

Configuring TLS certificates and Certificate Authorities

User provided Certificate Authorities

You can provide additional Certificate Authorities (CA) certs at install time using the --ssl-ca flag. Depending on your host and network configuration, you may need to provide multiple certs, which is fully supported.

./gigactl install hub --backend docker --license-file ./gigantum.lic --settings-file ./settings.yaml --ssl-ca ./ca1.pem
./gigactl install hub --backend docker --license-file ./gigantum.lic --settings-file ./settings.yaml --ssl-ca ./ca1.pem --ssl-ca ./ca2.pem --ssl-ca ./ca3.pem

You can also combine multiple certs into a single file. During the install process, gigactl will automatically split the file up and install the certs into every necessary container for you.
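As an added illustration, not gigactl's own code, of what the install step does when it splits a combined CA file: this Python snippet splits a PEM bundle into individual certificate blocks, normalises line endings, and flags content that should not be in a --ssl-ca file, such as a private key. The bundle and the block bodies are constructed placeholders, not real certificates.

```python
import re

# Constructed sample bundle: placeholder bodies, not real certificates.
# It mixes LF and CRLF line endings, a comment line between blocks,
# and a private key that was pasted in by mistake.
BUNDLE = (
    "# corporate root CA\n"
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER-ROOT-CA-BODY\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "PLACEHOLDER-INTERMEDIATE-CA-BODY\r\n"
    "-----END CERTIFICATE-----\r\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "PLACEHOLDER-KEY-MATERIAL\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# One PEM block: the END label must match the BEGIN label (backreference).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def split_pem_bundle(text):
    """Return (label, body) for every well-formed PEM block in text.
    Bodies are CRLF-normalised and stripped of surrounding whitespace."""
    return [(m.group(1), m.group(2).replace("\r\n", "\n").strip())
            for m in PEM_BLOCK.finditer(text)]


def canonical_cert(body):
    """Re-emit a certificate body as a canonical LF-terminated PEM block."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def check_ca_bundle(text):
    """Split a user-provided CA bundle and report what should not be there.
    Returns (certs, problems): certs are canonical CERTIFICATE blocks ready
    to be written out one per file; problems are human-readable findings."""
    blocks = split_pem_bundle(text)
    certs = [canonical_cert(body) for label, body in blocks if label == "CERTIFICATE"]
    problems = []
    for label, _ in blocks:
        if "PRIVATE KEY" in label:
            # A CA bundle is copied into every container; a key must never ride along.
            problems.append("private key found in CA bundle; remove it")
        elif label != "CERTIFICATE":
            problems.append("unexpected PEM block: " + label)
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("unterminated or mismatched PEM block")
    if not certs:
        problems.append("no certificates found")
    return certs, problems
```

Run check_ca_bundle on a bundle before passing it to --ssl-ca; an empty problems list means every block is a terminated CERTIFICATE block.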

An important point: all user-provided CAs must also be added to your host's trust store during the installation, because during the install process gigactl makes requests to internal APIs that could otherwise fail TLS verification, depending on your configuration.

In addition, remember that every Client that connects to the server will also need these CA(s) configured. This is commonly the case when your network has an internally managed corporate root CA or an SSL-inspecting firewall.

User provided SSL Certificate

When installing a server, the paths to an SSL certificate and private key can be provided with the --ssl-cert and --ssl-cert-keys arguments, respectively. This certificate will then be used for the server ingress.

Note that depending on how you issued the certificate and on the configuration of the host systems that run the Client and connect to the server, SSL verification errors may occur when using the Client or Gigantum Desktop. If they do, try providing the entire certificate chain as one file using the --ssl-cert argument at install time.

Also, remember that if the certificate was issued from a non-publicly recognized CA, you will need to provide that CA to the server installation and all Clients.

Self-signed SSL Certificates

When installing a server, a self-signed certificate can be automatically created and used. This is a quick way to get running, but it is generally discouraged outside testing and development.

You will need to complete extra steps to use the server, as outlined in the Working with a Self-Signed Team Server section.

Automatic SSL Certificates using Let's Encrypt

If not using self-signed or user provided certificates, gigactl will automatically try to provision a certificate using Let's Encrypt. This process requires that port 80 is reachable from the public internet during the installation process for Let's Encrypt to complete the ACME challenge while issuing the certificate.