...

  1. Switch user to root

    • Code Block
      su root
  2. Run the following command to create the CSR request config file

    • Code Block
      nano /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf
    • Copy the following content into the file and replace <FQDN> with the Fully Qualified Domain Name of the server and <EmailAddress> with the contact email address for the certificate

    • Code Block
      [req]
      distinguished_name  = req_distinguished_name
      req_extensions = v3_req
      [ req_distinguished_name ]
      emailAddress         = Email Address
      emailAddress_max     = 64
      emailAddress_default = <EmailAddress>
      [ v3_req ]
      basicConstraints = CA:FALSE
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      subjectAltName = @alt_names
      [alt_names]
      DNS.1 = <FQDN>
    • The subjectAltName entry is what browsers and other TLS clients check against the hostname, so DNS.1 must be the name users will connect to (add DNS.2, DNS.3, ... for any additional names). Because step 3 supplies the subject with -subj, the emailAddress prompt and default in req_distinguished_name are not used to build the subject; the section is kept so the config remains valid for openssl req.
  3. Run the following command to generate the CSR

    • Command Syntax

      • Code Block
        openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -sha512 -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${FUNCTION}/CN=${FQDN}" \
         -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:somepassword -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr
    • All of the following need to be replaced

      • ${COUNTRY}

      • ${STATE}

      • ${LOCATION}

      • ${ORGANIZATION}

      • ${FUNCTION}

      • ${FQDN} (must be the same name as DNS.1 in yarnman-ssl.cnf; TLS clients validate the subjectAltName, not the CN)

      • somepassword (the passphrase protecting the existing private key /var/opt/yarnlab/yarnman/config/ssl-key.pem)

    • The CSR is generated for the existing appliance key ssl-key.pem so that the signed certificate matches the key yarnman already uses; do not add -newkey, which openssl ignores when -key is given anyway. Passing the passphrase as pass:... leaves it in the shell history and visible in the process list while openssl runs; on a shared host use -passin stdin and enter it on standard input, or -passin file:<path> with a root-only file.

    • Example

      • Code Block
        openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -sha512 -subj "/C=AU/ST=NSW/L=SYDNEY/O=yarnlab/OU=lab/CN=yarnman.test.yarnlab.io" \
         -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:somepassword -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr
  4. Collect CSR for signing

    1. Option 1 - copy the CSR to the upgrade directory and download it by SFTP from /var/opt/yarnlab/yarnman/upgrade/

      1. cp /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr /var/opt/yarnlab/yarnman/upgrade/yarnman-ssl.csr

    2. Option 2 - print the CSR in your SSH terminal and paste the base64 text (from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- inclusive) into a new file named yarnman-ssl.csr on your workstation

      1. cat /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr

  5. Once the signed certificate has been received from the CA

    1. Check whether the certificate was signed by an intermediate CA rather than directly by the root CA that your clients trust (compare the Issuer field of the certificate with that root). If it was, extra steps are required; these are detailed in Configuring Intermediate CA Certificates below.

  6. Backup the existing SSL public certificate

    • Code Block
      cp -p /var/opt/yarnlab/yarnman/config/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ssl-cert.cert.bk
      cat /var/opt/yarnlab/yarnman/config/ssl-cert.cert
    • Copying rather than moving keeps the current certificate in place until step 7 overwrites it, so yarnman keeps working if the change is interrupted here; ssl-cert.cert.bk is the rollback if the service fails to start with the new certificate. The cat simply shows which certificate is being replaced.
  7. Update public certificate

    • Option 1
      Upload the signed certificate (PEM format) to /var/opt/yarnlab/yarnman/upgrade/ssl-cert.cert with your SFTP program, move it into place, set/validate the correct ownership and permissions, and restart yarnman

      • Code Block
        mv /var/opt/yarnlab/yarnman/upgrade/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        systemctl restart yarnman
    • Option 2
      Use nano to paste the contents of the base64 (PEM) certificate, then set ownership and permissions and restart yarnman

      • Code Block
        nano /var/opt/yarnlab/yarnman/config/ssl-cert.cert
      • Code Block
        chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        systemctl restart yarnman
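Steps 2 and 3 above as one script, together with the check worth running on the CSR before it goes to the CA. This is an added example, not yarnman's own tooling: it writes yarnman-ssl.cnf with the placeholders filled in, generates the CSR for the existing ssl-key.pem, and confirms the CSR verifies and carries the expected subjectAltName (a CA will happily sign a CSR with the wrong SAN). The function names and the CFG_DIR variable are this example's own; the throwaway passphrase-protected key it creates when run away from an appliance is constructed test data.

```shell
#!/bin/sh
# Added example (not yarnman's own tooling): write yarnman-ssl.cnf, generate the
# CSR for the EXISTING appliance key, and inspect the CSR before sending it to
# the CA. CFG_DIR defaults to a scratch directory so this can be run anywhere;
# on the appliance run it as root with CFG_DIR=/var/opt/yarnlab/yarnman/config.
set -eu

CFG_DIR="${CFG_DIR:-$(mktemp -d)}"
KEY="$CFG_DIR/ssl-key.pem"
CNF="$CFG_DIR/yarnman-ssl.cnf"
CSR="$CFG_DIR/yarnman-ssl.csr"

# write_csr_config FQDN EMAIL: the config from step 2 with the placeholders filled in.
write_csr_config() {
    cat > "$CNF" <<EOF
[req]
distinguished_name   = req_distinguished_name
req_extensions       = v3_req
[ req_distinguished_name ]
emailAddress         = Email Address
emailAddress_max     = 64
emailAddress_default = $2
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[alt_names]
DNS.1 = $1
EOF
}

# ensure_key PASSPHRASE: on the appliance ssl-key.pem already exists and this is a
# no-op. Away from an appliance it creates a throwaway passphrase-protected key
# (constructed test data) so the rest of the script can run.
ensure_key() {
    [ -f "$KEY" ] || openssl genrsa -aes256 -passout "pass:$1" -out "$KEY" 2048 2>/dev/null
}

# make_csr C ST L O OU FQDN PASSPHRASE: step 3. The passphrase is fed on stdin
# rather than as pass:..., so it does not show up in ps output or shell history.
make_csr() {
    printf '%s\n' "$7" | openssl req -config "$CNF" -new -sha512 \
        -subj "/C=$1/ST=$2/L=$3/O=$4/OU=$5/CN=$6" \
        -key "$KEY" -passin stdin -out "$CSR"
}

# csr_san: print the DNS names in the CSR's subjectAltName, one per line.
csr_san() {
    openssl req -in "$CSR" -noout -text | grep -o 'DNS:[A-Za-z0-9.*-]*' | sed 's/^DNS://'
}

# csr_ok FQDN: 0 when the CSR's self-signature verifies and its SAN lists FQDN.
csr_ok() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 && csr_san | grep -qx "$1"
}

# Typical use on the appliance (KEYPASS holds the ssl-key.pem passphrase):
#   write_csr_config yarnman.test.yarnlab.io admin@yarnlab.io
#   make_csr AU NSW SYDNEY yarnlab lab yarnman.test.yarnlab.io "$KEYPASS"
#   csr_ok yarnman.test.yarnlab.io && echo "CSR ready: $CSR"
```

csr_ok is the gate before step 4: if the SAN does not match the name clients will use, fix yarnman-ssl.cnf and regenerate rather than asking the CA to sign it.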
Verification
Verify the certificate is valid and is the one you expect: the Subject (and the Subject Alternative Name further down in the output) should carry the server FQDN, Validity should cover today, and Issuer should be the CA that signed the CSR

Code Block
openssl x509 -noout -text -in /var/opt/yarnlab/yarnman/config/ssl-cert.cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2c:00:00:00:28:d4:5a:73:57:37:04:7f:f1:00:00:00:00:00:28
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = io, DC = yarnlab, DC = lab, CN = lab-WIN-J2LOLHCUKRC-CA
        Validity
            Not Before: Jan 10 02:35:41 2023 GMT
            Not After : Jan  9 02:35:41 2025 GMT
        Subject: C = AU, ST = NSW, L = SYDNEY, O = yarnlab, OU = lab, CN = yarnman-2.test.yarnlab.io
Lots more cert output...

Configuring Intermediate CA Certificates

...

In order to enable intermediate certificates we must create a new directory named ca in /var/opt/yarnlab/yarnman/config/

Code Block
mkdir /var/opt/yarnlab/yarnman/config/ca

Add the files in order of the certificate chain so that the directory looks like

Code Block
ls -1 /var/opt/yarnlab/yarnman/config/ca
1-name.crt
2-name.crt
3-name.crt

The ca folder contains the intermediate certificates, which are loaded in filename order. The easiest way to control that order is the naming convention 1-, 2-, etc., starting with the intermediate that signed the server certificate and working up towards the root. Each file must end in .crt in order to be loaded. The root CA certificate itself does not need to be included; clients must already trust it for the chain to validate.

...

Code Block
chmod 755 /var/opt/yarnlab/yarnman/config/ca
chmod 644 /var/opt/yarnlab/yarnman/config/ca/*.crt

These are public certificates, so world-readable permissions are fine and let the ym-yarnman-app service account read them. Restart yarnman so the chain is loaded

Code Block
systemctl restart yarnman
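The checks worth running once ssl-cert.cert (step 7) and any intermediates in the ca directory are in place, before restarting yarnman: that the certificate really belongs to ssl-key.pem, that its subjectAltName carries the FQDN, that it is not expired, and that it chains through ca/*.crt to the root your clients trust. This is an added example, not yarnman's own tooling; the function names and the CFG_DIR variable are this example's own, and make_fixture builds constructed throwaway root, intermediate and server certificates so the script can be exercised away from an appliance.

```shell
#!/bin/sh
# Added example (not yarnman's own tooling): post-install checks for the
# certificate and intermediate chain. CFG_DIR defaults to a scratch directory;
# on the appliance set CFG_DIR=/var/opt/yarnlab/yarnman/config and run as root.
set -eu

CFG_DIR="${CFG_DIR:-$(mktemp -d)}"
KEY="$CFG_DIR/ssl-key.pem"
CERT="$CFG_DIR/ssl-cert.cert"
CADIR="$CFG_DIR/ca"

# cert_matches_key PASSPHRASE: 0 when the public key inside ssl-cert.cert is the
# public key of ssl-key.pem. A mismatch (e.g. a CSR generated with a fresh key)
# is the usual reason yarnman fails to start after a certificate swap.
cert_matches_key() {
    c=$(openssl x509 -in "$CERT" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(printf '%s\n' "$1" | openssl pkey -in "$KEY" -passin stdin -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# cert_has_san FQDN: 0 when the SAN (what clients validate) lists FQDN exactly.
cert_has_san() {
    openssl x509 -in "$CERT" -noout -text | grep -o 'DNS:[A-Za-z0-9.*-]*' | grep -qx "DNS:$1"
}

# cert_valid_now: 0 when the certificate has not expired.
cert_valid_now() {
    openssl x509 -in "$CERT" -noout -checkend 0 >/dev/null
}

# chain_ok ROOT: 0 when ssl-cert.cert chains through the intermediates in ca/
# up to ROOT, which is what a client that trusts ROOT will see. The shell glob
# sorts the files, i.e. the same 1-, 2-, ... order yarnman loads them in.
chain_ok() {
    bundle=$(mktemp)
    for f in "$CADIR"/*.crt; do cat "$f" >> "$bundle"; done
    if openssl verify -CAfile "$1" -untrusted "$bundle" "$CERT" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$bundle"
    return $rc
}

# make_fixture PASSPHRASE FQDN: constructed test data for running this script away
# from an appliance. Builds a throwaway root CA, an intermediate signed by it and a
# server certificate signed by the intermediate, laid out like the real files:
# ssl-key.pem, ssl-cert.cert and ca/1-issuing.crt (root.crt is the trust anchor).
make_fixture() {
    mkdir -p "$CADIR"
    cnf="$CFG_DIR/fixture.cnf"
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n[srv_ext]\nbasicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" > "$cnf"
    openssl req -config "$cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj '/CN=Fixture Root CA' -keyout "$CFG_DIR/root.key" -out "$CFG_DIR/root.crt" 2>/dev/null
    openssl req -config "$cnf" -new -newkey rsa:2048 -nodes \
        -subj '/CN=Fixture Issuing CA' -keyout "$CFG_DIR/int.key" -out "$CFG_DIR/int.csr" 2>/dev/null
    openssl x509 -req -in "$CFG_DIR/int.csr" -CA "$CFG_DIR/root.crt" -CAkey "$CFG_DIR/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$cnf" -extensions ca_ext -out "$CADIR/1-issuing.crt" 2>/dev/null
    openssl genrsa -aes256 -passout "pass:$1" -out "$KEY" 2048 2>/dev/null
    printf '%s\n' "$1" | openssl req -config "$cnf" -new -key "$KEY" -passin stdin \
        -subj "/CN=$2" -out "$CFG_DIR/server.csr" 2>/dev/null
    openssl x509 -req -in "$CFG_DIR/server.csr" -CA "$CADIR/1-issuing.crt" -CAkey "$CFG_DIR/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$cnf" -extensions srv_ext -out "$CERT" 2>/dev/null
}

# Typical use on the appliance (KEYPASS holds the ssl-key.pem passphrase, ROOT is
# the CA certificate your clients trust):
#   cert_matches_key "$KEYPASS" && cert_has_san yarnman.test.yarnlab.io \
#       && cert_valid_now && chain_ok "$ROOT" && systemctl restart yarnman
```

chain_ok only proves the chain is complete; clients still need the root in their own trust store, which is why the root is not placed in ca/.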

Photon iptables

To have persistent firewall rules for Docker containers we need to populate the DOCKER-USER chain. Traffic to a published container port is DNATed by Docker and then traverses the FORWARD chain rather than INPUT, so rules on the INPUT chain (which only governs traffic addressed to the host itself on eth0) never see it. Docker inserts a jump to DOCKER-USER at the top of FORWARD, ahead of its own rules, creates the chain if it is missing and otherwise leaves its contents alone, so rules placed there are evaluated before Docker's rules and survive Docker restarts. They still have to be saved with the host's normal iptables persistence mechanism to survive a reboot.

...