Securing communication with TLS

ENTERPRISE

In permissive and strict security modes, your DC/OS certificate authority (CA) signs the TLS certificates and provisions them to systemd-started services during the bootstrap sequence. This accomplishes encrypted communications with no manual intervention. Each DC/OS cluster has its own DC/OS CA and a unique root certificate.

Because your DC/OS CA does not appear in any lists of trusted certificate authorities, requests coming in from outside the cluster, such as from a browser or curl, will result in warning messages. To establish trusted communications with your DC/OS cluster and stop the warning messages:

  1. Obtain the DC/OS CA bundle.

  2. Perform one of the following:

Configuring HAProxy in Front of Admin Router

You can use HAProxy to set up an HTTP proxy in front of the DC/OS Admin Router. For example, this can be useful if you want to present a custom server certificate to user agents connecting to the cluster via HTTPS. DC/OS does not currently support adding your own certificates directly into Admin Router.

Using a Custom CA Certificate

ENTERPRISE

Each DC/OS Enterprise cluster has its own DC/OS certificate authority (CA). By default, that CA uses a globally unique root CA certificate generated during the installation of DC/OS. That root CA certificate is used for signing certificates for the components of DC/OS, such as Admin Router. In lieu of using the auto-generated root CA certificate, you can configure DC/OS Enterprise to use a custom CA certificate, which is either a root CA certificate or an intermediate CA certificate (see examples below).

Obtaining the DC/OS CA bundle

ENTERPRISE

To ensure that you are communicating with your DC/OS cluster and not another, potentially malicious, party, you must obtain the appropriate trust anchor. This trust anchor is part of the DC/OS CA bundle, which is a collection of root CA certificates. In the simplest case, it contains just one item: the root CA certificate corresponding to the DC/OS certificate authority. You can obtain the DC/OS CA bundle using one of the methods described on that page.

Configuring browsers to trust your DC/OS CA

ENTERPRISE

How to configure Chrome and Firefox to trust your DC/OS CA.

Configuring the DC/OS CLI to trust your DC/OS CA

ENTERPRISE

By default, the DC/OS CLI does not verify the signer of TLS certificates. We recommend completing the following brief procedure to ensure that the DC/OS CLI trusts only your DC/OS CA and refuses connections with other parties.

Establishing trust in your curl commands

ENTERPRISE

If you have not set up a proxy, you should use `--cacert dcos-ca.crt` in your curl commands in `permissive` and `strict` security modes.

Certificate Authority API

ENTERPRISE

The Certificate Authority API allows you to view the TLS certificates used by DC/OS Enterprise, create Certificate Signing Requests (CSRs), and have the DC/OS CA sign CSRs.