...
Switch user to root
Code Block su root
Run the following command to create the CSR request config file
Code Block nano /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf
copy the following content and replace servername.example.com with the Fully Qualified Domain Name of the server and sample@sample.com with an email address.
Code Block [req] distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] emailAddress = sample@sample.com [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = servername.example.com
Run the following command to generate the CSR
Command Syntax
Code Block openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${FUNCTION}/CN=${FQDN}" \ -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:somepassword -sha512 -newkey rsa:4096
All of the following need to be replaced
${COUNTRY}
${STATE}
${LOCATION}
${ORGANIZATION}
${FUNCTION}
${FQDN}
Example
Code Block openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=AU/ST=NSW/L=SYDNEY/O=yarnlab/OU=lab/CN=yarnman.test.yarnlab.io" \ -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:yarnman -sha512 -newkey rsa:4096
Collect CSR for signing
Option 1- SFTP download from /var/opt/yarnlab/upgrade/
cp /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr /var/opt/yarnlab/yarnman/upgrade/yarnman-ssl.csr
Option 2 - copy content from your ssh terminal to obtain the base64 text
cat /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr
Once signed certificate has been received from CA
Note if the certificate has intermediate CA, Extra steps will be required detailed in the step Configuring Intermediate CA Certificates
rename/move existing SSL public certificate
Code Block mv /var/opt/yarnlab/yarnman/config/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ssl-cert.cert.bk
Update public certificate
Option 1
upload to /tmp from your sftp program, set/validate correct permission and restart yarnmanCode Block mv /tmp/certname.something /var/opt/yarnlab/yarnman/config/ssl-cert.cert chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca/ssl-cert.cert chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert systemctl restart yarnman
Option 2
use nano to paste the contents of the base64 certificateCode Block nano /var/opt/yarnlab/yarnman/config/ssl-cert.cert chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ssl-cert.cert chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert systemctl restart yarnman
Verification
Verify the certificate is valid with openssl commandcontents of CSR
Code Block |
---|
openssl x509req -text -noout -textverify -in /var/opt/yarnlab/yarnman/config/yarnman-ssl-cert.cert Certificate.csr Certificate request self-signature verify OK Certificate Request: Data: Version: 31 (0x20x0) Subject: SerialC Number:= AU, ST = NSW, O = yarnlab, OU = yarnlab, CN 2c:00:00:00:28:d4:5a:73:57:37:04:7f:f1:00:00:00:00:00:28 Signature Algorithm: sha256WithRSAEncryption Issuer: DC = io, DC = yarnlab, DC = lab, CN = lab-WIN-CA= test.tm999.yarnlan. |
Verify the certificate is valid with openssl command
Code Block |
---|
openssl x509 -noout -text -in /var/opt/yarnlab/yarnman/config/ssl-cert.cert Certificate: Data: Version: 3 (0x2) Serial ValidityNumber: Not Before: Jan 10 02:35:41 2023 GMT2c:00:00:00:28:d4:5a:73:57:37:04:7f:f1:00:00:00:00:00:28 Signature Algorithm: sha256WithRSAEncryption Not After Issuer: JanDC = 9 02:35:41 2025 GMT Subject: C = AU, ST = NSW, L = SYDNEY, O = yarnlab, OU = lab, CN = yarnman-2.test.yarnlab.io Lots more cert output... |
Configuring Intermediate CA Certificates
Typical format for standard SSL.
io, DC = yarnlab, DC = lab, CN = lab-WIN-CA
Validity
Not Before: Jan 10 02:35:41 2023 GMT
Not After : Jan 9 02:35:41 2025 GMT
Subject: C = AU, ST = NSW, L = SYDNEY, O = yarnlab, OU = lab, CN = yarnman-2.test.yarnlab.io
Lots more cert output... |
Configuring Intermediate CA Certificates
Typical format for standard SSL.
/var/opt/yarnlab/yarnman/config/
ssl-cert.cert - Standard certificate sent to clients
ssl-key.pem - Private key file for checking response
In order to enable intermediate certificates we must create new directory of ca in in /var/opt/yarnlab/yarnman/config/
Code Block |
---|
mkdir /var/opt/yarnlab/yarnman/config/ca |
add files in order of the cert chain so the files in the directory look like
Code Block |
---|
ls -lh /var/opt/yarnlab/yarnman/config/ca
1-name.crt
2-name.crt
3-name.crt |
The /ca folder contains the intermediate certificates that will be loaded in order. The easiest way to achieve this is to use the naming conventions 1-, 2- etc. Each certificate must end in .crt in order to be loaded.
