This guide is for development only. Do not use self-signed certificates in production.

The following section describes the deployment and configuration of Eclipse Che for use in TLS mode with self-signed certificates. It consists of following steps:

  1. Generate needed keys and certificates if needed

  2. Prepare target deployment environment (one of the following):

  3. Configure the browser

Deploying Che with self-signed TLS certificates on OpenShift 4 using Operator

This section describes how to deploy Che with self-signed TLS certificates on OpenShift Container Platform 4. To do that:

  1. Generate an OpenShift certificate.

  2. Use it when deploying Che.

  3. Import it into a browser.

Prerequisites
Procedure
  1. Log in to the default OpenShift project:

    $ oc login -u kubeadmin -p <password>
  2. Get the OpenShift 4 self-signed certificate:

    $ oc get secret router-ca -n openshift-ingress-operator -o jsonpath="{.data.tls\.crt}" | \
      base64 -d > ca.crt
  3. Pre-create a namespace for Che:

    $ oc create namespace che
  4. Create a secret from the CA certificate:

    $ oc create secret generic self-signed-certificate --from-file=ca.crt -n=che
  5. Deploy Che using chectl:

    $ chectl server:start --platform=crc --installer=operator --self-signed-cert

Deploying Che with self signed TLS certificates on Kubernetes

This section describes how to deploy Che with self-signed TLS certificates on the Kubernetes platform.

Prerequisites
Procedure
  1. Pre-create a namespace for Che:

    $ kubectl create namespace che
  2. Create a secret with the domain key and the certificate:

    $ kubectl create secret tls che-tls --key=domain.key --cert=domain.crt -n che
  3. Create a secret from the CA certificate:

    $ kubectl create secret generic self-signed-certificate --from-file=ca.crt -n che
  4. Deploy Che using chectl:

    $ chectl server:start --platform=minikube --installer=operator --self-signed-cert

Deploying Che with self-signed TLS certificates on OpenShift 3 using Operator

This section describes how to deploy Che with self-signed TLS certificates on the OpenShift 3 platform.

Prerequisites
Procedure
  1. Log in to the default OpenShift project:

    $ oc login -u system:admin --insecure-skip-tls-verify=true
    $ oc project default
  2. Re-configure the router with the generated certificate:

    $ oc delete secret router-certs
    $ cat domain.crt domain.key > minishift.crt
    $ oc create secret tls router-certs --key=domain.key --cert=minishift.crt
    $ oc rollout latest router
  3. Pre-create a namespace for Che:

    $ oc create namespace che
  4. Create a secret from the CA certificate:

    $ oc create secret generic self-signed-certificate --from-file=ca.crt -n=che
  5. Deploy Che using chectl. Eclipse Che is installed with TLS mode by default:

    $ chectl server:start --platform=minishift --installer=operator --self-signed-cert

Generating self-signed TLS certificates

This section describes how to prepare self-signed TLS certificates to use with Che on different platforms.

Prerequisites
  • The expected domain name where Che deployment is planned:

    Table 1. Expected (default) domain names
    Platform Default domain

    Minishift

    $( minishift ip ).nip.io

    Minikube

    $( minikube ip ).nip.io

    CodeReady Containers

    apps-crc.testing

  • The location of the openssl.cnf file on the target machine:

    Table 2. Usual OpenSSL configuration file locations
    Linux distribution File location

    Fedora, Red Hat Enterprise Linux, CentOS

    /etc/pki/tls/openssl.cnf

    Debian, Ubuntu, Mint, Arch Linux

    /etc/ssl/openssl.cnf

Procedure
  1. Set the necessary environment variables:

    $ CA_CN="Local Eclipse Che Signer"
    $ DOMAIN=*.<expected.domain.com>
    $ OPENSSL_CNF=<path_to_openssl.cnf>
    Example with Minikube on Fedora 31
    $ CA_CN="Local Eclipse Che Signer"
    $ DOMAIN=\*.$( minikube ip ).nip.io
    $ OPENSSL_CNF=/etc/pki/tls/openssl.cnf
    Example with crc on OSX
    $ export CA_CN="Local Eclipse Che Signer"
    $ export DOMAIN=*.apps-crc.testing
    $ export OPENSSL_CNF=/System/Library/OpenSSL/openssl.cnf
  2. Generate the root CA key. Add the -des3 parameter to use a passphrase:

    $ openssl genrsa -out ca.key 4096
  3. Generate the root CA certificate:

    $ openssl req -x509 \
      -new -nodes \
      -key ca.key \
      -sha256 \
      -days 1024 \
      -out ca.crt \
      -subj /CN="${CA_CN}" \
      -reqexts SAN \
      -extensions SAN \
      -config <(cat ${OPENSSL_CNF} \
          <(printf '[SAN]\nbasicConstraints=critical, CA:TRUE\nkeyUsage=keyCertSign, cRLSign, digitalSignature'))
  4. Generate the domain key:

    $ openssl genrsa -out domain.key 2048
  5. Generate the certificate signing request for the domain:

    $ openssl req -new -sha256 \
        -key domain.key \
        -subj "/O=Local {prod}/CN=${DOMAIN}" \
        -reqexts SAN \
        -config <(cat ${OPENSSL_CNF} \
            <(printf "\n[SAN]\nsubjectAltName=DNS:${DOMAIN}\nbasicConstraints=critical, CA:FALSE\nkeyUsage=digitalSignature, keyEncipherment, keyAgreement, dataEncipherment\nextendedKeyUsage=serverAuth")) \
        -out domain.csr
  6. Generate the domain certificate:

    $ openssl x509 \
        -req \
        -sha256 \
        -extfile <(printf "subjectAltName=DNS:${DOMAIN}\nbasicConstraints=critical, CA:FALSE\nkeyUsage=digitalSignature, keyEncipherment, keyAgreement, dataEncipherment\nextendedKeyUsage=serverAuth") \
        -days 365 \
        -in domain.csr \
        -CA ca.crt \
        -CAkey ca.key \
        -CAcreateserial -out domain.crt

This procedure allows to use domain.crt and domain.key for TLS Route and Ingress, and ca.crt for importing into browsers.

Using Che with TLS

This section describes how to import a root certificate authority into the browser to use Che with self-signed TLS certificates.

Google Chrome

  1. Go to chrome://settings/certificates, the Authorities tab, click Import, and find the generated rootCA.crt (or ca.crt for OpenShift 4) file.

    che tls chrome import 1
  2. Select Trust this certificate for identifying websites and click OK.

    che tls chrome import 2
  3. Browser is satisfied with Che certificate and is reporting a secure connection.

    che tls chrome import 3

Firefox

  1. Go to about:preferences, search for certificates, and click View Certificates.

    che tls firefox import 1
  2. Go to the Authorities tab, click Import, and find the generated rootCA.crt (or ca.crt for OpenShift 4) file.

    che tls firefox import 2
  3. Select Trust this CA to identify websites and click OK.

    che tls firefox import 3
  4. Browser is satisfied with Che certificate and is reporting a secure connection.

    che tls firefox import 4

macOS

  1. Open Keychain Access.

  2. Select the System keychain and drag & drop the rootCA.crt (or ca.crt for OpenShift 4) file there.

  3. Double-click the imported CA, go to Trust, and select When using this certificate: Always Trust.

  4. If the browser still reports an invalid certificate, restart the browser.

Tags: