N1C CSG unmanaged certificates #1597
+134
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,115 @@ | ||||||||||
| --- | ||||||||||
| nd-content-type: concept | ||||||||||
| nd-docs: DOCS-000 | ||||||||||
| nd-product: NONECO | ||||||||||
| title: Unmanaged certificates in Config Sync Groups | ||||||||||
| toc: true | ||||||||||
| weight: 200 | ||||||||||
| --- | ||||||||||
|
|
||||||||||
| ## Overview | ||||||||||
|
|
||||||||||
| Unmanaged certificates are SSL/TLS certificates that you install and manage manually on NGINX instances. Unlike managed certificates that are uploaded and distributed through the NGINX One Console, unmanaged certificates are installed directly on individual instances and referenced by their file paths in NGINX configuration files. You are responsible for distributing, updating, and maintaining these certificates across your infrastructure. | ||||||||||
|
|
||||||||||
| ### Unmanaged certificates in Config Sync Groups | ||||||||||
|
Contributor
There was a problem hiding this comment. Markdown format rule (look up MD022)
Suggested change
|
||||||||||
| Config Sync Groups (CSGs) in NGINX One Console ensure configuration consistency across connected NGINX instances. While managed certificates uploaded through the Console are automatically synchronized and tracked, unmanaged certificates follow a different model that provides visibility without automated management. | ||||||||||
|
Contributor
There was a problem hiding this comment. Moving phrase to the start of the next paragraph.
Suggested change
|
||||||||||
|
|
||||||||||
| When you use unmanaged certificates in a CSG, NGINX One Console does not synchronize the certificate files themselves. However, it tracks their metadata to help you verify consistency across instances and understand the state of your certificates. | ||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||
|
|
||||||||||
| ## How unmanaged certificates work in Config Sync Groups | ||||||||||
|
|
||||||||||
|
Contributor
There was a problem hiding this comment. Suggestion (not a requirement): add an intro to the subsections that follow:
Suggested change
|
||||||||||
| ### Certificate tracking and visibility | ||||||||||
|
|
||||||||||
| When you use unmanaged certificates in a Config Sync Group: | ||||||||||
|
|
||||||||||
| - The NGINX Agent collects certificate metadata from each instance | ||||||||||
| - The Console displays unmanaged certificates based on their file paths and metadata | ||||||||||
| - Certificate consistency is determined by comparing certificate contents and file paths across instances | ||||||||||
|
|
||||||||||
| ### Consistent certificates | ||||||||||
|
|
||||||||||
| When all instances in a CSG reference identical certificate files with the same file paths: | ||||||||||
|
|
||||||||||
| - Their contents and metadata match across all instances | ||||||||||
| - The CSG displays a single unmanaged certificate entry for that file path | ||||||||||
|
|
||||||||||
| ### Inconsistent certificates | ||||||||||
|
|
||||||||||
| If certificate contents differ between instances, even when file paths are the same: | ||||||||||
|
|
||||||||||
| - Each unique certificate appears as a separate unmanaged entry in the Console | ||||||||||
| - Certificates are identified by their content and associated instance | ||||||||||
| - The CSG displays separate certificate entries in the configuration | ||||||||||
|
|
||||||||||
| If certificate file paths differ between instances: | ||||||||||
|
Contributor
There was a problem hiding this comment. If it's actually CSG publication that may fail, I suggest revising this to:
Suggested change
|
||||||||||
|
|
||||||||||
| - CSG publication may fail | ||||||||||
|
Contributor
There was a problem hiding this comment. Just checking. Is it CSG or certificate publication that can fail?
