...

  1. Switch user to root

    • Code Block
      su root
  2. Run the following command to create the CSR request config file

    • Code Block
      nano /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf
    • copy the following content and replace servername.example.com with the Fully Qualified Domain Name of the server and sample@sample.com with an email address.

    • Code Block
      [req]
      distinguished_name  = req_distinguished_name
      req_extensions = v3_req
      [ req_distinguished_name ]
      emailAddress      = sample@sample.com
      [ v3_req ]
      basicConstraints = CA:FALSE
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      subjectAltName = @alt_names
      [alt_names]
      DNS.1 = servername.example.com
  3. Run the following command to generate the CSR

    • Command Syntax

      • Code Block
        openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${FUNCTION}/CN=${FQDN}" \
         -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:somepassword -sha512 -newkey rsa:4096
    • All of the following need to be replaced

      • ${COUNTRY}

      • ${STATE}

      • ${LOCATION}

      • ${ORGANIZATION}

      • ${FUNCTION}

      • ${FQDN}

    • Example

      • Code Block
        openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=AU/ST=NSW/L=SYDNEY/O=yarnlab/OU=lab/CN=yarnman.test.yarnlab.io" \
         -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:yarnman -sha512 -newkey rsa:4096
  4. Collect CSR for signing

    1. Option 1 - SFTP download from /var/opt/yarnlab/upgrade/

      1. cp /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr /var/opt/yarnlab/yarnman/upgrade/yarnman-ssl.csr

    2. Option 2 - copy content from your ssh terminal to obtain the base64 text

      1. cat /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr

  5. Once the signed certificate has been received from the CA

    1. Note: if the certificate has an intermediate CA, extra steps are required; these are detailed in the section Configuring Intermediate CA Certificates

  6. Rename/move the existing SSL public certificate

    • Code Block
      mv /var/opt/yarnlab/yarnman/config/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ssl-cert.cert.bk
  7. Update public certificate

    • Option 1
      Upload to /tmp from your SFTP program, set/validate the correct owner and permissions and restart yarnman

      • Code Block
        mv /tmp/certname.something /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        systemctl restart yarnman
    • Option 2
      Use nano to paste the contents of the base64 certificate, then set the owner and permissions and restart yarnman

      • Code Block
        nano /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        systemctl restart yarnman
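The CSR generation in steps 2 and 3 above, as an added example that is not yarnlab's code and not part of the original page: it renders the page's yarnman-ssl.cnf template, refuses to run while any of the ${COUNTRY} ... ${FQDN} fields is unset or still carries one of the sample values, signs the request with the existing ssl-key.pem, and then runs the same openssl req -verify check as the Verification section plus a check that the DNS.1 SAN actually made it into the request. The helper names (check_subject_vars, build_subject, render_cnf, generate_csr), the GENERATE and SSL_KEY_PASS variables and the -passin env: form are this example's own choices; the paths, field names and config template are the page's.

```shell
#!/bin/sh
# Added example (not yarnlab's code): render the CSR config from the page's
# template, refuse unfilled placeholders, generate the CSR with the existing
# ssl-key.pem, then verify the result. Paths and field names are the page's;
# the helper names and the GENERATE / SSL_KEY_PASS variables are ours.
set -eu

CONFIG_DIR="${CONFIG_DIR:-/var/opt/yarnlab/yarnman/config}"

# Fail if any named variable is unset or still holds one of the page's sample
# values; openssl would otherwise happily issue a CSR for servername.example.com.
check_subject_vars() {
    ok=1
    for name in "$@"; do
        eval "value=\${$name:-}"
        case "$value" in
            ''|servername.example.com|sample@sample.com)
                echo "error: $name is unset or still holds the sample value" >&2
                ok=0 ;;
        esac
    done
    [ "$ok" -eq 1 ]
}

# The page's -subj string, built from the six fields it says must be replaced.
build_subject() {  # $1..$6 = COUNTRY STATE LOCATION ORGANIZATION FUNCTION FQDN
    printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# The page's yarnman-ssl.cnf with the FQDN and email filled in. The SAN matters:
# clients match the hostname against DNS.1, not against the CN.
render_cnf() {  # $1 = FQDN, $2 = email
    cat <<EOF
[req]
distinguished_name  = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
emailAddress      = $2
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $1
EOF
}

# Write the config, generate the CSR with the existing key, run the page's
# verification and additionally confirm the SAN is present in the request.
# The key passphrase is read from $SSL_KEY_PASS (env:) rather than pass:...
# so it does not appear in the process list or shell history.
generate_csr() {
    cnf="$CONFIG_DIR/yarnman-ssl.cnf"
    csr="$CONFIG_DIR/yarnman-ssl.csr"
    render_cnf "$FQDN" "$EMAIL" > "$cnf"
    openssl req -config "$cnf" -new -sha512 \
        -subj "$(build_subject "$COUNTRY" "$STATE" "$LOCATION" "$ORGANIZATION" "$FUNCTION" "$FQDN")" \
        -key "$CONFIG_DIR/ssl-key.pem" -passin env:SSL_KEY_PASS -out "$csr"
    openssl req -in "$csr" -noout -verify
    openssl req -in "$csr" -noout -text | grep -q "DNS:$FQDN"
    echo "CSR written to $csr"
}

# Run only when GENERATE=1 is set; sourcing the file just defines the helpers.
if [ "${GENERATE:-0}" = "1" ]; then
    check_subject_vars COUNTRY STATE LOCATION ORGANIZATION FUNCTION FQDN EMAIL SSL_KEY_PASS
    generate_csr
fi
```

Export the seven fields and SSL_KEY_PASS, then run the script as root with GENERATE=1. The resulting yarnman-ssl.csr is collected exactly as in step 4.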
Verification

Verify the contents of the CSR with the openssl command

Code Block
openssl req -text -noout -verify -in /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr

Certificate request self-signature verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = AU, ST = NSW, O = yarnlab, OU = yarnlab, CN = test.tm999.yarnlan.

Verify the certificate is valid with the openssl command

Code Block
openssl x509 -noout -text -in /var/opt/yarnlab/yarnman/config/ssl-cert.cert

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2c:00:00:00:28:d4:5a:73:57:37:04:7f:f1:00:00:00:00:00:28
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = io, DC = yarnlab, DC = lab, CN = lab-WIN-CA
        Validity
            Not Before: Jan 10 02:35:41 2023 GMT
            Not After : Jan  9 02:35:41 2025 GMT
        Subject: C = AU, ST = NSW, L = SYDNEY, O = yarnlab, OU = lab, CN = yarnman-2.test.yarnlab.io
Lots more cert output...

Configuring Intermediate CA Certificates

Typical format for standard SSL.

/var/opt/yarnlab/yarnman/config/

ssl-cert.cert - Standard certificate sent to clients

ssl-key.pem - Private key file for checking response

In order to enable intermediate certificates we must create a new directory named ca in /var/opt/yarnlab/yarnman/config/

Code Block
mkdir /var/opt/yarnlab/yarnman/config/ca

Add the files in the order of the cert chain so the files in the directory look like

Code Block
ls -lh /var/opt/yarnlab/yarnman/config/ca
1-name.crt
2-name.crt
3-name.crt

The /ca folder contains the intermediate certificates that will be loaded in order. The easiest way to achieve this is to use the naming convention 1-, 2- etc. Each certificate must end in .crt in order to be loaded.

Once the folder is created and at least one certificate is added in the format indicated, the services on the node must be restarted.

File permissions should be as follows

Code Block
root@yarnman-2 [ /var/home/yarnman ]# ls -lh /var/opt/yarnlab/yarnman/config
total 60K
drwxr-xr-x 2 ym-yarnman-app ym-yarnman-app-gp 4.0K Jan 10 05:31 ca
...
root@yarnman-2 [ /var/home/yarnman ]# ls -lh /var/opt/yarnlab/yarnman/config/ca/*.crt
-rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 1.3K Jan 10 05:31 /var/opt/yarnlab/yarnman/config/ca/1-name.crt

If required to change the owner and group

Code Block
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca/*.crt

If required to change the permissions

Code Block
chmod 755 /var/opt/yarnlab/yarnman/config/ca
chmod 644 /var/opt/yarnlab/yarnman/config/ca/*.crt

Restart yarnman

Code Block
systemctl restart yarnman

Verification

Code Block
root@yarnman-2 [ /var/opt/yarnlab/yarnman/config ]# openssl verify -CAfile /var/opt/yarnlab/yarnman/config/ca/1-labca.crt ssl-cert.cert
ssl-cert.cert: OK

If you have multiple intermediates

Code Block
cat /var/opt/yarnlab/yarnman/config/ca/*.crt > /tmp/tempca.pem
openssl verify -verbose -CAfile /tmp/tempca.pem ssl-cert.cert
ssl-cert.cert: OK

openssl verify -show_chain -CAfile /tmp/tempca.pem /var/opt/yarnlab/yarnman/config/ssl-cert.cert
/var/opt/yarnlab/yarnman/config/ssl-cert.cert: OK
Chain:
depth=0: CN = something.example.com (untrusted)
depth=1: C = US, O = Let's Encrypt, CN = R3
depth=2: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Photon iptables

In order to have persistent firewall rules for Docker containers, we need to populate the DOCKER-USER chain; this is processed by iptables before traffic reaches the host, hence we can't apply the firewall rules directly in the INPUT chain (used by eth0).

...