Che: What is the easy way to get Che CA cert for end-user

/cc @mmorhun

@sleshchenko that's interesting issue.
As about possible ways to resolve. First what comes into my mind is to create new chectl command which will retrieve CA certificate (as chectl has cluster wide rights) and write it into a file which could be imported into a browser. Downside of it is that only cluster admins will be able to use this approach.

I also do not mind about Che master endpoint to serve the public part of CA certificate. But you mentioned some security issues there, could you please elaborate on them?

Also we may retrieve public part of Che server certificate by just querying it (we may use chectl without admin rights for the cluster, for example). But I am not sure that this is the best idea. The good way to go is using CA public certificate as Che servers's one might be renewed after some time and this will force users to redo the procedure again and again.

I also do not mind about Che master endpoint to serve the public part of CA certificate. But you mentioned some security issues there, could you please elaborate on them?

I can imagine a situation when the attacker owns the network which you use and replaces some endpoints, like Che one.
Then they will be able to let you download any self-signed CA they need, after you import it into a browser - all attacker endpoints will be trusted for you.
I'm not sure it's technically possible or even makes sense. It's just my imagination
@skryzhny You know more about networks, do you think it's safe to server public CA cert via CHe Server?

Also we may retrieve public part of Che server certificate by just querying it (we may use chectl without admin rights for the cluster, for example). But I am not sure that this is the best idea.

Maybe I do something wrong but Firefox does not allow to import end (CA:false) certificate. Could you recheck it on your side?

I can imagine a situation when the attacker owns the network which you use and replaces some endpoints, like Che one.

Then retraiving the certificate by querying Che server is not safe too.

In this case the only secure way is to pass the CA public certificate directly to the users. And this would be task of Che server administrator.

We can't determine if user trusts network or not.
Only thing I can imagine - create a web-page that contains a download link to CA and warning about possible risks if user accesses that page over untrusted network.

Probably it should be only page that serves unencrypted traffic.

@sleshchenko
we added chectl cacert:export command to retrieves Eclipse Che self-signed certificate.
Does it solve your issue?

Does it solve your issue?

I think so.
Fixed by https://github.com/che-incubator/chectl/pull/669