When I bought my new workstation - those Ryzen beasts are FAST! - I decided I would build my new lab properly, and by properly, I meant with proper SSL certificates for all apps.
So I set up Red Hat IdM on a simple VM, and then imported the CA into my browser. From that point on, all of my lab VMs are now running with a certificate signed by that CA. Nice green lock icons in my browser. Yay!
I’ve built a RHV cluster, a Satellite 6 machine, with two Capsules, an Ansible Tower node, and more infrastructure, just to play with, all with proper certificates signed by my IdM CA.
The last hurdle was to set up Cockpit on all my VMs, and use a proper certificate for that as well.
For ‘normal’ VMs, that's fairly easy, but my Capsules (and the Satellite itself) have processes that try to bind to the same port as Cockpit.
The workaround is simple and solid, and I’m documenting it here for posterity:
First, you install the Cockpit software itself:
But because Cockpit needs to bind on another port, we will override its unit file (as root):
We need to open a port for Cockpit to be reachable from the outside:
And tell SELinux to actually allow Cockpit to bind to that port, too:
Finally, we’ll use the Capsule's certificate and private key (I stored them in /etc/capscerts) to create a single file that Cockpit will use (as root):
Finally, we restart the Cockpit socket:
And we’re done!
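The steps above, put together as one script. This is an added example, not the commands from the original post: it moves the Cockpit socket to another port, opens and labels that port, and builds the combined certificate file with permissions that keep the private key away from other users. Assumptions: port 9091, the file names `capsule.crt` and `capsule.key` in /etc/capscerts, and the names `listen.conf` and `50-capsule.cert`.

```shell
#!/bin/bash
# Added example. Assumed values (not from the post): port 9091, the file names
# inside /etc/capscerts, and the drop-in / certificate file names used below.
PORT="${PORT:-9091}"
CERT="${CERT:-/etc/capscerts/capsule.crt}"
KEY="${KEY:-/etc/capscerts/capsule.key}"

# Print the cockpit.socket drop-in. The empty ListenStream= clears the
# default listener first; without it systemd would still try to bind 9090.
socket_override() {
    printf '[Socket]\nListenStream=\nListenStream=%s\n' "$1"
}

# Concatenate certificate and private key into the single file Cockpit reads.
# Rejects inputs that are not PEM and creates the output with mode 0600.
build_cockpit_cert() {
    local cert="$1" key="$2" out="$3"
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "not a PEM certificate: $cert" >&2; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "not a PEM private key: $key" >&2; return 1; }
    ( umask 077 && rm -f "$out" && cat "$cert" "$key" > "$out" )
}

apply_all() {
    yum -y install cockpit
    mkdir -p /etc/systemd/system/cockpit.socket.d
    socket_override "$PORT" > /etc/systemd/system/cockpit.socket.d/listen.conf
    firewall-cmd --permanent --add-port="${PORT}/tcp"
    firewall-cmd --reload
    # websm_port_t is the SELinux port type Cockpit is allowed to bind to
    semanage port -a -t websm_port_t -p tcp "$PORT"
    build_cockpit_cert "$CERT" "$KEY" /etc/cockpit/ws-certs.d/50-capsule.cert
    # The file holds the private key: readable by root and cockpit-ws only
    chown root:cockpit-ws /etc/cockpit/ws-certs.d/50-capsule.cert
    chmod 0640 /etc/cockpit/ws-certs.d/50-capsule.cert
    systemctl daemon-reload
    systemctl restart cockpit.socket
}

# Only touch the system when explicitly asked: ./cockpit-port.sh apply
if [ "${1:-}" = "apply" ]; then
    set -e
    apply_all
fi
```

Run it as root with the `apply` argument; without it the script only defines the functions and changes nothing.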