Contributor
There was a problem hiding this comment. If it is CSG publication that can fail, I'd change current line 44 (comment added there) |
||||||||||
| - The CSG configuration will be out of sync | ||||||||||
| - Instances may not receive proper configuration updates | ||||||||||
|
|
||||||||||
| ## Requirements for unmanaged certificates | ||||||||||
|
|
||||||||||
| To use unmanaged certificates effectively in Config Sync Groups, you must: | ||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||
|
|
||||||||||
| - **Manual installation**: Install certificates manually on each NGINX instance in the CSG | ||||||||||
| - **Identical file paths**: Ensure that file paths referencing unmanaged certificates are identical across all instances | ||||||||||
| - **Content consistency**: Maintain identical certificate file contents across all instances to ensure proper tracking | ||||||||||
| - **User responsibility**: Take full responsibility for certificate distribution, updates, and consistency | ||||||||||
|
|
||||||||||
| ## Important considerations | ||||||||||
|
|
||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||
| ### Certificate tracking | ||||||||||
|
|
||||||||||
| - The NGINX One Console tracks unmanaged certificates by their content and file paths | ||||||||||
| - When certificates are consistent across all instances, their contents and metadata match, and a single consolidated entry appears in the CSG | ||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||
| - If certificate content differs between instances, multiple unique unmanaged certificates are displayed as separate entries | ||||||||||
|
|
||||||||||
| ### Synchronization limitations | ||||||||||
|
|
||||||||||
| - **No automated sync**: Unmanaged certificates are not synchronized by the Console | ||||||||||
| - **Manual updates**: You must manually update certificates on each instance when they expire or need rotation | ||||||||||
|
Contributor
There was a problem hiding this comment. For consistency:
Suggested change
|
||||||||||
| - **No validation**: The Console does not perform validation or rotation logic for unmanaged certificates | ||||||||||
|
|
||||||||||
| ### Configuration options | ||||||||||
|
|
||||||||||
| If you don't want metadata tracking for unmanaged certificates, you can configure the NGINX Agent to ignore certificate directories using the `allowed_directories` setting. | ||||||||||
|
|
||||||||||
| ## Best practices | ||||||||||
|
|
||||||||||
| ### Converting to managed certificates | ||||||||||
|
Comment on lines
+77
to
+79
Contributor
There was a problem hiding this comment. I understand the parallel nature of what you've done. But it's a best practice to consolidate titles when there's only one subsection:
Suggested change
|
||||||||||
|
|
||||||||||
| To maintain consistent visibility and automated management across CSGs, consider converting unmanaged certificates to managed certificates by: | ||||||||||
|
|
||||||||||
| 1. Uploading them through the NGINX One Console | ||||||||||
| 2. Leveraging the managed certificate solution for automated synchronization | ||||||||||
| 3. Taking advantage of centralized certificate management features | ||||||||||
|
|
||||||||||
| ## Troubleshooting | ||||||||||
|
|
||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||
| ### Certificate inconsistencies | ||||||||||
|
|
||||||||||
| If you see multiple entries for what should be the same certificate: | ||||||||||
|
Contributor
There was a problem hiding this comment. I see you've numbered these options. In general, I number steps when users have to do them, in order. If ordering is not required, I'd replace the numbers with bullets |
||||||||||
|
|
||||||||||
| 1. Verify that file paths are identical across all instances | ||||||||||
| 2. Check that certificate file contents match across all instances | ||||||||||
| 3. Ensure certificates were installed correctly on all instances | ||||||||||
| 4. Review NGINX Agent logs for any collection issues | ||||||||||
|
|
||||||||||
| If CSG publication is failing or configurations are out of sync: | ||||||||||
|
|
||||||||||
| 1. Confirm that all certificate file paths are identical across instances | ||||||||||
| 2. Verify that referenced certificate files exist on all instances | ||||||||||
| 3. Check NGINX configuration syntax for certificate references | ||||||||||
|
|
||||||||||
| ### Visibility issues | ||||||||||
|
|
||||||||||
| If unmanaged certificates aren't appearing in the Console: | ||||||||||
|
|
||||||||||
| 1. Confirm that the NGINX Agent is running and connected | ||||||||||
| 2. Check that certificate directories are not excluded by `allowed_directories` settings | ||||||||||
| 3. Verify that NGINX configuration files correctly reference the certificate paths | ||||||||||
|
|
||||||||||
| ## Related topics | ||||||||||
|
|
||||||||||
| - [Manage Config Sync Groups]({{< ref "manage-config-sync-groups.md" >}}) | ||||||||||
| - [Add a file to a Config Sync Group]({{< ref "add-file-csg.md" >}}) | ||||||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.