In DC/OS open source, you can set up secure HTTPS communication using a custom server certificate with your DC/OS cluster by setting up a proxy between the Admin Router and user agent requests coming in from outside of the cluster.
In DC/OS Enterprise strict security modes, your DC/OS Certificate Authority signs the TLS certificates and provisions them to systemd-started services during the bootstrap sequence. This accomplishes encrypted communications with no manual intervention. Each DC/OS cluster has its own DC/OS Certificate Authority and a unique root certificate to protect DC/OS clusters from each other.
Because your DC/OS Certificate Authority does not appear in any lists of trusted certificate authorities, requests coming in from outside the cluster, such as from a browser or curl, will result in warning messages.
To establish trusted communications with your DC/OS cluster and stop the warning messages, perform one of the following.
Configuring HAProxy in Front of Admin Router
You can use HAProxy to set up an HTTP proxy in front of the DC/OS Admin Router. For example, this can be useful if you want to present a custom server certificate to user agents connecting to the cluster via HTTPS. DC/OS does not currently support adding your own certificates directly into Admin Router.
Obtaining the DC/OS CA bundle
To ensure that you are communicating with your DC/OS cluster and not another potentially malicious party, you must obtain the appropriate trust anchor. This trust anchor is part of the DC/OS CA bundle, which is a collection of root CA certificates. In the simplest case, it just contains one item: the root CA certificate corresponding to the DC/OS certificate authority. You can obtain the DC/OS CA bundle using one of these methods:
Configuring browsers to trust your DC/OS CA
How to configure Chrome and Firefox to trust your DC/OS CA.
Configuring the DC/OS CLI to trust your DC/OS CA
By default, the DC/OS CLI does not verify the signer of TLS certificates. We recommend completing the following brief procedure to ensure that the DC/OS CLI trusts only your DC/OS CA and refuses connections with other parties.
Establishing trust in your curl commands
If you have not set up a proxy, you should use `--cacert dcos-ca.crt` in your curl commands in `permissive` and `strict` security modes.
Certificate Authority API
The Certificate Authority API allows you to view the TLS certificates used by DC/OS Enterprise, create Certificate Signing Requests (CSRs), and have the DC/OS CA sign CSRs.