With yarnman on Photon, additional steps are required for adding secondary local auth administration access.
This step requires root access.
To switch to root, run the following command, "su root", and enter the root password set during installation.
Enable the additional listening port with the ym-edit-config command
Code Block
yarnman@yarnman-1 [ ~ ]$ sudo ym-edit-config.sh enable-local-admin-access
You will be prompted to restart the Yarnman service
Port 3999 is the default alternative port to be used
The following file is modified by the script. Snippet shown for reference:
/var/opt/yarnlab/yarnman/docker-compose-override.yml
Code Block
version: '3.7'
services:
  yarnman:
    ports:
      - "3999:3999"
    expose:
      - "3999"
Ensure that the top row shows version: '3.7'
Create the 2nd Administration application and ensure the port selected is 3999 (matching what is set for ports and expose in docker-compose-override.yml) and the binding address is 0.0.0.0
Restart yarnman services
Code Block
sudo ym-service-commands.sh restart
You will now be able to access the second administration application on port 3999 using https://<IP address>:3999/
NOTE that http to https redirect will not work on this port and https:// must be entered
It is suggested to use a private browser window or similar, as the authentication sessions will conflict with LDAP users and the older session will close.
Enable database access for Replication
Info: This step must be performed to enable couchdb clustering on every node
This step requires root access.
To switch to root, run the following command, "su root", and enter the root password set during installation.
Enable the listening port for couchdb for replication
Code Block
sudo ym-edit-config.sh enable-local-couchdb-access
You will be prompted to restart the yarnman service
Port 6984 will be used
The following file is modified by the script. Snippet shown for reference:
/var/opt/yarnlab/yarnman/docker-compose-override.yml
Code Block
version: '3.7'
services:
  couchdb:
    ports:
      - "6984:6984"
Ensure that the top row shows version: '3.7'
NOTE: If docker-compose-override.yml already contains existing services (for example yarnman from the secondary administration access step), add couchdb as a second entry under the same services: key rather than adding a second version/services header.
Optionally, access to couchdb can be restricted to specific IP addresses using iptables.
Changing private key default passphrase
This step requires root access.
To switch to root, run the following command, "su root", and enter the root password set during installation.
If the encryption at rest process has been run previously, the private key must be decrypted first.
If the key is not encrypted, skip the decryption step.
To verify, run the following command. If no private-encryption-key.pem file is found, that means the key is encrypted.
NOTE!! (docker-compose-override.yml, from the replication step above) When the file carries 2 services, make sure the spaces are exactly as below in the yml file, else docker may not start. Below shows 2 services in the file:
Code Block
version: '3.7'
services:
  yarnman:
    ports:
      - "3999:3999"
    expose:
      - "3999"
  couchdb:
    ports:
      - "6984:6984"
To verify the key is encrypted (the plaintext .pem should be absent)
Code Block
ls -la /var/opt/yarnlab/yarnman/config/private-encryption-key.pem
ls: cannot access '/var/opt/yarnlab/yarnman/config/private-encryption-key.pem': No such file or directory
Restart yarnman services
Code Block
sudo ym-service-commands.sh restart
restarting yarnman.service
● yarnman.service - yarnman
   Loaded: loaded (/usr/lib/systemd/system/yarnman.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-11-14 04:23:53 UTC; 9ms ago
  Process: 56653 ExecStartPre=/usr/bin/docker-compose -f docker-compose.yml down (code=exited, status=0/SUCCESS)
 Main PID: 56663 (docker-compose)
    Tasks: 5 (limit: 4694)
   Memory: 7.1M
   CGroup: /system.slice/yarnman.service
           └─56663 /usr/bin/docker-compose -f docker-compose.yml -f docker-compose-override.yml up --remove-orphans
Nov 14 04:23:53 ym-ph-test systemd[1]: Starting yarnman...
Nov 14 04:23:53 ym-ph-test docker-compose[56653]: yarnman Warning: No resource found to remove
Nov 14 04:23:53 ym-ph-test systemd[1]: Started yarnman.
To verify the key is encrypted, the .jwe file should be present
Code Block
ls -la /var/opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe
-rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 8129 Nov 14 03:40 /var/opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe
Switch into the docker container by running the following command. Note that the prompt changes from the root shell to the container shell
Code Block
docker exec -it ym-yarnman /bin/bash
ym-yarnman-app@yl-ym-yarnman:/opt/yarnlab/yarnman$
To decrypt the key, run the following command
Code Block
clevis decrypt < /opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe > /opt/yarnlab/yarnman/config/private-encryption-key.pem
Reset permissions
Code Block
chmod 600 /opt/yarnlab/yarnman/config/private-encryption-key.pem
Change the passphrase from the default "yarnman"
Code Block
ssh-keygen -p -f /opt/yarnlab/yarnman/config/private-encryption-key.pem
Enter old passphrase:
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
Backup the old key
Code Block
mv /opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe /opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe.bk
Exit the container shell
Code Block
exit
exit
root@ym-ph-test [ /var/opt/yarnlab/ ]#
Verify the key is decrypted and review the ownership and permissions shown
Code Block
ls -la /var/opt/yarnlab/yarnman/config/private-encryption-key.pem
-rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 3326 Nov 20 20:21 /var/opt/yarnlab/yarnman/config/private-encryption-key.pem
Add the new passphrase to /var/opt/yarnlab/yarnman/config/local.yaml
Code Block
encryption:
  dbPassphrase: 'somepassword'
To update the value in place
Code Block
yq -i '.encryption.dbPassphrase = "somepassword"' /var/opt/yarnlab/yarnman/config/local.yaml
Encrypt the passphrase
Code Block
docker exec ym-yarnman node ./scripts/encrypt-local-config.js -k encryption.dbPassphrase
1668977064139 INFO Starting the encryption of 1 local configuration fields through Clevis Shamir Secret Sharing
1668977064142 INFO Attempting to encrypt the following local config fields: encryption.dbPassphrase
1668977064371 INFO Local key 'encryption.dbPassphrase' encrypted successfully
1668977064371 INFO 1 local config fields encrypted, 0 fields omitted
Verify
Code Block
cat /var/opt/yarnlab/yarnman/config/local.yaml
Re-encrypt keys
Code Block
docker exec ym-yarnman node ./scripts/encrypt-keys.js
1668977138519 INFO Encrypting private and SSL keys using settings:
1668977138521 INFO - not overwriting existing encrypted files and not deleting any original files after encryption
1668977138522 INFO --------------------------------
1668977138522 INFO Encrypting...
1668977138768 INFO - 'private-encryption-key.pem' encrypted successfully
1668977138768 INFO - 'ssl-key.pem' already encrypted, not overwriting
1668977138768 INFO --------------------------------
1668977138768 INFO Finished encrypting the files
Restart services
Code Block
systemctl restart yarnman
Verify while the services are restarting; look for
Code Block
docker logs ym-yarnman -f
2|administration-app-b6925c3239fc4c878ff6888ce5cb2b51 | 1668977206414 INFO Decrypting 1 encrypted configuration keys
2|administration-app-b6925c3239fc4c878ff6888ce5cb2b51 | 1668977206415 INFO Decrypting configuration key 'encryption.dbPassphrase'
2|administration-app-b6925c3239fc4c878ff6888ce5cb2b51 | 1668977206500 INFO Configuration key 'encryption.dbPassphrase' decrypted successfully
2|administration-app-b6925c3239fc4c878ff6888ce5cb2b51 | 1668977206500 INFO Finished decrypting 1 configuration keys
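Added example, not part of the yarnman documentation: a small POSIX shell check for the state of the private key after this passphrase change. encrypt-keys.js reports that it does not delete the original files, so a plaintext private-encryption-key.pem can remain beside the .jwe after re-encryption; the functions below (names are my own) flag that case and check the 600 mode from the reset-permissions step. Assumes GNU stat, as on Photon.

```sh
#!/bin/sh
# Added example (not from the yarnman docs): report the encryption-at-rest state of
# the yarnman private key so a passphrase rotation does not leave a plaintext copy
# behind. Assumes GNU stat (Linux). File names are the ones the page uses.

# Usage: key_state <config dir>
# Prints one of: encrypted | plaintext | both | missing
key_state() {
  dir=$1
  jwe="$dir/private-encryption-key.pem.jwe"
  pem="$dir/private-encryption-key.pem"
  if [ -f "$jwe" ] && [ -f "$pem" ]; then
    echo both        # re-encrypted, but the plaintext original is still on disk
  elif [ -f "$jwe" ]; then
    echo encrypted   # normal state after encrypt-keys.js
  elif [ -f "$pem" ]; then
    echo plaintext   # decrypted for the passphrase change, not yet re-encrypted
  else
    echo missing
  fi
}

# Usage: pem_mode_ok <config dir>  -> exit 0 when the plaintext key is mode 600
pem_mode_ok() {
  pem="$1/private-encryption-key.pem"
  [ -f "$pem" ] || return 1
  [ "$(stat -c %a "$pem")" = "600" ]
}

# Usage: check_after_reencrypt <config dir>
# Exit 0 only when the key is encrypted and no plaintext copy remains.
check_after_reencrypt() {
  case "$(key_state "$1")" in
    encrypted) return 0 ;;
    both) echo "plaintext key still present next to the .jwe: confirm the .jwe decrypts, then remove the plaintext copy" >&2; return 2 ;;
    plaintext) echo "key not re-encrypted: run encrypt-keys.js" >&2; return 3 ;;
    *) echo "no private key found" >&2; return 4 ;;
  esac
}
```

Run check_after_reencrypt /var/opt/yarnlab/yarnman/config as root after the restart step; a non-zero exit means the procedure is not finished.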
Setup Couchdb Replication
It is recommended to have completed the Yarngate LDAP configuration with at least 1 role configured before completing replication on additional nodes for the first-time setup. Refer to Yarngate Service Setup for more information.
Login to the yarnman administration application web interface
Navigate to Authentication database
Rename the Default Authentication Database name from "Central DB" to "<Node Name> Central DB" or another suitably unique name
Navigate to Authentication Policies
Rename the Default Authentication Policy name from "Central DB-Only Policy" to "<Node Name> Central DB-Only Policy" or another suitably unique name
Navigate to Nodes and select the Standalone node
Update the yarnman node name
Navigate to Nodes, select the node you want to set up and click on the Replication tab
Click on Add Replication
Enter the source and target connection strings
Source address syntax: https://10.222.1.4:6984 - NOTE that the default source address is 10.222.1.4
Source address: https://10.222.1.4:6984
Source username: architect
Source password: yarnman
Remote address syntax: https://<TargetIP>:6984
Target address: https://10.101.10.10:6984
Target username: architect
Target password: yarnman
Once replication is set up, status can be reviewed by clicking on the replication address, e.g. https://10.101.10.10:6984. If the replication shows blank, the Sync button can be pressed to kick off replication again.
Repeat for each pair of nodes to achieve a full mesh (each node replicates to every other node, so n nodes need n×(n-1) replications)
If there are 2 datacenters, repeat for each primary node in each data centre:
2 node - 2 replications
n1->n2
n2->n1
3 node - 6 replications
n1->n2
n1->n3
n2->n1
n2->n3
n3->n1
n3->n2
4 node - 12 replications
n1->n2
n1->n3
n1->n4
n2->n1
n2->n3
n2->n4
n3->n1
n3->n2
n3->n4
n4->n1
n4->n2
n4->n3
If you have any issues with replications in the failing state, run the following command and review the log messages
Yarnman HTTP Certificate Notes
This is a manual process until the referenced Jira Legacy issue is resolved.
Generate CSR
Switch user to root
Code Block
su root
Run the following command to create the CSR request config file
Code Block
nano /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf
Copy the following content and replace servername.example.com with the Fully Qualified Domain Name of the server and sample@sample.com with an email address.
Code Block
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
emailAddress = sample@sample.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = servername.example.com
Run the following command to generate the CSR
Command Syntax
Code Block
openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new \
  -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${FUNCTION}/CN=${FQDN}" \
  -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr \
  -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:somepassword \
  -sha512 -newkey rsa:4096
All of the following need to be replaced
${COUNTRY}
${STATE}
${LOCATION}
${ORGANIZATION}
${FUNCTION}
${FQDN}
Example
Code Block
openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new \
  -subj "/C=AU/ST=NSW/L=SYDNEY/O=yarnlab/OU=lab/CN=yarnman.test.yarnlab.io" \
  -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr \
  -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:yarnman \
  -sha512 -newkey rsa:4096
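Added example, not part of the yarnman documentation: a POSIX shell helper that writes the yarnman-ssl.cnf shown above from the FQDN, the email address and any extra SANs, and builds the -subj value while refusing fields that are empty or still contain a ${PLACEHOLDER} from the syntax line. Function names are my own; the file layout is the one the page gives.

```sh
#!/bin/sh
# Added example (not from the yarnman docs): build the CSR request config and the
# -subj string for the openssl req command on this page, with the placeholder check
# the page asks for ("all of the following need to be replaced").

# Usage: write_csr_config <out file> <email> <fqdn> [extra SAN fqdn ...]
write_csr_config() {
  out=$1; email=$2; shift 2
  {
    printf '[req]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n'
    printf '[ req_distinguished_name ]\nemailAddress = %s\n' "$email"
    printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
    printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = @alt_names\n[alt_names]\n'
    i=1
    for san in "$@"; do            # one DNS.n entry per name the cert must cover
      printf 'DNS.%d = %s\n' "$i" "$san"
      i=$((i + 1))
    done
  } > "$out"
}

# Usage: csr_subject C ST L O OU CN  -> prints the -subj value; exit 1 if any
# field is empty, still looks like a ${PLACEHOLDER}, or contains '/'
csr_subject() {
  [ $# -eq 6 ] || { echo "need 6 fields: C ST L O OU CN" >&2; return 1; }
  for f in "$@"; do
    case "$f" in
      ''|*'${'*) echo "unreplaced or empty field: '$f'" >&2; return 1 ;;
      */*) echo "field must not contain '/': '$f'" >&2; return 1 ;;
    esac
  done
  printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s\n' "$@"
}
```

Pass the printed subject to the page's openssl req command; the generated file carries one DNS.n entry per name given, which is how additional hostnames (DNS.2, ...) are added to subjectAltName.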
Collect CSR for signing
Option 1 - SFTP download from /var/opt/yarnlab/upgrade/
Code Block
cp /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr /var/opt/yarnlab/yarnman/upgrade/yarnman-ssl.csr
Option 2 - copy the content from your ssh terminal to obtain the base64 text
Code Block
cat /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr
Once the signed certificate has been received from the CA
Note: if the certificate has an intermediate CA, extra steps will be required, detailed in the step Configuring Intermediate CA Certificates
Rename/move the existing SSL public certificate
Code Block
mv /var/opt/yarnlab/yarnman/config/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ssl-cert.cert.bk
Update public certificate
Option 1
Upload to /tmp from your sftp program, set/validate the correct permissions and restart yarnman
Code Block
mv /tmp/certname.something /var/opt/yarnlab/yarnman/config/ssl-cert.cert
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ssl-cert.cert
chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert
systemctl restart yarnman
Option 2
Use nano to paste the contents of the base64 certificate, then set the permissions and restart yarnman
Code Block
nano /var/opt/yarnlab/yarnman/config/ssl-cert.cert
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ssl-cert.cert
chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert
systemctl restart yarnman
Verification
Verify contents of CSR
Code Block
openssl req -text -noout -verify -in /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr
Certificate request self-signature verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = AU, ST = NSW, O = yarnlab, OU = yarnlab, CN = test.tm999.yarnlan.
Verify the certificate is valid with the openssl command
Code Block
openssl x509 -noout -text -in /var/opt/yarnlab/yarnman/config/ssl-cert.cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2c:00:00:00:28:d4:5a:73:57:37:04:7f:f1:00:00:00:00:00:28
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = io, DC = yarnlab, DC = lab, CN = lab-WIN-CA
        Validity
            Not Before: Jan 10 02:35:41 2023 GMT
            Not After : Jan  9 02:35:41 2025 GMT
        Subject: C = AU, ST = NSW, L = SYDNEY, O = yarnlab, OU = lab, CN = yarnman-2.test.yarnlab.io
Lots more cert output...
Configuring Intermediate CA Certificates
Typical format for standard SSL.
Code Block
/var/opt/yarnlab/yarnman/config/
    ssl-cert.cert - Standard certificate sent to clients
    ssl-key.pem - Private key file for checking response
In order to enable intermediate certificates we must create a new folder, ca, in /var/opt/yarnlab/yarnman/config/
Code Block
mkdir /var/opt/yarnlab/yarnman/config/ca
Add files in order of the cert chain so the files in the directory look like
Code Block
/var/opt/yarnlab/yarnman/config/ca
    1-name.crt
    2-name.crt
    3-name.crt
The /ca folder contains the intermediate certificates that will be loaded in order. The easiest way to achieve this is to use the naming convention 1-, 2- etc. Each certificate must end in .crt in order to be loaded.
Once the folder is created and at least one certificate is added in the format indicated, the services on the node must be restarted.
File permissions should be as follows
Code Block
root@yarnman-2 [ /var/home/yarnman ]# ls -lh /var/opt/yarnlab/yarnman/config
total 60K
drwxr-xr-x 2 ym-yarnman-app ym-yarnman-app-gp 4.0K Jan 10 05:31 ca
root@yarnman-2 [ /var/home/yarnman ]# ls -lh /var/opt/yarnlab/yarnman/config/ca/1-name.crt
-rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 1.3K Jan 10 05:31 /var/opt/yarnlab/yarnman/config/ca/1-name.crt
If required to change the owner and group
Code Block
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca/*.crt
If required to change the permissions
Code Block
chmod 755 /var/opt/yarnlab/yarnman/config/ca
chmod 644 /var/opt/yarnlab/yarnman/config/ca/*.crt
Restart yarnman
Code Block
systemctl restart yarnman
Verification
Code Block
root@yarnman-2 [ /var/opt/yarnlab/yarnman/config/ca ]# openssl verify -CAfile /var/opt/yarnlab/yarnman/config/ca/1-labca.crt /var/opt/yarnlab/yarnman/config/ssl-cert.cert
/var/opt/yarnlab/yarnman/config/ssl-cert.cert: OK
If you have multiple intermediates
Code Block
cat /var/opt/yarnlab/yarnman/config/ca/*.crt > /tmp/tempca.pem
openssl verify -verbose -CAfile /tmp/tempca.pem ssl-cert.cert
ssl-cert.cert: OK
openssl verify -show_chain -CAfile /tmp/tempca.pem ssl-cert.cert
ssl-cert.cert: OK
Chain:
depth=0: CN = something.example.com (untrusted)
depth=1: C = US, O = Let's Encrypt, CN = R3
depth=2: C = US, O = Internet Security Research Group, CN = ISRG Root X1
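Added example, not part of the yarnman documentation: a POSIX shell helper that orders the ca/ files the way the loader expects and builds the /tmp/tempca.pem bundle used in the multiple-intermediates verification above. It sorts by the numeric prefix, because a plain shell glob or ls orders 10-x.crt before 2-x.crt, ignores anything not ending in .crt, and skips a .crt that carries no PEM CERTIFICATE block. Function names are my own.

```sh
#!/bin/sh
# Added example (not from the yarnman docs): assemble the ca/ intermediates into one
# bundle in chain order (1-, 2-, ... prefix, .crt suffix) for openssl verify -CAfile.

# Usage: chain_files <ca dir> -> one path per line, in load order
chain_files() {
  for f in "$1"/*.crt; do
    [ -f "$f" ] || continue
    n=${f##*/}; n=${n%%-*}          # numeric prefix before the first '-'
    case "$n" in
      ''|*[!0-9]*) echo "skipping $f: no numeric prefix" >&2; continue ;;
    esac
    printf '%s %s\n' "$n" "$f"
  done | sort -n | cut -d' ' -f2-   # numeric sort, so 2- comes before 10-
}

# Usage: pem_cert_ok <file> -> exit 0 when it holds a PEM CERTIFICATE block
pem_cert_ok() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Usage: build_chain_bundle <ca dir> <out bundle>; prints the number of certs written
build_chain_bundle() {
  : > "$2"; count=0
  for f in $(chain_files "$1"); do       # assumes no spaces in cert file names
    if pem_cert_ok "$f"; then
      cat "$f" >> "$2"; count=$((count + 1))
    else
      echo "skipping $f: not a PEM certificate" >&2
    fi
  done
  echo "$count"
}
```

Run build_chain_bundle /var/opt/yarnlab/yarnman/config/ca /tmp/tempca.pem and then the page's openssl verify -show_chain -CAfile /tmp/tempca.pem ssl-cert.cert; a skipped file on stderr is a file the node would not load either.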
Photon iptables
In order to have persistent firewall rules for docker containers, we need to populate the DOCKER-USER chain; iptables processes it in the FORWARD path before traffic reaches the published container ports, so the firewall rules can't be applied directly on the INPUT chain (used by eth0 for traffic to the host itself).