From 772f301b6be17d0e53d19ac23d21441609743354 Mon Sep 17 00:00:00 2001 From: Michael Schurter Date: Tue, 18 Apr 2017 09:04:06 -0700 Subject: [PATCH] Mention required cli config when using tls Fixes #2571 --- website/source/docs/agent/encryption.html.md | 21 ++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/website/source/docs/agent/encryption.html.md b/website/source/docs/agent/encryption.html.md index 46b1ce6b2..99068eba7 100644 --- a/website/source/docs/agent/encryption.html.md +++ b/website/source/docs/agent/encryption.html.md @@ -51,6 +51,27 @@ TLS is used to secure the RPC calls between agents, but gossip between nodes is done over UDP and is secured using a symmetric key. See above for enabling gossip encryption. +### Configuring the command line tool + +If you have HTTPS enabled for your Nomad agent, you must export environment +variables for the command line tool to also use HTTPS: + +```sh +# NOMAD_ADDR defaults to http://, so set it to https +# Alternatively you can use the -address flag +export NOMAD_ADDR=https://127.0.0.1:4646 + +# Set the location of your CA certificate +# Alternatively you can use the -ca-cert flag +export NOMAD_CACERT=/path/to/ca.pem +``` + +Run any command except `agent` with `-h` to see all environment variables and +flags. For example: `nomad status -h` + +Since HTTPS currently does not validate client certificates you do not need to +give the command line tool access to any private keys. + ## Encryption Examples ### TLS Configuration using `cfssl`
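
Review bot: In the last added paragraph, "Since HTTPS currently does not validate client certificates" mentions a security-relevant limitation only as the reason the CLI needs no private keys. I would state it directly, for example that with this setup the CLI verifies the agent against `NOMAD_CACERT` but the agent does not verify the CLI, so readers do not assume that enabling HTTPS also restricts who can call the HTTP API. "currently" will go stale, so consider tying the sentence to a version. Smaller points in the same hunk: the example pairs `NOMAD_ADDR=https://127.0.0.1:4646` with CA verification, so a comment that the address must be one the agent's certificate is valid for would save readers a failed handshake, and a comma is missing after "client certificates".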