[ARVADOS] updated: 261fe4c689858952b19991e0055eda669ab144af

git at public.curoverse.com git at public.curoverse.com
Thu Aug 6 15:48:54 EDT 2015


Summary of changes:
 doc/install/install-manual-prerequisites.html.textile.liquid | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

       via  261fe4c689858952b19991e0055eda669ab144af (commit)
      from  427d9052d59ca7819acba9fb2e5f381d3e44a53e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 261fe4c689858952b19991e0055eda669ab144af
Author: Brett Smith <brett at curoverse.com>
Date:   Thu Aug 6 15:48:24 2015 -0400

    Haha, no seriously, don't deploy Workbench with snakeoil certs.
    
    No issue #.

diff --git a/doc/install/install-manual-prerequisites.html.textile.liquid b/doc/install/install-manual-prerequisites.html.textile.liquid
index bca1699..52a51a1 100644
--- a/doc/install/install-manual-prerequisites.html.textile.liquid
+++ b/doc/install/install-manual-prerequisites.html.textile.liquid
@@ -87,7 +87,16 @@ There are six public-facing services that require an SSL certificate. If you do
 
 {% include 'notebox_begin' %}
 
-Users will probably not be able to upload data through Workbench if you use self-signed certificates.  Web browsers will not upload data unless they can verify the authenticity of the API server and Keepproxy SSL certificates.
+Most Arvados clients and services will accept self-signed certificates when the @ARVADOS_API_HOST_INSECURE@ environment variable is set to @true at .  However, web browsers generally do not make it easy for users to accept self-signed certificates from Web sites.
+
+Users who log in through Workbench will visit three sites: the SSO server, the API server, and Workbench itself.  When a browser visits each of these sites, it will warn the user if the site uses a self-signed certificate, and the user must accept it before continuing.  This procedure usually only needs to be done once in a browser.
+
+After that's done, Workbench includes JavaScript clients for other Arvados services.  Users are usually not warned if these client connections are refused because the server uses a self-signed certificate, and it is especially difficult to accept those cerficiates:
+
+* JavaScript connects to the Websockets server to provide incremental page updates and view logs from running jobs.
+* JavaScript connects to the API and Keepproxy servers to upload local files to collections.
+
+In sum, Workbench will be much less pleasant to use in a cluster that uses self-signed certificates.  You should avoid using self-signed certificates unless you plan to deploy a cluster without Workbench; you are deploying only to evaluate Arvados as an individual system administrator; or you can push configuration to users' browsers to trust your self-signed certificates.
 
 {% include 'notebox_end' %}
 

-----------------------------------------------------------------------


hooks/post-receive
-- 




More information about the arvados-commits mailing list