- Notifications
You must be signed in to change notification settings - Fork100
Fix: clarify managed v. deployed certs#291
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:main
Are you sure you want to change the base?
Uh oh!
There was an error while loading.Please reload this page.
Conversation
✅ Deploy Preview will be available once build job completes!
|
7fc0462 toe0a508fCompareUh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
| You can remove adeployed certificate from an independent instance or from a Config Sync Group. This will remove the certificate's association with theinstance or group, but it does not delete the certificate files from theinstance(s). | ||
| You can remove amanaged certificate from an independent instance or from a Config Sync Group. This will remove the certificate's association with theInstance or group, but it does not delete the certificate files from theInstance(s). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| You can remove a managed certificate froman independent instance orfrom aConfig Sync Group.Thiswill remove the certificate's association withtheInstance or group, but it does notdelete thecertificate files from theInstance(s). | |
| From the configuration editor where you normally modify NGINX configuration files ofan independent instance orConfig Sync Group, you can click on the "delete" icon of a managed certificate object that was previously deployed to the instance orConfig Sync Group.You should be able to see the file paths where it was deployed to. Deleting the managed certificate from the NGINX configuration editorwill remove the certificate files from those file paths. Ifthecertificate object is a certificate-key pair, and the private key was deployed, you could optionally choose todelete thedeployed key from theindependent instance or Config Sync Group, by clicking on the "delete" icon next to the private key file. |
Here is a rough summary of what users could do. Feel free to change the wording and improve this paragraph further! : )
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| You canremove amanagedcertificate from an independent instance or from a Config Sync Group. This will removethecertificate's association with the Instance or group, but it does not delete the certificate files from the Instance(s). | |
| You candeletemanagedcertificates inthefollowing ways: | |
| - Navigate to[View and edit NGINX configurations]({{< relref "/nginx-one/how-to/nginx-configs/view-edit-nginx-configurations/" >}}) | |
| - You can then delete the certificate from the Instance of your choice. | |
| - Navigate to[Manage Config Sync Groups]({{< relref "/nginx-one/how-to/config-sync-groups/manage-config-sync-groups" >}}) | |
| - You can then delete the certificate from the Config Sync Group of your choice. | |
| - Review the list of existing certificates | |
| - From the **Actions** menu, you can then delete that certificate |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
- Review the list of existing certificates
- From theActions menu, you can then delete that certificate
This would be incorrect. The "Actions" menu is from the cert management page, where users can choose to delete a certificate object from N1 Console. However, the contexts here are that users can remove a deployed certificate file from an instance or a CSG. If users want to remove a cert deployment from a specific instance or CSG, they should only be able to do that through the config editor (where users edit NGINX configuration for an instance or a CSG). It would also be helpful to clarify that when users click on the delete icon from the config editor, they would delete the deployed certificate or key file fromspecific file paths.
- Navigate to [Manage Config Sync Groups]({{< relref "/nginx-one/how-to/config-sync-groups/manage-config-sync-groups" >}})
- You can then delete the certificate from the Config Sync Group of your choice.
https://frontdoor-test-docs.nginx.com/previews/docs/291/nginx-one/how-to/nginx-configs/manage-config-sync-groups/
In addition, I wasn't able to find any instructions on how users could delete the certificate from a Config Sync Group in this page, so this could be confusing to the reader.
I'm thinking that deleting a certificate file is a special case for deleting an aux file. Since we have a page that documents how to add a file, should we also add a new page that documents how to remove a file? That might be easier in comparison to trying to fit all the details into a small section in the cert management doc.
https://frontdoor-test-docs.nginx.com/previews/docs/291/nginx-one/how-to/nginx-configs/add-file/
https://frontdoor-test-docs.nginx.com/previews/docs/291/nginx-one/how-to/config-sync-groups/add-file-csg/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Thank you for opening a new PR to address this. The new changes look good!
