Cockpit - installation and certificates

Installing Cockpit

Instructions are for Ubuntu 17.04 onwards.

Run -

sudo apt-get install cockpit

Cockpit uses port 9090, which you will need to allow through the firewall.

sudo ufw allow 9090

To make the Cockpit web interface start automatically after system boot, cockpit.socket needs to be enabled. Only systems that you connect to directly with your browser need cockpit.socket enabled. To do so, run -

sudo systemctl enable cockpit.socket

Certificates

When using Cockpit, if you do not provide your own certificates, it will generate its own self-signed certificate. This still encrypts the connection, but browsers cannot verify the server's identity and will show a warning, so it does not create a completely secure HTTPS connection. If you already have Let's Encrypt certificates generated by Certbot, you can use this method to make Cockpit use them. It all revolves around a bash script and cron.

updateCockpitCert.sh - to use this file, replace the value of FQDN with your domain name, as found at /etc/letsencrypt/live/. After using this for the first time, you should rename the self-signed certificate in /etc/cockpit/ws-certs.d to a file extension that isn't .cert (e.g. 0-self-signed.cert to 0-self-signed.cert.off).

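#!/bin/bash
# Stop at the first failing command so the final message is only printed on success
set -e

FQDN="www.tdpain.net"
DATE=$(date)

# Copy files
cd /etc/cockpit/ws-certs.d
# The combined file holds the private key: create it without access for other users
umask 027
# fullchain.pem includes the intermediate certificates clients need to validate the chain
cat /etc/letsencrypt/live/"$FQDN"/fullchain.pem > "$FQDN".cert
cat /etc/letsencrypt/live/"$FQDN"/privkey.pem >> "$FQDN".cert
# Cockpit's web service reads the file through the cockpit-ws group
chgrp cockpit-ws "$FQDN".cert
chmod 640 "$FQDN".cert
# Restart cockpit for changes to take effect
systemctl restart cockpit

echo "${DATE}: Cockpit cert updated successfully"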

Cron entry:

5 */12 * * * sudo bash /path/to/updateCockpitCert.sh >> /path/to/CockpitCertUpdate.log 2>&1

This will run at 5 minutes past every 12th hour (00:05 and 12:05), which is 5 minutes after Certbot's automated certificate renewal runs.
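
One way to check the combined file that the script writes, as an added example that is not part of the original page or of Cockpit itself: it confirms that the certificate and private key in the .cert file belong together, that the certificate is not about to expire, and that the file is not accessible to other users. The function name, the exit codes and the 7-day default are assumptions.

```shell
#!/bin/sh
# Added example: validate a combined Cockpit certificate file.
# Usage: sh check_cockpit_cert.sh /etc/cockpit/ws-certs.d/<FQDN>.cert [min_days]
# Function name, exit codes and the 7-day default are assumptions.

check_cockpit_cert() (
    file=$1
    min_days=${2:-7}

    [ -r "$file" ] || { echo "cannot read $file" >&2; exit 2; }

    # Public key advertised by the first certificate in the file.
    cert_pub=$(openssl x509 -in "$file" -noout -pubkey 2>/dev/null) ||
        { echo "no parsable certificate in $file" >&2; exit 3; }

    # Public key derived from the private key block appended after it.
    key_pub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$file" |
        openssl pkey -pubout 2>/dev/null) || key_pub=
    [ -n "$key_pub" ] || { echo "no parsable private key in $file" >&2; exit 4; }

    # A TLS handshake cannot succeed if the key does not belong to the certificate.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate and private key do not match" >&2; exit 5; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$file" -noout -checkend "$((min_days * 86400))" >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; exit 6; }

    # The file holds the private key, so "other" must have no access.
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        *0) ;;
        *) echo "$file is accessible to all users (mode $mode)" >&2; exit 7 ;;
    esac

    echo "OK: $file"
)

if [ "$#" -gt 0 ]; then
    check_cockpit_cert "$@"
fi
```

Run it as root after the update script; a non-zero exit code identifies which check failed.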


Source - https://www.schotty.com/EL_And_Fedora/EL7_Cockpit/