Cockpit: SSL/TLS certificate update is not complete (no problem with Nethgui)

I could agree, but I for sure expect many support requests like “I’ve configured Let’s Encrypt but I still see the old certificate on cockpit”.
We had plenty of such requests on the NethGUI when the reload async fails.

Probably I prefer the current behavior but less support requests.
Maybe @nrauso or @filippo_carletti have different opinions.

Meanwhile I filed the bug report:

My solution proposal is

  1. remove the restart of cockpit-ws, to avoid the session cut off
  2. display a warning, trying to explain that to prevent disconnection the new certificate is applied to cockpit itself 90 seconds after all sessions are closed.

I confirm that this is a bug. When I change the certificate with NethGUI, the problem described here, “Nethserver-Reports (Nethesis-Dante) page fails with original NS-Cerificates”, is gone. When I change the cert with cockpit, the problem exists.

Thanks for the progress on it.

This is the proposal for the UI message, stating - hey don’t expect the certificate is applied immediately here


The same Notice is displayed on every modal dialog that changes the current certificate.

Can you see how to improve it?


Would it be good for you to have a button for forcing disconnection?

Is it for all certificate generations? Not only Let’s Encrypt?

  • Self-signed certificate

Yes, it fixes cert updates and that includes self signed ones.


This is a good idea, but I don’t know if it is worth the effort.


For all: the fix is now in testing. Could you check it out?

Verified!
