Securing communication with TLS

In DC/OS open source, you can set up secure HTTPS communication using a custom server certificate with your DC/OS cluster by setting up a proxy between the Admin Router and user agent requests coming in from outside of the cluster.

In DC/OS Enterprise `permissive` and `strict` security modes, your DC/OS Certificate Authority signs the TLS certificates and provisions them to systemd-started services during the bootstrap sequence, so communications are encrypted with no manual intervention. Each DC/OS cluster has its own DC/OS Certificate Authority and a unique root certificate, which isolates DC/OS clusters from each other: a certificate issued by one cluster's CA is not trusted by another.

Because your DC/OS Certificate Authority does not appear in any list of publicly trusted certificate authorities, requests coming in from outside the cluster, such as from a browser or `curl`, will produce certificate warnings (or, for clients that verify strictly, fail outright).

To establish trusted communications with your DC/OS cluster and stop the warning messages:

  1. Obtain the root certificate of your DC/OS CA.

  2. Do one of the following:

    • Manually add your DC/OS Certificate Authority as a trusted authority in browsers, the DC/OS CLI, `curl` commands, and other clients.

    • Set up a proxy between the Admin Router and user agent requests coming in from outside of the cluster, and present a certificate from a CA those clients already trust.

Configuring HAProxy in Front of Admin Router

You can use HAProxy to set up an HTTP proxy in front of the DC/OS Admin Router. For example, this is useful if you want to present a custom server certificate to user agents connecting to the cluster via HTTPS. DC/OS does not currently support adding your own certificates directly into Admin Router.

Obtaining the DC/OS CA bundle

ENTERPRISE

To ensure that you are communicating with your DC/OS cluster and not another, potentially malicious, party, you must obtain the appropriate trust anchor. This trust anchor is part of the DC/OS CA bundle, which is a collection of root CA certificates. In the simplest case, it contains just one item: the root CA certificate corresponding to the DC/OS certificate authority. You can obtain the DC/OS CA bundle using one of several methods.

Configuring browsers to trust your DC/OS CA

ENTERPRISE

How to configure Chrome and Firefox to trust your DC/OS CA.

Configuring the DC/OS CLI to trust your DC/OS CA

ENTERPRISE

By default, the DC/OS CLI does not verify the signer of TLS certificates. We recommend completing the following brief procedure to ensure that the DC/OS CLI trusts only your DC/OS CA and refuses connections to any other party.

Establishing trust in your curl commands

ENTERPRISE

If you have not set up a proxy, you should use `--cacert dcos-ca.crt` in your `curl` commands in `permissive` and `strict` security modes, where `dcos-ca.crt` is the DC/OS CA bundle you obtained, so that `curl` verifies the cluster's certificate against your DC/OS CA rather than disabling verification.

Certificate Authority API

ENTERPRISE

The Certificate Authority API allows you to view the TLS certificates used by DC/OS Enterprise, create Certificate Signing Requests (CSRs), and have the DC/OS CA sign CSRs.