Story #18338

open

"arvados-server init" can use a local root CA to sign certificates

Added by Tom Clegg about 3 years ago. Updated almost 2 years ago.

Status: New
Priority: Normal
Assigned To: -
Category: -
Target version: -
% Done: 0%
Story points: -
Release relationship: Auto

Description

When running "arvados-server init" the operator should have the option[1] to generate a root CA, use it to sign TLS certificates for all Arvados web services that use TLS, and make the root CA certificate available so users can configure their browsers / command line tools to trust it.

arvados-server init may provide the option, but arvados-server boot should implement the certificate handling. It will be common for users to migrate to/from Let's Encrypt or some other trusted CA, and this will be done by updating config.yml, not by running init again.

Currently "arvados-server boot" uses a local root CA to sign certificates, but the root CA does not persist after a restart, and there is no documented/easy way for users to get the root certificate.

[1] This should be the default behavior if no other certificate strategy is selected/available.
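
One way to get the behavior requested above, as an added example (not Arvados code and not part of the ticket): the root CA is created once, written to disk, and reloaded on later runs, so certificates issued after a restart still chain to the root users already imported. The file names `rootca.key` and `rootca.der`, the Ed25519 key type, the one-year validity, the time-based serial numbers, and the helper names `issue` and `loadOrCreateCA` are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"os"
	"time"
)

// issue signs tmpl under parent with caKey and returns DER; parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, caKey ed25519.PrivateKey) ([]byte, error) {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().AddDate(1, 0, 0)
	return x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
}

// loadOrCreateCA reuses the root CA in dir across restarts (file names are this example's assumption).
func loadOrCreateCA(dir string) (*x509.Certificate, ed25519.PrivateKey, error) {
	key, kerr := os.ReadFile(dir + "/rootca.key")
	der, cerr := os.ReadFile(dir + "/rootca.der")
	if kerr != nil || cerr != nil || len(key) != ed25519.PrivateKeySize {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		root := &x509.Certificate{Subject: pkix.Name{CommonName: "example local root CA"},
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
		if der, err = issue(root, root, pub, priv); err != nil {
			return nil, nil, err
		}
		if err = os.WriteFile(dir+"/rootca.key", priv, 0600); err == nil { // key: owner-only
			err = os.WriteFile(dir+"/rootca.der", der, 0644) // certificate: users import this
		}
		if err != nil {
			return nil, nil, err
		}
		key = priv
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

func main() {
	_, _, err := loadOrCreateCA(".") // a second run loads the same root instead of replacing it
	fmt.Println("root CA ready, err =", err)
}
```

A service certificate is issued with `issue(&x509.Certificate{DNSNames: []string{host}}, ca, servicePub, caKey)`, using the values returned by `loadOrCreateCA`.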


Related issues 1 (1 open, 0 closed)

Related to Arvados Epics - Story #18337: Easy install via OS package | In Progress | 12/01/2022 | 03/31/2023

#1

Updated by Tom Clegg about 3 years ago

  • Related to Story #18337: Easy install via OS package added
#2

Updated by Lucas Di Pentima almost 2 years ago

  • Release set to 60