<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>Importing untrusted TLS certificates to Che :: Eclipse Che Documentation</title>
<meta name="description" content="Importing untrusted TLS certificates to Che">
<meta name="keywords" content="administration guide, tls, certificate">
<meta name="generator" content="Antora 3.0.2">
<link rel="stylesheet" href="../../../../docs/_/css/site.css">
<link rel="stylesheet" href="../../../../docs/_/css/extra.css">
<link rel="stylesheet" href="../../../../docs/_/font-awesome-4.7.0/css/font-awesome.min.css">
<link rel="icon" href="../../../../docs/_/img/favicon.ico" type="image/x-icon">
<meta name="robots" content="noindex">
<script>var uiRootPath = '../../../../docs/_'</script>
</head>
<body class="article">
<div class="body">
<main class="article">
<div class="content">
<article class="doc">
<h1 class="page">Importing untrusted TLS certificates to Che</h1>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>By default, external communications between Che components are encrypted with TLS. Communications of Che components with external services such as proxies, source code repositories, and identity providers might also require TLS. All communications encrypted with TLS require the use of TLS certificates signed by trusted Certificate Authorities (CA).</p>
</div>
<div class="paragraph">
<p>When the certificates used by Che components or by an external service are signed by an untrusted CA, you must import the CA certificate into the Che instance so that every Che component treats the certificates as signed by a trusted CA. You have to do this in the following cases:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>The underlying Kubernetes cluster uses TLS certificates signed by an untrusted CA.</p>
</li>
<li>
<p>Che server or workspace components connect to external OIDC providers or a Git server that use TLS certificates signed by an untrusted CA.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Che uses labeled ConfigMaps in the Che namespace as sources for TLS certificates. The ConfigMaps can have an arbitrary number of keys, each holding an arbitrary number of certificates.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>When an OpenShift cluster contains cluster-wide trusted CA certificates added through the <a href="https://docs.openshift.com/container-platform/4.10/networking/configuring-a-custom-pki.html#nw-proxy-configure-object_configuring-a-custom-pki">cluster-wide-proxy configuration</a>, the Che Operator detects them and automatically injects them into a ConfigMap. Che automatically labels the ConfigMap with the <code>config.openshift.io/inject-trusted-cabundle="true"</code> label. Based on this label, OpenShift automatically injects the cluster-wide trusted CA certificates inside the <code>ca-bundle.crt</code> key of the ConfigMap.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="admonitionblock important">
<table>
<tr>
<td class="icon">
<i class="fa icon-important" title="Important"></i>
</td>
<td class="content">
<div class="paragraph">
<p>Some Che components require a full certificate chain to trust the endpoint.
If the cluster is configured with an intermediate certificate, add the whole chain, including the self-signed root, to Che.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_adding_new_ca_certificates_into_che"><a class="anchor" href="#_adding_new_ca_certificates_into_che"></a>Adding new CA certificates into Che</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Certificate files are typically stored as Base64 ASCII files, with extensions such as <code>.pem</code>, <code>.crt</code>, <code>.ca-bundle</code>, and others. All Secrets that hold certificate files should use the Base64-encoded certificate rather than the binary-encoded certificate. The following procedure applies both to instances that are already installed and running and to instances that are yet to be installed.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>An active <code>kubectl</code> session with administrative permissions to the destination Kubernetes cluster. See <a href="https://kubernetes.io/docs/reference/kubectl/overview/">Overview of kubectl</a>.</p>
</li>
<li>
<p>The namespace for Che exists.</p>
</li>
<li>
<p>Che already uses some reserved file names to automatically inject certificates into the ConfigMap, so avoid using the following reserved file names to save your certificates:</p>
<div class="ulist">
<ul>
<li>
<p><code>ca-bundle.crt</code></p>
</li>
<li>
<p><code>ca.crt</code></p>
</li>
</ul>
</div>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Save the certificates you need to import to a local file system.</p>
<div class="admonitionblock caution">
<table>
<tr>
<td class="icon">
<i class="fa icon-caution" title="Caution"></i>
</td>
<td class="content">
<div class="ulist">
<ul>
<li>
<p>A certificate with the introductory phrase <code>BEGIN TRUSTED CERTIFICATE</code> is likely in the PEM <code>TRUSTED CERTIFICATE</code> format, which is not supported by Java. Convert it to the supported <code>CERTIFICATE</code> format with the following command:</p>
<div class="ulist">
<ul>
<li>
<p><code>openssl x509 -in cert.pem -out cert.cer</code></p>
</li>
</ul>
</div>
</li>
</ul>
</div>
</td>
</tr>
</table>
</div>
</li>
<li>
<p>Create a new ConfigMap with the required TLS certificates:</p>
<div class="listingblock">
<div class="content">
<pre>$ kubectl create configmap custom-certs --from-file=<em>&lt;bundle-file-path&gt;</em> -n=eclipse-che</pre>
</div>
</div>
<div class="paragraph">
<p>To apply more than one bundle, add another <code>--from-file=<em>&lt;bundle-file-path&gt;</em></code>. Alternatively, create another ConfigMap.</p>
</div>
</li>
<li>
<p>Label the created ConfigMaps with the <code>app.kubernetes.io/part-of=che.eclipse.org</code> and <code>app.kubernetes.io/component=ca-bundle</code> labels:</p>
<div class="listingblock">
<div class="content">
<pre>$ kubectl label configmap custom-certs app.kubernetes.io/part-of=che.eclipse.org app.kubernetes.io/component=ca-bundle -n &lt;che-namespace-name&gt;</pre>
</div>
</div>
</li>
<li>
<p>Deploy Che if it hasn&#8217;t been deployed before. Otherwise wait until the rollout of Che components finishes.</p>
</li>
<li>
<p>Restart running workspaces for the changes to take effect.</p>
</li>
</ol>
</div>
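<div class="paragraph">
<p>The prerequisites and the caution in step 1 can be checked before the ConfigMap is created. The following is an added example, not code from the Che project: the function names <code>check_bundle</code> and <code>configmap_command</code> are hypothetical, the check is textual only, and file paths are assumed to contain no whitespace.</p>
</div>

```shell
#!/bin/sh
# Added example (not from the Che project): pre-flight check for certificate
# files before step 2. check_bundle and configmap_command are hypothetical names.
# The check is textual only; it does not validate the X.509 content.

# Prints a verdict and returns 0 ok, 1 reserved name, 2 TRUSTED CERTIFICATE
# format, 3 no complete PEM block (binary or truncated), 4 unreadable.
check_bundle() {
    file=$1
    name=$(basename "$file")
    # --from-file uses the file's base name as the ConfigMap key, and Che
    # reserves these two names for the certificates it injects itself.
    case "$name" in
        ca-bundle.crt|ca.crt) echo "reserved-name"; return 1 ;;
    esac
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then echo "unreadable"; return 4; fi
    # Java does not read the PEM TRUSTED CERTIFICATE format; convert first
    # with: openssl x509 -in cert.pem -out cert.cer
    if grep -q -e '-----BEGIN TRUSTED CERTIFICATE-----' "$file"; then
        echo "trusted-format"; return 2
    fi
    # Every BEGIN marker needs its END marker; zero markers means the file
    # is binary-encoded or not a certificate at all.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "not-pem"; return 3
    fi
    echo "ok:$begins"
}

# Prints (does not run) the kubectl command from step 2 with one --from-file
# per file, or fails on the first file that does not pass check_bundle.
# Assumes paths without whitespace.
configmap_command() {
    ns=$1; shift
    args=""
    for f in "$@"; do
        verdict=$(check_bundle "$f") || { echo "$f: $verdict" >&2; return 1; }
        args="$args --from-file=$f"
    done
    echo "kubectl create configmap custom-certs$args -n $ns"
}
```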
</div>
</div>
<div class="sect1">
<h2 id="_troubleshooting_imported_certificate_issues"><a class="anchor" href="#_troubleshooting_imported_certificate_issues"></a>Troubleshooting imported certificate issues</h2>
<div class="sectionbody">
<div class="paragraph">
<p>If issues occur after adding the certificates, verify the specified values at the Che instance level and workspace level.</p>
</div>
<div class="ulist">
<div class="title">Verifying imported certificates at the Che instance level</div>
<ul>
<li>
<p>In case of a Che <a href="https://docs.openshift.com/container-platform/latest/operators/understanding/olm-what-operators-are.html">Operator</a> deployment, the namespace where the <code>CheCluster</code> is located contains labeled ConfigMaps with the correct content:</p>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl get cm --selector=app.kubernetes.io/component=ca-bundle,app.kubernetes.io/part-of=che.eclipse.org -n eclipse-che</pre>
</div>
</div>
<div class="paragraph">
<p>Check the content of the ConfigMap by entering:</p>
</div>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl get cm <em>&lt;name&gt;</em> -n eclipse-che -o yaml</pre>
</div>
</div>
</li>
<li>
<p>The Che Pod Volumes list contains a volume that uses the <code>ca-certs-merged</code> ConfigMap as its data source.
To get the list of Volumes of the Che Pod, run:</p>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl get pod -o json <em>&lt;che-pod-name&gt;</em> -n eclipse-che | jq .spec.volumes</pre>
</div>
</div>
</li>
<li>
<p>Che mounts certificates in the <code>/public-certs/</code> folder of the Che server container. To view the list of files in this folder, enter:</p>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl exec -t <em>&lt;che-pod-name&gt;</em> -n eclipse-che -- ls /public-certs/</pre>
</div>
</div>
</li>
<li>
<p>In the Che server logs, there is a line for every certificate added to the Java truststore, including configured Che certificates. View them:</p>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl logs <em>&lt;che-pod-name&gt;</em> -n eclipse-che</pre>
</div>
</div>
</li>
<li>
<p>The Che server Java truststore contains the certificates. The SHA1 fingerprints of the imported certificates appear in the list of SHA1 fingerprints of the certificates included in the truststore. View the list:</p>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl exec -t <em>&lt;che-pod-name&gt;</em> -n eclipse-che -- keytool -list -keystore /home/user/cacerts
Your keystore contains 141 entries:
(...)</pre>
</div>
</div>
<div class="paragraph">
<p>To get the SHA1 hash of a certificate on the local filesystem, run:</p>
</div>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ openssl x509 -in <em>&lt;certificate-file-path&gt;</em> -fingerprint -noout
SHA1 Fingerprint=3F:DA:BF:E7:A7:A7:90:62:CA:CF:C7:55:0E:1D:7D:05:16:7D:45:60</pre>
</div>
</div>
</li>
</ul>
</div>
<div class="ulist">
<div class="title">Verifying imported certificates at the workspace level</div>
<ul>
<li>
<p>Start a workspace, obtain the name of the namespace in which it was created, and wait for the workspace to start.</p>
</li>
<li>
<p>Get the name of the workspace Pod:</p>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl get pods -o=jsonpath='{.items[0].metadata.name}' -n <em>&lt;workspace namespace&gt;</em> | grep '^workspace.*'</pre>
</div>
</div>
</li>
<li>
<p>Get the name of the Che-Theia IDE container in the workspace Pod:</p>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl get -o json pod <em>&lt;workspace pod name&gt;</em> -n <em>&lt;workspace namespace&gt;</em> | \
jq -r '.spec.containers[] | select(.name | startswith("theia-ide")).name'</pre>
</div>
</div>
</li>
<li>
<p>Look for a <code>ca-certs</code> ConfigMap inside the workspace namespace:</p>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl get cm ca-certs -n <em>&lt;workspace namespace&gt;</em></pre>
</div>
</div>
</li>
<li>
<p>Check that the entries in the <code>ca-certs</code> ConfigMap contain all the additional entries you added before. In addition, it can contain the reserved <code>ca-bundle.crt</code> entry. View the entries:</p>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl get cm ca-certs -n <em>&lt;workspace namespace&gt;</em> -o json | jq -r '.data | keys[]'
ca-bundle.crt
source-config-map-name.data-key.crt</pre>
</div>
</div>
</li>
<li>
<p>Confirm that the <code>ca-certs</code> ConfigMap is added as a volume in the workspace Pod:</p>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl get -o json pod <em>&lt;workspace pod name&gt;</em> -n <em>&lt;workspace namespace&gt;</em> | \
jq '.spec.volumes[] | select(.configMap.name == "ca-certs")'
{
"configMap": {
"defaultMode": 420,
"name": "ca-certs"
},
"name": "che-self-signed-certs"
}</pre>
</div>
</div>
</li>
<li>
<p>Confirm that the volume is mounted into containers, especially in the Che-Theia IDE container:</p>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl get -o json pod <em>&lt;workspace pod name&gt;</em> -n <em>&lt;workspace namespace&gt;</em> | \
jq '.spec.containers[] | select(.name == "<em>&lt;theia ide container name&gt;</em>").volumeMounts[] | select(.name == "che-self-signed-certs")'
{
"mountPath": "/public-certs",
"name": "che-self-signed-certs",
"readOnly": true
}</pre>
</div>
</div>
</li>
<li>
<p>Inspect the <code>/public-certs</code> folder in the Che-Theia IDE container and check if its contents match the list of entries in the <code>ca-certs</code> ConfigMap:</p>
<div class="listingblock white-space-pre">
<div class="content">
<pre class="nowrap">$ kubectl exec <em>&lt;workspace pod name&gt;</em> -c <em>&lt;theia ide container name&gt;</em> -n <em>&lt;workspace namespace&gt;</em> -- ls /public-certs
ca-bundle.crt
source-config-map-name.data-key.crt</pre>
</div>
</div>
</li>
</ul>
</div>
</div>
</div>
</article>
</div>
</main>
</div>
<script src="../../../../docs/_/js/site.js"></script>
<script async src="../../../../docs/_/js/vendor/highlight.js"></script>
<script src="../../../../docs/_/js/vendor/lunr.js"></script>
<script src="../../../../docs/_/js/search-ui.js" id="search-ui-script" data-site-root-path="../../../.." data-snippet-length="142" data-stylesheet="../../../../docs/_/css/search.css"></script>
<script async src="../../../../search-index.js"></script>
</body>
</html>