Copyright (C) The Arvados Authors. All rights reserved.

SPDX-License-Identifier: CC-BY-SA-3.0

h2(#ca_root_certificate). Install the CA root certificate (SSL_MODE=self-signed only)

*If you are not using self-signed certificates (you selected SSL_MODE=lets-encrypt or SSL_MODE=bring-your-own), skip this section.*

Arvados uses SSL to encrypt communications. The web interface uses AJAX, which will silently fail if the certificate is not valid or is signed by an unknown Certification Authority.

For this reason, the @arvados-formula@ has a helper state to create a root certificate to authorize Arvados services. The @provision.sh@ script will leave a copy of the generated CA's certificate (@arvados-snakeoil-ca.pem@) in the script's directory so you can add it to your workstation.

Installing the root certificate into your web browser will prevent security errors when accessing Arvados services with your web browser.

h4. Chrome

# Go to "Settings → Privacy and Security → Security → Manage Certificates" or enter @chrome://settings/certificates@ in the URL bar.
# *Click on the "Authorities" tab* (it is not selected by default)
# Click on the "Import" button
# Choose @arvados-snakeoil-ca.pem@
# Tick the checkbox next to "Trust this certificate for identifying websites"
# The certificate should appear in the list of Authorities under "Arvados"

h4. Firefox

# Go to "Preferences → Privacy & Security" or enter @about:preferences#privacy@ in the URL bar
# Scroll down to the *Certificates* section
# Click on the button "View Certificates...".
# Make sure the "Authorities" tab is selected
# Press the "Import..." button.
# Choose @arvados-snakeoil-ca.pem@
# Tick the checkbox next to "Trust this CA to identify websites"
# The certificate should appear in the list of Authorities under "Arvados"

h4. Other browsers (Safari, etc.)

The process will be similar to that of Chrome and Firefox, but the exact user interface will be different. If you can't figure it out, try searching for "how do I install a custom certificate authority in <my browser>".

h3. Installation on Linux OS certificate storage

To access your Arvados instance using command line clients (such as @arv-get@ and @arv-put@) without security errors, install the certificate into the OS certificate storage.
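
Before adding the file to a system-wide trust store, it is worth confirming that it really is a CA certificate, that it has not expired, and that its fingerprint matches the copy on the host where @provision.sh@ generated it. The script below is an added example, not part of Arvados or @provision.sh@; the function name @check_ca_cert@ is hypothetical and the @openssl@ command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not part of Arvados): sanity-check a CA certificate file
# before adding it to a trust store. check_ca_cert is a hypothetical helper
# name; the openssl command-line tool is assumed to be installed.

check_ca_cert() {
    cert="$1"

    # 1. The file must parse as a PEM-encoded X.509 certificate.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "ERROR: $cert is not a PEM X.509 certificate" >&2
        return 1
    fi

    # 2. It must be marked as a CA (basicConstraints CA:TRUE); a leaf
    #    certificate does not belong in the list of trusted authorities.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "ERROR: $cert is not a CA certificate" >&2
        return 2
    fi

    # 3. It must still be valid 24 hours from now.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null; then
        echo "ERROR: $cert is expired or expires within 24 hours" >&2
        return 3
    fi

    # 4. Print the identifying fields. Compare the SHA-256 fingerprint with
    #    the one computed on the host where provision.sh generated the file.
    openssl x509 -in "$cert" -noout -subject -enddate -fingerprint -sha256
}

# Run the check when a file name is given, e.g.:
#   sh check_ca_cert.sh arvados-snakeoil-ca.pem
if [ "$#" -gt 0 ]; then
    check_ca_cert "$1"
fi
```

A non-zero exit status means the file should not be installed as a trusted authority.
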

h4. Debian/Ubuntu

*Important:* the certificate file added to @ca-certificates@ must have the extension @.crt@ or it won't be recognized.

<pre><code>cp arvados-snakeoil-ca.pem /usr/local/share/ca-certificates/arvados-snakeoil-ca.crt
/usr/sbin/update-ca-certificates
</code></pre>

h4. Red Hat-based distributions

<pre><code>cp arvados-snakeoil-ca.pem /etc/pki/ca-trust/source/anchors/
/usr/bin/update-ca-trust
</code></pre>