TLS Certificates for RHEL Web Console

Will Kibbe edited this page Aug 29, 2023 · 5 revisions

Enabling signed TLS/SSL certificates for the RHEL Web Console/Cockpit

To obtain and configure a properly-signed TLS certificate for the RHEL web console on RHEL 9, add the following to the setup-rhel script:

# set up SSL for certificate signing

#check web console url for certificate
echo https://${HOSTNAME}.${_SANDBOX_ID}.instruqt.io:9090

#also go ahead and echo it to a text file as well just for good measure
echo https://${HOSTNAME}.${_SANDBOX_ID}.instruqt.io:9090 >> ~/webconsoleurl.txt

# Enable EPEL for RHEL 9
subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

#install necessary components
dnf install -y certbot python3-certbot-nginx

#ensure certbot is successfully installed
certbot --version

#stop the process that is using TCP port 80; we need that port open for certbot
fuser -k 80/tcp

#request our certificate
certbot certonly --standalone --preferred-challenges http -d ${HOSTNAME}.${INSTRUQT_PARTICIPANT_ID}.instruqt.io --non-interactive --agree-tos -m [email protected] -v

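#configure our certificate for the web console (copy it into the cockpit certificate folder)
#use fullchain.pem so the intermediate CA certificate is served along with the host certificate,
#and write with > first so that re-running the script does not append a second copy
cat /etc/letsencrypt/live/${HOSTNAME}.${INSTRUQT_PARTICIPANT_ID}.instruqt.io/fullchain.pem > /etc/cockpit/ws-certs.d/certificate.cert
cat /etc/letsencrypt/live/${HOSTNAME}.${INSTRUQT_PARTICIPANT_ID}.instruqt.io/privkey.pem >> /etc/cockpit/ws-certs.d/certificate.cert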

#remove the old self-signed certificates
rm /etc/cockpit/ws-certs.d/0*

#restart cockpit to apply the changes
systemctl restart cockpit
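
A check for the combined file the script writes, added here as an example and not part of the original page or of Cockpit: it confirms the file holds exactly one private key, that the key matches the leaf certificate, and that the certificate is unexpired and valid for the expected hostname. The function names, the demo hostname and the throwaway self-signed pair are assumptions constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: check a combined Cockpit PEM file (certificate(s) + private key).
# Function names are illustrative; they are not part of Cockpit or certbot.

# pem_block FILE LABEL_REGEX: print the first PEM block whose label matches.
pem_block() {
  awk -v re="-----BEGIN $2-----" '
    $0 ~ re            { on = 1 }
    on                 { print }
    on && /^-----END / { exit }' "$1"
}

# check_cockpit_cert FILE HOST: succeed only if FILE has exactly one private
# key, the key matches the first (leaf) certificate, the certificate has not
# expired, and it is valid for HOST.
check_cockpit_cert() {
  local file="$1" host="$2" keys leaf cert_pub key_pub
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$file" || true)
  [ "$keys" = 1 ] || { echo "expected 1 private key, found ${keys:-0}" >&2; return 1; }
  leaf=$(pem_block "$file" 'CERTIFICATE')
  cert_pub=$(printf '%s\n' "$leaf" | openssl x509 -noout -pubkey) || return 1
  key_pub=$(pem_block "$file" '.*PRIVATE KEY' | openssl pkey -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
  printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired" >&2; return 1; }
  printf '%s\n' "$leaf" | openssl x509 -noout -checkhost "$host" \
    | grep -q 'does match certificate' \
    || { echo "certificate is not valid for $host" >&2; return 1; }
}

# make_demo_files DIR: constructed sample input, a throwaway self-signed pair
# for a made-up host, a matching combined file, and one with everything twice.
make_demo_files() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=rhel.example.test' \
    -addext 'subjectAltName=DNS:rhel.example.test' \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
  cat "$1/cert.pem" "$1/key.pem" > "$1/good.cert"
  cat "$1/good.cert" "$1/good.cert" > "$1/doubled.cert"
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
check_cockpit_cert "$demo_dir/good.cert" rhel.example.test && echo "good.cert: ok"
check_cockpit_cert "$demo_dir/doubled.cert" rhel.example.test || echo "doubled.cert: rejected"
```

On the lab host, the same function can be pointed at /etc/cockpit/ws-certs.d/certificate.cert with the hostname passed to certbot.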

Why should we sign TLS certificates?

Without signed TLS certificates, users receive security warnings from their browser when connecting to the RHEL Web Console. This hurts product experience and makes the lab experience less consistent. Signing the TLS certificates helps lab users and makes labs better.