| Everyinstance with adeployedcertificate includes paths to certificates in their configuration files. If you removethe deployed file path toone certificate, that change is limited to that oneinstance. | ||
| EveryInstance with a certificate includes paths to certificates in their configuration files. If you remove one certificate, that change is limited to that oneInstance. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| Every Instance with acertificateincludes pathstocertificatesintheirconfigurationfiles. If youremoveone certificate, that change is limited to that one Instance. | |
| For a managedcertificatethat was deployed from the consoletoyour data plane instance, you might have chosen to reference the certificateinthe NGINXconfigurationfile, using the file paths specified in the certificate deployment. You can choose toremovethose certificate references from the NGINX configuration file through the console. This will not affect the deployed certificate on your data plane instance. The certificate and private key files if deployed, will remain on the data plane instance. | |
| If you would like to delete those certificate and private key files from your data plane, follow the instructions above and click on the "delete" icon next to those files in the NGINX configuration editor. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Hi@mjang, just checking in, what are your thoughts on this part of the doc?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I'd like to avoid references to "Data Plane", as we'll soon incorporateNGF data planes in N1C.
In any case, I think this is superseded byhttps://github.com/nginx/documentation/pull/291/files#diff-2445ce44d5814d8ceb795a09fa3672417a9d86c176326cf9ecbc3036b8fc5702R170-R178
Uh oh!
There was an error while loading.Please reload this page.
Co-authored-by: Sylvia Wang <139922338+sylwang@users.noreply.github.com>
Co-authored-by: Sylvia Wang <139922338+sylwang@users.noreply.github.com>
Co-authored-by: Sylvia Wang <139922338+sylwang@users.noreply.github.com>
59aab3b to6463be3Compare| ## Delete a deployed certificate | ||
| Every Config Sync Group also includes paths to managed certificates in its configuration files. If you remove a managed certificate to a Config Sync Group, that change affects all instances which belong to that Config Sync Group. | ||
| ## Delete a managed certificate | ||
| To delete a certificate, find the name in the **Certificates** screen. Find the **Actions** column associated with the certificate. Select the ellipsis (`...`) and then select **Delete**. Before deleting that certificate, you should see a warning. | ||
| If that certificate is managed and is part of a Config Sync Group, that change affects all instances in that group. | ||
| {{< warning >}} Be cautious if you want to delete certificates that are being used by an instance or a Config Sync Group. Deleting such certificates leads to failure in affected NGINX deployments. {{< /warning >}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
The only case when it would lead to publication failures for the instance or CSG associated with a certificate, is when users choose to delete a deployed certificate. Let's remove this warning from this section and add it to the section "Deleted a deployed certificate".
| @@ -155,22 +161,36 @@ You can modify existing certificates from the **Certificates** screen. Select th | |||
| If that certificate is already managed as part of a Config Sync Group, the changes you make affect all instances in that group. | |||
| ##Remove a deployed certificate | |||
| ##Delete a deployed certificate | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
The warning
{{< warning >}} Be cautious if you want to delete certificates that are being used in the NGINX configuration of an instance or a Config Sync Group. Deleting deployed certificates can lead to publication failure in affected NGINX instances or Config Sync Groups. {{< /warning >}}
should be added for this section.
| You can remove a deployed certificate from an independent instance or from a Config Sync Group. This will remove the certificate's association with the instance or group, but it does not delete the certificate files from the instance(s). | ||
| You can remove a deployed certificate from an independent instance or from a Config Sync Group. This action also deletes the certificate files or certificate-key pairs from the data plane Instance(s). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| You can remove a deployed certificate from an independent instance or from a Config Sync Group. This actionalsodeletes the certificate files or certificate-key pairs from the data plane Instance(s). | |
| You can remove a deployed certificate from an independent instance or from a Config Sync Group. This action deletes the CA certificate files or certificate-key pairs from the data plane Instance(s). |
| ## Delete a deployed certificate | ||
| Every Config Sync Group also includes paths to managed certificates in its configuration files. If you remove a managed certificate to a Config Sync Group, that change affects all instances which belong to that Config Sync Group. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| Every Config Sync Groupalso includes paths to managed certificates in its configuration files. If you remove a managed certificate to a Config Sync Group, that change affects all instances which belong to that Config Sync Group. | |
| Everyinstance orConfig Sync Groupmight include paths to managed certificates in its configuration files. If you remove a managed certificate to a Config Sync Group, that change affects all instances which belong to that Config Sync Group. |
Proposed changes
Closes#256
Checklist
Before merging a pull request, run through this checklist and mark each as complete.
README.mdandCHANGELOG.mdFootnotes
Potentially sensitive changes include anything involving code, personally identify information (PII), live URLs or significant amounts of new or revised documentation. Please refer toour style guide for guidance about placeholder content.↩