169b170835
Cert auth generation echo fixed |
||
---|---|---|
.. | ||
ca-csr.json | ||
ca-key.pem | ||
ca.csr | ||
ca.pem | ||
cfssl-user.json | ||
cfssl.json | ||
client-key.pem | ||
client.csr | ||
client.pem | ||
csr.json | ||
dev-key.pem | ||
dev.csr | ||
dev.pem | ||
GNUmakefile | ||
README.md | ||
server-key.pem | ||
server.csr | ||
server.pem | ||
tls-client.hcl | ||
tls-dev.hcl | ||
tls-server.hcl | ||
user-key.pem | ||
user.csr | ||
user.pem | ||
user.pfx |
Demo TLS Configuration
Do NOT use in production. For testing purposes only.
See Securing Nomad for a full guide.
This directory contains sample TLS certificates and configuration to ease testing of TLS related features. There is a makefile to generate certificates, and pre-generated are available for use.
Files
Generated? | File | Description |
---|---|---|
◻️ | GNUmakefile |
Makefile to generate certificates |
◻️ | tls-*.hcl |
Nomad TLS configurations |
◻️ | cfssl*.json |
cfssl configuration files |
◻️ | csr*.json |
cfssl certificate generation configurations |
☑️ | ca*.pem |
Certificate Authority certificate and key |
☑️ | client*.pem |
Nomad client node certificate and key |
☑️ | dev*.pem |
Nomad certificate and key for dev agents |
☑️ | server*.pem |
Nomad server certificate and key |
☑️ | user*.pem |
Nomad user (CLI) certificate and key |
☑️ | user.pfx |
Nomad browser PKCS #12 certificate and key (blank password) |
Usage
Agent
To run a TLS-enabled Nomad agent include the tls.hcl
configuration file with
either the -dev
flag or your own configuration file. If you're not running
the nomad agent
command from this directory you will have to edit the paths
in tls.hcl
.
# Run the dev agent with TLS enabled
nomad agent -dev -config=tls-dev.hcl
# Run a *server* agent with your configuration and TLS enabled
nomad agent -config=path/to/custom.hcl -config=tls-server.hcl
# Run a *client* agent with your configuration and TLS enabled
nomad agent -config=path/to/custom.hcl -config=tls-client.hcl
Browser
To access the Nomad Web UI when TLS is enabled you will need to import two certificate files into your browser:
ca.pem
must be imported as a Certificate Authorityuser.pfx
must be imported as a Client certificate. The password is blank.
When you access the UI via https://localhost:4646/ you will be prompted to select the user certificate you imported.