diff --git a/packaging/installer/kickstart.sh b/packaging/installer/kickstart.sh
index 63402825d8..dde738c281 100755
--- a/packaging/installer/kickstart.sh
+++ b/packaging/installer/kickstart.sh
@@ -1816,9 +1816,15 @@ try_static_install() {
opts="${opts} --accept"
fi
+ env_cmd="env NETDATA_CERT_TEST_URL=${NETDATA_CLAIM_URL} NETDATA_CERT_MODE=check"
+
+ if [ -n "${NETDATA_OFFLINE_INSTALL_SOURCE}" ]; then
+ env_cmd="env NETDATA_CERT_TEST_URL=${NETDATA_CLAIM_URL} NETDATA_CERT_MODE=auto"
+ fi
+
progress "Installing netdata"
# shellcheck disable=SC2086
- if ! run_as_root sh "${tmpdir}/${netdata_agent}" ${opts} -- ${NETDATA_INSTALLER_OPTIONS}; then
+ if ! run_as_root ${env_cmd} /bin/sh "${tmpdir}/${netdata_agent}" ${opts} -- ${NETDATA_INSTALLER_OPTIONS}; then
warning "Failed to install static build of Netdata on ${SYSARCH}."
run rm -rf /opt/netdata
return 2
diff --git a/packaging/makeself/install-or-update.sh b/packaging/makeself/install-or-update.sh
index e5397c9e8c..67be9d69c5 100755
--- a/packaging/makeself/install-or-update.sh
+++ b/packaging/makeself/install-or-update.sh
@@ -27,6 +27,8 @@ fi
STARTIT=1
REINSTALL_OPTIONS=""
+NETDATA_CERT_MODE="${NETDATA_CERT_MODE:-auto}"
+NETDATA_CERT_TEST_URL="${NETDATA_CERT_TEST_URL:-https://app.netdata.cloud}"
RELEASE_CHANNEL="nightly"
while [ "${1}" ]; do
@@ -48,6 +50,19 @@ while [ "${1}" ]; do
NETDATA_DISABLE_TELEMETRY=1
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}"
;;
+ "--certificates")
+ case "${2}" in
+ auto|system) NETDATA_CERT_MODE="auto" ;;
+ check) NETDATA_CERT_MODE="check" ;;
+ bundled) NETDATA_CERT_MODE="bundled" ;;
+ *) run_failed "Unknown certificate handling mode '${2}'. Supported modes are auto, check, system, and bundled."; exit 1 ;;
+ esac
+ shift 1
+ ;;
+ "--certificate-test-url")
+ NETDATA_CERT_TEST_URL="${2}"
+ shift 1
+ ;;
*) echo >&2 "Unknown option '${1}'. Ignoring it." ;;
esac
@@ -62,6 +77,14 @@ if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --disable-telemetry"
fi
+if [ -n "${NETDATA_CERT_MODE}" ]; then
+ REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificates ${NETDATA_CERT_MODE}"
+fi
+
+if [ -n "${NETDATA_CERT_TEST_URL}" ]; then
+ REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificate-test-url ${NETDATA_CERT_TEST_URL}"
+fi
+
# -----------------------------------------------------------------------------
progress "Attempt to create user/group netdata/netadata"
@@ -208,26 +231,73 @@ done
# -----------------------------------------------------------------------------
-echo "Configure TLS certificate paths"
+replace_symlink() {
+ target="${1}"
+ name="${2}"
+ rm -f "${name}"
+ ln -s "${target}" "${name}"
+}
+
+select_system_certs() {
+ if [ -d /etc/pki/tls ] ; then
+ echo "${1} /etc/pki/tls for TLS configuration and certificates"
+ replace_symlink /etc/pki/tls /opt/netdata/etc/ssl
+ elif [ -d /etc/ssl ] ; then
+ echo "${1} /etc/ssl for TLS configuration and certificates"
+ replace_symlink /etc/ssl /opt/netdata/etc/ssl
+ fi
+}
+
+select_internal_certs() {
+ echo "Using bundled TLS configuration and certificates"
+ replace_symlink /opt/netdata/share/ssl /opt/netdata/etc/ssl
+}
+
+certs_selected() {
+ [ -L /opt/netdata/etc/ssl ] || return 1
+}
+
+test_certs() {
+ /opt/netdata/bin/curl --fail --max-time 300 --silent --output /dev/null "${NETDATA_CERT_TEST_URL}"
+
+ case "$?" in
+ 35|77) echo "Failed to load certificate files for test." ; return 1 ;;
+ 60|82|83) echo "Certificates cannot be used to connect to ${NETDATA_CERT_TEST_URL}" ; return 1 ;;
+ 53|54|66) echo "Unable to use OpenSSL configuration associated with certificates" ; return 1 ;;
+ 0) echo "Successfully connected to ${NETDATA_CERT_TEST_URL} using certificates" ;;
+ *) echo "Unable to test certificates due to networking problems, blindly assuming they work" ;;
+ esac
+}
+
+# If the user has manually set up certificates, don’t mess with it.
if [ ! -L /opt/netdata/etc/ssl ] && [ -d /opt/netdata/etc/ssl ] ; then
echo "Preserving existing user configuration for TLS"
else
- if [ -d /etc/pki/tls ] ; then
- echo "Using /etc/pki/tls for TLS configuration and certificates"
- ln -sf /etc/pki/tls /opt/netdata/etc/ssl
- elif [ -d /etc/ssl ] ; then
- echo "Using /etc/ssl for TLS configuration and certificates"
- ln -sf /etc/ssl /opt/netdata/etc/ssl
- else
- echo "Using bundled TLS configuration and certificates"
- ln -sf /opt/netdata/share/ssl /opt/netdata/etc/ssl
- fi
+ echo "Configure TLS certificate paths (mode: ${NETDATA_CERT_MODE})"
+ case "${NETDATA_CERT_MODE}" in
+ check)
+ select_system_certs "Testing"
+ if certs_selected && test_certs; then
+ select_system_certs "Using"
+ else
+ select_internal_certs
+ fi
+ ;;
+ bundled) select_internal_certs ;;
+ *)
+ select_system_certs "Using"
+ if ! certs_selected; then
+ select_internal_certs
+ fi
+ ;;
+ esac
fi
# -----------------------------------------------------------------------------
echo "Save install options"
grep -qv 'IS_NETDATA_STATIC_BINARY="yes"' "${NETDATA_PREFIX}/etc/netdata/.environment" || echo IS_NETDATA_STATIC_BINARY=\"yes\" >> "${NETDATA_PREFIX}/etc/netdata/.environment"
+REINSTALL_OPTIONS="$(echo "${REINSTALL_OPTIONS}" | awk '{gsub("/", "\\/"); print}')"
sed -i "s/REINSTALL_OPTIONS=\".*\"/REINSTALL_OPTIONS=\"${REINSTALL_OPTIONS}\"/" "${NETDATA_PREFIX}/etc/netdata/.environment"
# -----------------------------------------------------------------------------