On Tue, Oct 9, 2018 at 4:56 AM Stef Walter <[email protected]> wrote:
>
> On 09/10/2018 08:47, Paul Cuzner wrote:
> > Excellent.
> >
> > Will this also work with self-signed, or would you simply specify
> > validate false?
>
> The latter. The following for self-signed:
>
> { "tls": { "validate": false } }
>
> In particular self-signed certificates do not have anything appropriate
> to put under "authority" in order to make them validate.
>

Tangentially related: I'd recommend using a signed certificate rather than a self-signed one, even in testing environments. You'd be surprised how often people get into the habit of doing "validate: false" everywhere and then get into trouble. I wrote a handy little tool a while ago (packaged on Fedora and EPEL) called sscg (the Simple Signed Certificate Generator) that will create a safe certificate for the same use-cases as self-signed, except that it contains a certificate authority you can import in your clients that will validate only this service. See https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/ for details on how it works and http://github.com/sgallagher/sscg for the source.
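
As an added illustration of the approach recommended in the message above (not code from the thread, and not sscg itself), these shell functions use the `openssl` CLI to create a private CA, sign one service certificate with it, and check it the way a validating client would. The hostname `app.example.test`, the file names, the 30-day lifetime, the name constraint and the deletion of the CA key are this example's assumptions.

```shell
#!/bin/sh
# Added example (not sscg itself): a private CA that vouches for one host only.
# Hostname, directory and file names are constructed for illustration.

make_service_cert() {   # usage: make_service_cert HOST OUTDIR
    host=$1; dir=$2
    mkdir -p "$dir" || return 1
    cat > "$dir/x509.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = private CA for $host
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
nameConstraints = critical,permitted;DNS:$host
[v3_svc]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
    # 1. Throwaway CA, name-constrained to the single service hostname.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/x509.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Service key and certificate request.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/x509.cnf" \
        -subj "/CN=$host" -keyout "$dir/service.key" \
        -out "$dir/service.csr" 2>/dev/null || return 1
    # 3. Sign the request with the CA, adding the hostname as a SAN.
    openssl x509 -req -in "$dir/service.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/x509.cnf" -extensions v3_svc \
        -out "$dir/service.crt" 2>/dev/null || return 1
    # 4. Destroy the CA key so nothing else can ever be signed with it.
    rm -f "$dir/ca.key" "$dir/ca.srl" "$dir/service.csr" "$dir/x509.cnf"
}

verify_service() {      # usage: verify_service NAME OUTDIR
    # What a client does with validation on and ca.crt as its trust anchor.
    openssl verify -CAfile "$2/ca.crt" -verify_hostname "$1" \
        "$2/service.crt" >/dev/null 2>&1
}
```

Clients import `ca.crt` as their trust anchor and keep validation switched on; the service is given `service.crt` and `service.key`.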
