docs: Add guidance on obtaining TLS certificates for production use#22037

Draft
nedi-app[bot] wants to merge 1 commit into master from docs/tls-certificate-acquisition

Conversation


@nedi-app nedi-app bot commented Mar 24, 2026

Summary

This PR adds a new "Obtaining TLS Certificates" section to the web server configuration reference documentation. The section provides practical guidance on certificate acquisition options for production Netdata deployments.

Changes

  • Added comprehensive section on certificate acquisition options (Let's Encrypt, Commercial CAs, Internal CAs)
  • Included Netdata-specific certificate requirements (PEM format, paths, permissions)
  • Linked to Certbot for Let's Encrypt setup
  • Cross-referenced existing custom CA certificate documentation
  • Distinguished between self-signed certificates (testing) and CA-signed certificates (production)

Motivation

The existing documentation covered self-signed certificate generation for testing but lacked guidance on obtaining production-ready certificates from trusted Certificate Authorities. This addition helps users properly secure their Netdata instances with valid TLS certificates.

Audit Context

Session Query: what is a key and the certificate and how does one get them

Decision Verdict: surgical_edit

Topic: netdata_tls_certificate_acquisition

Validation Summary: The original answer provided general TLS knowledge but used rsa:4096 instead of Netdata's recommended rsa:2048 with -sha512 for self-signed certificates. This documentation addition addresses the need for production-ready certificate acquisition guidance while maintaining Netdata's performance recommendations.


Summary by cubic

Adds an "Obtaining TLS Certificates" section to the web server configuration docs to help secure production deployments and avoid browser warnings. Explains how to get trusted certs and configure them in Netdata.

  • New Features
    • Covers options: Let's Encrypt (with Certbot), commercial CAs, and internal CAs.
    • Lists Netdata requirements: PEM format, secure paths (e.g., /etc/netdata/ssl), readable by netdata, and example netdata.conf entries.
    • Links to custom CA certificate docs for internal PKI.
    • Clarifies self-signed certs are for testing, not production.

Written for commit acf95a6. Summary will update on new commits.

Add comprehensive guidance on certificate acquisition options for Netdata TLS configuration, including Let's Encrypt, commercial CAs, and internal CAs. Provides practical, actionable information focused on Netdata-specific certificate requirements.
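The PR summary lists the requirements the new docs section spells out: PEM-formatted files under a secure path such as /etc/netdata/ssl, readable by the netdata user, and referenced from the [web] section of netdata.conf via the ssl key and ssl certificate entries. The script below is an added example, not code from this PR or from Netdata's documentation. It assumes openssl is on PATH, that the service account is named netdata (overridable via NETDATA_USER), and it falls back to a scratch directory when not run as root so it can be exercised without touching /etc. The self-signed pair it generates uses the parameters the PR cites (rsa:2048, -sha512) and is for testing only; in production the cert.pem/key.pem files come from Let's Encrypt, a commercial CA or an internal CA, and the same deploy and verification steps apply.

```shell
#!/bin/sh
# Added example, not code from the Netdata PR or its docs.
# Deploys a PEM certificate/key pair the way the PR's summary describes
# (PEM files under /etc/netdata/ssl, readable by the netdata user, referenced
# from the [web] section of netdata.conf) and verifies the pair before use.
# Assumptions: openssl is on PATH; NETDATA_USER defaults to "netdata";
# SSL_DIR falls back to a scratch directory when not running as root.

NETDATA_USER="${NETDATA_USER:-netdata}"
if [ "$(id -u)" -eq 0 ]; then
  SSL_DIR="${SSL_DIR:-/etc/netdata/ssl}"
else
  SSL_DIR="${SSL_DIR:-$(mktemp -d)}"
fi

# Self-signed pair for TESTING only, with the parameters the PR cites
# (rsa:2048, -sha512). A production deployment gets cert.pem/key.pem from
# Let's Encrypt, a commercial CA or an internal CA instead of this step.
make_test_cert() {
  openssl req -newkey rsa:2048 -nodes -sha512 -x509 -days 365 \
    -subj "/CN=netdata.example.test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# True when file $1 is PEM of type $2 ("CERTIFICATE" or "PRIVATE KEY").
pem_type_ok() {
  grep -q "^-----BEGIN .*$2-----" "$1"
}

# True when private key $2 belongs to certificate $1 (their public keys compare equal).
# Catches the common mistake of pairing a renewed certificate with a stale key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# True when file $1 has no "other" permission bits (ls -l columns 8-10 read "---").
key_perms_ok() {
  [ "$(ls -l "$1" | cut -c8-10)" = "---" ]
}

# Copy certificate $2 and key $3 into directory $1 with permissions the netdata
# user can use: cert world-readable, key 0640 owned root:netdata
# (chown only when running as root and the service user exists).
deploy_cert() {
  mkdir -p "$1"
  cp "$2" "$1/cert.pem"
  cp "$3" "$1/key.pem"
  chmod 0644 "$1/cert.pem"
  chmod 0640 "$1/key.pem"
  if [ "$(id -u)" -eq 0 ] && id "$NETDATA_USER" >/dev/null 2>&1; then
    chown "root:$NETDATA_USER" "$1/cert.pem" "$1/key.pem"
  fi
}

# Print the netdata.conf [web] entries that point the agent at the deployed files.
netdata_web_stanza() {
  printf '[web]\n    ssl key = %s/key.pem\n    ssl certificate = %s/cert.pem\n' "$1" "$1"
}

main() {
  work=$(mktemp -d)
  make_test_cert "$work" || { echo "certificate generation failed" >&2; return 1; }
  deploy_cert "$SSL_DIR" "$work/cert.pem" "$work/key.pem"
  rm -rf "$work"
  pem_type_ok "$SSL_DIR/cert.pem" CERTIFICATE || { echo "cert.pem is not a PEM certificate" >&2; return 1; }
  pem_type_ok "$SSL_DIR/key.pem" "PRIVATE KEY" || { echo "key.pem is not a PEM private key" >&2; return 1; }
  key_matches_cert "$SSL_DIR/cert.pem" "$SSL_DIR/key.pem" || { echo "key does not match certificate" >&2; return 1; }
  key_perms_ok "$SSL_DIR/key.pem" || { echo "key.pem is world-readable" >&2; return 1; }
  netdata_web_stanza "$SSL_DIR"
}

main
```

Run as root on a host with the netdata user to install into /etc/netdata/ssl; as an unprivileged user it stages everything in a temporary directory and prints the [web] stanza to paste into netdata.conf. For CA-issued files, replace the make_test_cert step with the certificate and key the CA delivered and keep the deploy and verification steps; the key/certificate match check is the one that most often catches a renewal that copied only one of the two files.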

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.
Architecture diagram
sequenceDiagram
    participant Admin as System Administrator
    participant CA as Certificate Authority (LE/Commercial/Internal)
    participant FS as Filesystem (/etc/netdata/ssl)
    participant Agent as Netdata Agent
    participant Browser as Web Browser / Client

    Note over Admin,CA: NEW: Production Certificate Acquisition
    Admin->>CA: Request TLS Certificate (ACME/CSR)
    CA-->>Admin: Issue PEM formatted Certificate & Private Key

    Note over Admin,FS: NEW: Secure Deployment
    Admin->>FS: Store cert.pem & key.pem in secure directory
    Admin->>FS: CHANGED: Set permissions for 'netdata' user access

    Note over Admin,Agent: NEW: Configuration (netdata.conf)
    Admin->>Agent: Define [web] 'ssl key' and 'ssl certificate' paths
    Agent->>Agent: Reload/Restart service

    Note over Browser,Agent: Runtime HTTPS Flow
    Browser->>Agent: Initiate HTTPS Request (TLS Handshake)
    Agent->>FS: Load configured PEM files
    Agent-->>Browser: Present CA-signed Certificate

    alt NEW: Trusted Production Flow (Valid CA)
        Browser->>Browser: Validate against Trusted Root Store
        Browser-->>Agent: Secure Session Established (No Warning)
    else Legacy/Testing Flow (Self-Signed)
        Browser->>Browser: Detect untrusted issuer
        Browser-->>Admin: Display Security Warning
    end

    Agent-->>Browser: Encrypted Dashboard Data (via TLS)