.apps-crc.testing $ export OPENSSL_CNF=/System/Library/OpenSSL/openssl.cnf ---- +endif::[] -. Generate the root CA key. Add the `-des3` parameter to use a passphrase: +. Generate the root Certificate Authority (CA) key. Add the `-des3` parameter to use a passphrase: + [subs="+quotes"] ---- @@ -91,7 +95,7 @@ $ openssl genrsa -out domain.key 2048 . Generate the certificate signing request for the domain: + -[subs="+quotes"] +[subs="+attributes,quotes"] ---- $ openssl req -new -sha256 \ -key domain.key \ @@ -117,5 +121,8 @@ $ openssl x509 \ -CAcreateserial -out domain.crt ---- -This procedure allows to use `domain.crt` and `domain.key` for TLS Route and Ingress, and link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#using-che-with-tls_{context}[`ca.crt` for importing into browsers]. +This procedure allows to use `domain.crt` and `domain.key` for TLS Route and Ingress, and `ca.crt` for importing into browsers. + +.Additional resources +* xref:importing-self-signed-tls-certificates-to-browsers_{context}[] 
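Review bot: The reworded step "Generate the root Certificate Authority (CA) key. Add the `-des3` parameter to use a passphrase" still points readers at Triple DES for encrypting the root CA key; `openssl genrsa` also accepts `-aes256`, which is the better option to document. Because this key signs the CA that every browser importing `ca.crt` ends up trusting, the sentence should present the passphrase as the recommended path, for example "Add the `-aes256` parameter to protect the key with a passphrase". The command block for this step lies outside the hunk. In the last hunk on this line, "This procedure allows to use" reads better as "This procedure produces `domain.crt` and `domain.key` for the TLS Route and Ingress, and `ca.crt` for importing into browsers."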
diff --git a/src/main/pages/che-7/installation-guide/proc_importing-self-signed-tls-certificates-to-browsers.adoc b/src/main/pages/che-7/installation-guide/proc_importing-self-signed-tls-certificates-to-browsers.adoc
new file mode 100644
index 0000000000..1be28ceb92
--- /dev/null
+++ b/src/main/pages/che-7/installation-guide/proc_importing-self-signed-tls-certificates-to-browsers.adoc
@@ -0,0 +1,98 @@ +// Module included in the following assemblies: +// +// installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates + +[id="importing-self-signed-tls-certificates-to-browsers_{context}"] += Importing self-signed TLS certificates to browsers + +This section describes how to import a root certificate authority into a web browser to use {prod-short} with self-signed TLS certificates. + +When a TLS certificate is not trusted, the error message *Authorization token is missing. Click here to reload page* blocks the login process. To prevent this, add the public part of the self-signed CA certificate into the browser after installing {prod-short}. + + +== Getting the self-signed CA certificate from {prod-short} deployment + +When `{prod-cli}` is used to deploy {prod-short}, it exports a self-signed CA certificate into a `cheCA.crt` file to the current user home directory. To get the certificate, use one of the following two methods: + +* Exporty the certificate using the {prod-cli} command: ++ +[subs="+quotes,attributes"] +---- +$ {prod-cli} cacert:export +---- + +* Read the `self-signed-certificate` secret from the {prod-short} namespace: ++ +[subs="+quotes,attributes"] +---- +$ oc get secret self-signed-certificate -n {prod-namespace} +---- +ifeval::["{project-context}" == "che"] ++ +When using Kubernetes, substitute `oc` in the above command with `kubectl`. +endif::[] + + +== Adding certificates to Google Chrome on Linux or Windows + +.Procedure + +. Navigate to URL where {prod-short} is deployed. +. Save the certificate: +.. Click the lock icon on the left of the address bar. +.. Click *Certificates* and navigate to the *Details* tab. +.. Select the certificate to use and export it: ++ +* On Linux, click the btn:[Export] button. +* On Windows, click the btn:[Save to file] button. + +. Go to link:chrome://settings/certificates[Google Chrome Settings], then to the *Authorities* tab +. 
In the left panel, select *Advanced* and continue to *Privacy and security*. +. At the center of the screen, click *Manage certificates* and navigate to *Authorities* tab. +. Click the btn:[Import] button and open the saved certificate file. +. Select *Trust this certificate for identifying websites* and click the btn:[OK] button. +. After adding the {prod-short} certificate to the browser, the address bar displays the closed lock icon next to the URL, indicating a secure connection. + + +== Adding certificates to Google Chrome on macOS + +.Procedure + +. Navigate to URL where {prod-short} is deployed. +. Save the certificate: +.. Click the lock icon on the left of the address bar. +.. Click *Certificates*. +.. Select the certificate to use and drag and drop its displayed large icon to the desktop. +. Double-click the exported certificate to import it into Google Chrome. + + +== Adding certificates to Keychain Access for use with Safari on macOS + +.Procedure + +. Navigate to URL where {prod-short} is deployed. +. Save the certificate: +.. Click the lock icon on the right of the window title bar. +.. Select the certificate to use and drag and drop its displayed large icon to the desktop. +. Open the *Keychain Access* application. +. Select the *System* keychain and drag and drop the saved certificate file to it. +. Double-click the imported CA, then go to *Trust* and select *When using this certificate*: *Always Trust*. +. Restart Safari for the added certificated to take effect. + + +== Adding certificates to Firefox + +.Procedure + +. Navigate to URL where {prod-short} is deployed. +. Save the certificate: +.. Click the lock icon on the left of the address bar. +.. Click the btn:[>] button next to the *Connection not secure* warning. +.. Click the btn:[More information] button. +.. Click the btn:[View Certificate] button on the *Security* tab. +.. Click the *PEM (cert)* link and save the certificate. +. 
Navigate to link:about:preferences[about:preferences], search for `certificates`, and click *View Certificates*. +. Go to the *Authorities* tab, click the btn:[Import] button, and open the saved certificate file. +. Check *Trust this CA to identify websites* and click btn:[OK]. +. Restart Firefox for the added certificated to take effect. +. After adding the {prod-short} certificate to the browser, the address bar displays the closed lock icon next to the URL, indicating a secure connection. diff --git a/src/main/pages/che-7/installation-guide/proc_using-che-with-tls.adoc b/src/main/pages/che-7/installation-guide/proc_using-che-with-tls.adoc deleted file mode 100644 index 329e381d01..0000000000 --- a/src/main/pages/che-7/installation-guide/proc_using-che-with-tls.adoc +++ /dev/null 
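Review bot: The second retrieval method, `oc get secret self-signed-certificate -n {prod-namespace}`, only lists the secret and does not give the reader a certificate file to import. The OpenShift 4 module in this commit already shows the needed form; assuming the key is `ca.crt` as created by `--from-file=ca.crt`, the command would be `oc get secret self-signed-certificate -n {prod-namespace} -o jsonpath="{.data.ca\.crt}" | base64 -d > ca.crt`. The per-browser procedures then ignore that file and have the reader save whatever certificate the site presents over the still-untrusted connection, which gives no assurance that it is the deployment's CA; they should import the exported `cheCA.crt` or `ca.crt` instead. In the Chrome section, the step that opens `chrome://settings/certificates` is followed by two steps that reach the same *Authorities* tab through the menus, and "Exporty" and "added certificated" are typos.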
@@ -1,100 +0,0 @@ -// Module included in the following assemblies: -// -// setup-{prod-id-short}-in-tls-mode - -[id="using-{prod-id-short}-with-tls_{context}"] -= Using {prod-short} with TLS - -Self-signed certificates are certificates that are not signed by a certificate authority (CA). Self-signed certificates do not provide all of the security properties that certificates signed by a CA aim to provide. For example, when a website owner uses a self-signed certificate to provide HTTPS services, users who visit that website will see a warning in their browser. - -After installing {prod-short} on {ocp} with TLS support and a self-signed certificate, a user has to add a self-signed TLS certificate to the browser for each route exposed in {prod-short}. If they do not, the error message: *Authorization token is missing. Click here to reload page* will block the login process. - -This section describes how to import a root certificate authority into the browser to use {prod-short} with self-signed TLS certificates. - -== Adding Self-signed Certificates to Google Chrome on Linux or Windows OS - -.Procedure - -. On the left side of the Chrome browser URL address bar panel, click the `lock` icon, which represents the SSL/TLS status. -+ -This will indicate information about your current connection. - -. Click *Certificates* and navigate to the *Details* tab. - -. Select the certificate you want to use and export it: -+ -* On a Linux OS, click btn:[Export]. -* On a Windows-based OS, click btn:[Save to file] - -. On the right side of the browser, click the *Customize and control Google Chrome* drop-down menu and navigate to *Settings*. - -. In the left panel, select *Advanced* and continue to *Privacy and security*. - -. At the center of the screen, click *Manage certificates* and navigate to *Authorities* tab. - -. Add your certificate in the profile using the btn:[Import] button. - - -== Adding Self-signed Certificates to Google Chrome on Mac OS - -.Procedure - -. 
On the left side of the Chrome browser URL address bar panel, click the `lock` icon, which represents the SSL/TLS status. -+ -This will indicate information about your current connection. - -. Click *Certificates*. - -. Select the certificate you want to use and then drag and drop its displayed larger icon to the desktop. -+ -image::contributor/macOS-adding-certificate.png[] - -. Double click the exported certificate to import it into Google Chrome. - -[discrete] -== Examples - -.Google Chrome -. Go to link:chrome://settings/certificates[Google Chrome Settings], then to the *Authorities* tab -. Click *Import* and find the generated `rootCA.crt` or `ca.crt` file. -+ -image::contributor/che-tls-chrome-import_1.png[link="{imagesdir}/contributor/che-tls-chrome-import_1.png"] - -. Select *Trust this certificate for identifying websites* and click btn:[OK]. -+ -image::contributor/che-tls-chrome-import_2.png[link="{imagesdir}/contributor/che-tls-chrome-import_2.png"] - -. After adding the {prod-short} certificate to the browser, the address bar displays the `lock` icon next to the URL, indicating a secure connection. -+ -ifeval::["{project-context}" == "che"] -image::contributor/che-tls-chrome-import_3.png[link="{imagesdir}/contributor/che-tls-chrome-import_3.png"] -endif::[] - -.Firefox -. Go to `about:preferences`, search for `certificates`, and click *View Certificates*. -+ -image::contributor/che-tls-firefox-import_1.png[link="{imagesdir}/contributor/che-tls-firefox-import_1.png"] - -. Go to the *Authorities* tab, click *Import*, and find the generated `rootCA.crt` or `ca.crt` file. -+ -image::contributor/che-tls-firefox-import_2.png[link="{imagesdir}/contributor/che-tls-firefox-import_2.png"] - -. Select *Trust this CA to identify websites* and click btn:[OK]. -+ -image::contributor/che-tls-firefox-import_3.png[link="{imagesdir}/contributor/che-tls-firefox-import_3.png"] - -. 
After adding the {prod-short} certificate to the browser, the address bar displays the `lock` icon next to the URL, indicating a secure connection. -+ -ifeval::["{project-context}" == "che"] -image::contributor/che-tls-firefox-import_4.png[link="{imagesdir}/contributor/che-tls-firefox-import_4.png"] -endif::[] - -.macOS Keychain - -. Open *Keychain Access*. - -. Select the *System* keychain and drag & drop the generated `rootCA.crt` or `ca.crt` file. - -. Double-click the imported CA, then go to *Trust*, and select *When using this certificate*: *Always Trust*. - -. Restart the browser for the added certificated to take effect. diff --git a/src/main/pages/che-7/overview/proc_installing-che-on-kubespray-using-chectl.adoc b/src/main/pages/che-7/overview/proc_installing-che-on-kubespray-using-chectl.adoc index 22db21eb05..8db2a1631c 100644 --- a/src/main/pages/che-7/overview/proc_installing-che-on-kubespray-using-chectl.adoc +++ b/src/main/pages/che-7/overview/proc_installing-che-on-kubespray-using-chectl.adoc @@ -34,7 +34,6 @@ It corresponds to the `EXTERNAL-IP` of the `ingress-nginx-controller` service. U + [subs="+attributes,quotes"] ---- -$ {prod-cli} server:start --platform k8s --domain __.nip.io --self-signed-cert +$ {prod-cli} server:start --platform k8s --domain __.nip.io ---- -+ -NOTE: Unless providing a certificate, use the `--self-signed-cert` flag. + diff --git a/src/main/pages/che-7/overview/proc_installing-che-on-openshift-3-using-the-operator-and-ssl.adoc b/src/main/pages/che-7/overview/proc_installing-che-on-openshift-3-using-the-operator-and-ssl.adoc index d2ac834c9e..d0850217d6 100644 --- a/src/main/pages/che-7/overview/proc_installing-che-on-openshift-3-using-the-operator-and-ssl.adoc +++ b/src/main/pages/che-7/overview/proc_installing-che-on-openshift-3-using-the-operator-and-ssl.adoc 
@@ -27,7 +27,6 @@ $ {prod-cli} server:start -n __ --domain= \ + [NOTE] ==== -* To create the {prod-short} instance on demo OpenShift clusters that have not been setup with a valid certificate for the routes, run the command with the `--self-signed-cert` flag. * To install {prod-short} with the default values, omit the `--che-operator-cr-patch-yaml=configuration.yaml` option. ==== diff --git a/src/main/pages/che-7/overview/ref_che-deployment-options-using-chectl.adoc b/src/main/pages/che-7/overview/ref_che-deployment-options-using-chectl.adoc index d1e81c9117..911c57595f 100644 --- a/src/main/pages/che-7/overview/ref_che-deployment-options-using-chectl.adoc +++ b/src/main/pages/che-7/overview/ref_che-deployment-options-using-chectl.adoc @@ -34,5 +34,4 @@ OPTIONS --listr-renderer=default|silent|verbose [default: default] Listr renderer --os-oauth Enable use of OpenShift credentials to log into {prod-short} --plugin-registry-url=plug-in-registry-url The URL of the external plug-in registry. - --self-signed-cert Authorize usage of self signed certificates for encryption. Note that `self-signed-certificate` secret with CA certificate must be created in the configured namespace. ----