{% comment %} Copyright (C) The Arvados Authors. All rights reserved. SPDX-License-Identifier: CC-BY-SA-3.0 {% endcomment %} You will need certificates for each DNS name and DNS wildcard previously listed in the "DNS hostnames for each service":#DNS . To simplify certificate management, we recommend creating a single certificate for all of the hostnames, or creating a wildcard certificate that covers all possible hostnames (with the following patterns in subjectAltName):
xarv1.example.com *.xarv1.example.com *.collections.xarv1.example.com(Replacing xarv1 with your own ${CLUSTER}.${DOMAIN}) Copy your certificates to the directory specified with the variable @CUSTOM_CERTS_DIR@ in the remote directory where you copied the @provision.sh@ script. The provision script will find the certificates there. The script expects cert/key files with these basenames (matching the role except for keepweb, which is split in both download / collections): # @controller@ # @websocket@ -- note: corresponds to default domain @ws.${CLUSTER}.${DOMAIN}@ # @keepproxy@ -- note: corresponds to default domain @keep.${CLUSTER}.${DOMAIN}@ # @download@ -- Part of keepweb # @collections@ -- Part of keepweb, must be a wildcard for @*.collections.${CLUSTER}.${DOMAIN}@ # @workbench@ # @workbench2@ # @webshell@ For example, for the @keepproxy@ service the script will expect to find this certificate:
${CUSTOM_CERTS_DIR}/keepproxy.crt
${CUSTOM_CERTS_DIR}/keepproxy.key
ln -s xarv1.crt ${CUSTOM_CERTS_DIR}/controller.crt
ln -s xarv1.key ${CUSTOM_CERTS_DIR}/controller.key
ln -s xarv1.crt ${CUSTOM_CERTS_DIR}/keepproxy.crt
ln -s xarv1.key ${CUSTOM_CERTS_DIR}/keepproxy.key
...