Once the folder is created and at least one certificate is added in the format indicated the services on the node must be restarted.
File permissions should be as follow
Code Block |
---|
root@yarnman-2 [ /var/home/yarnman ]# ls -lh /var/opt/yarnlab/yarnman/config |
...
ssl-cert.cert - Standard certificate sent to clients
ssl-key.pem - Private key file for checking response
In order to enable intermediate certificates we must create new directory of ca in in /var/opt/yarnlab/yarnman/config/
Code Block |
---|
mkdir total 60K drwxr-xr-x 2 ym-yarnman-app ym-yarnman-app-gp 4.0K Jan 10 05:31 ca root@yarnman-2 [ /var/home/yarnman ]# ls -lh /var/opt/yarnlab/yarnman/config/ca |
add files in order of the cert chain so the files in the directory look like
Code Block |
---|
ls -lh/1-name.crt -rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 1.3K Jan 10 05:31 /var/opt/yarnlab/yarnman/config/ca /1-name.crt 2-name.crt 3-name.crt |
The /ca folder contains the intermediate certificates that will be loaded in order. The easiest way to achieve this is to use the naming conventions 1-, 2- etc. Each certificate must end in .crt in order to be loaded.
Once the folder is created and at least one certificate is added in the format indicated the services on the node must be restarted.
File permissions should be as follow
Code Block |
---|
root@yarnman-2 [ /var/home/yarnman ]# ls -lh |
If required to change the owner and group
Code Block |
---|
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca total 60K drwxr-xr-x 2 chown ym-yarnman-app :ym-yarnman-app-gp 4.0K Jan 10 05:31 ca root@yarnman-2 [ /var/home/yarnman ]# ls -lh/var/opt/yarnlab/yarnman/config/ca/*.crt |
If required to change the permissions
Code Block |
---|
chmod 755 /var/opt/yarnlab/yarnman/config/ca chmod 644 /var/opt/yarnlab/yarnman/config/ca/1-name*.crt -rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 1.3K Jan 10 05:31 |
restart yarnman
Code Block |
---|
systemctl restart yarnman |
Verification
Code Block |
---|
root@yarnman-2 [ /var/opt/yarnlab/yarnman/config/ca/1-name.crt |
If required to change the owner and group
Code Block |
---|
chown ym-yarnman-app:ym-yarnman-app-gp ]# openssl verify -CAfile /var/opt/yarnlab/yarnman/config/ca chown ym-yarnman-app:ym-yarnman-app-gp/1-labca.crt /var/opt/yarnlab/yarnman/config/ca/*.crt |
If required to change the permissions
Code Block |
---|
chmod 755ssl-cert.cert /var/opt/yarnlab/yarnman/config/ca chmod 644ssl-cert.cert: OK |
If you have multiple intermediates
Code Block |
---|
cat /var/opt/yarnlab/yarnman/config/ca/*.crt |
restart yarnman
Code Block |
---|
systemctl restart yarnman |
Verification
Code Block |
---|
root@yarnman-2 [ /var/opt/yarnlab/yarnman/config/ca ]# > /tmp/tempca.pem openssl verify -verbose -CAfile /tmp/tempca.pem ssl-cert.cert ssl-cert.cert: OK openssl verify -show_chain -CAfile /tmp/tempca.pem /var/opt/yarnlab/yarnman/config/ca/1ssl-labcacert.crtcert /var/opt/yarnlab/yarnman/config/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ssl-cert.cert: OK |
If you have multiple intermediates
Code Block |
---|
cat /var/opt/yarnlab/yarnman/config/ca/*.crt > /tmp/tempca.pem openssl verify -verbose -CAfile /tmp/tempca.pem ssl-cert.cert ssl-cert.cert: OK cert.cert: OK Chain: depth=0: CN = something.example.com (untrusted) depth=1: C = US, O = Let's Encrypt, CN = R3 depth=2: C = US, O = Internet Security Research Group, CN = ISRG Root X1 |
Photon iptables
In order to have perstitant firewall rules for docker containers, we need to populate the DOCKER-USER table, this is processed by iptables before traffic hits the host, hence we can’t apply the firewall rules directly on INPUT table (used by eth0)
...