Versions Compared

Old Version 6

changes.mady.by.user Glen Steedman

Saved on

compared with

New Version Current

changes.mady.by.user Glen Steedman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This is a manual proces until

Jira Legacy
serverSystem JIRAJira
serverIdd1de7fd4-f9b1-3177-8dc3-3ee678680322
keyYMN-4962

...

  1. Switch user to root

    • Code Block
      su root

  2. Run the following command to create the CSR request config file

    • Code Block
      nano /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf

    • add copy the following contenst content and replace <FQDN>with servername.example.com with the Fully Quailifed Qualified Domain Name of the server and sample@sample.com with an email address.

    • Code Block
      [req]
distinguished_name  = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
emailAddress      = Email Address (emailAddress_max    = 64)
sample@sample.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = <FQDN>servername.example.com

  3. Run the following command to generate the CSR

    • Command Syntax

      • Code Block
        openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${FUNCTION}/CN=${FQDN}" \
 -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:somepassword -sha512 -newkey rsa:4096

    • All of the following need to be replaced

      • ${COUNTRY}

      • ${STATE}

      • ${LOCATION}

      • ${ORGANIZATION}

      • ${FUNCTION}

      • ${FQDN}

    • Example

      • Code Block
        openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=AU/ST=NSW/L=SYDNEY/O=yarnlab/OU=lab/CN=yarnman.test.yarnlab.io" \
 -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:somepasswordyarnman -sha512 -newkey rsa:4096

  4. Collect CSR for signing

    1. Option 1- SFTP download from /var/opt/yarnlab/upgrade/

      1. cp /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr /var/opt/yarnlab/yarnman/upgrade/yarnman-ssl.csr

    2. Option 2 - copy content to new file yarnman-ssl.cnffrom your ssh terminal to obtain the base64 text

      1. cat /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr

  5. Once signed certificate has been received from CA

    1. Review Note if the certificate has intermediate CA siging and follow process below

    Backup

    1. , Extra steps will be required detailed in the step Configuring Intermediate CA Certificates

  6. rename/move existing SSL public certificate

    • Code Block
      cpmv /var/opt/yarnlab/yarnman/config/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ssl-cert.cert.bk
    • Code Block
      cat /var/opt/yarnlab/yarnman/config/ssl-cert.cert

    Update public certificatge

  7. Option

    Update public certificate

    • Option 1
      upload to /

    var/opt/yarnlab/yarnman/upgrade/ssl-cert.cert Code Blockrm

    • tmp from your sftp program, set/validate correct permission and restart yarnman

      • Code Block
        mv /tmp/certname.something /var/opt/yarnlab/yarnman/config/ssl-cert.cert
    mv
      • 
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/
    upgrade
      • config/ssl-cert.cert
chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert
systemctl restart yarnman

    • Option 2
      use nano to paste the contents of the base64 certificate

      • Code Block
        nano /var/opt/yarnlab/yarnman/config/ssl-cert.cert
    • Code Block
      systemctl restart yarnman
Verification
Code Block
PENDING openssl verification commands

Configuring Intermediate CA Certificates

Typical format for standard SSL.

      • 
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/

...

      • ssl-cert.cert

...

ssl-key.pem - Private key file for checking response

...

      • 
chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert
systemctl restart yarnman
Verification

Verify contents of CSR

Code Block
openssl req -text -noout -verify -in /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr 

Certificate request  /caself-signature verify OK
Certificate Request:
    Data:
        Version: 1-name.crt (0x0)
     2-name.crt   Subject: C 3-name.crt

The /ca folder contains the intermediate certificates that will be loaded in order. The easiest way to achieve this is to use the naming conventions 1-, 2- etc. Each certificate must end in .crt in order to be loaded.

Once the folder is created and at least one certificate is added in the format indicated the services on the node must be restarted.

File permissions should be as follow

Code Block
root@yarnman-2 [ /var/home/yarnman ]# ls -lh /var/opt/yarnlab/yarnman/config
total 60K
drwxr-xr-x 2 ym-yarnman-app ym-yarnman-app-gp 4.0K Jan 10 05:31 ca

root@yarnman-2 [ /var/home/yarnman ]# ls -lh /var/opt/yarnlab/yarnman/config/ca/1-name.crt 
-rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 1.3K Jan 10 05:31 /var/opt/yarnlab/yarnman/config/ca/1-name.crt

If required to change the owner and group

Code Block
chown ym-yarnman-app /var/opt/yarnlab/yarnman/config/ca
chown ym-yarnman-app /var/opt/yarnlab= AU, ST = NSW, O = yarnlab, OU = yarnlab, CN = test.tm999.yarnlan.

Verify the certificate is valid with openssl command

Code Block
openssl x509 -noout -text -in /var/opt/yarnlab/yarnman/config/ssl-cert.cert

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2c:00:00:00:28:d4:5a:73:57:37:04:7f:f1:00:00:00:00:00:28
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = io, DC = yarnlab, DC = lab, CN = lab-WIN-CA
        Validity
            Not Before: Jan 10 02:35:41 2023 GMT
            Not After : Jan  9 02:35:41 2025 GMT
        Subject: C = AU, ST = NSW, L = SYDNEY, O = yarnlab, OU = lab, CN = yarnman-2.test.yarnlab.io
Lots more cert output...

Configuring Intermediate CA Certificates

Typical format for standard SSL.

/var/opt/yarnlab/yarnman/config/

ssl-cert.cert - Standard certificate sent to clients

ssl-key.pem - Private key file for checking response

In order to enable intermediate certificates we must create new directory of ca in in /var/opt/yarnlab/yarnman/config/

Code Block
mkdir /var/opt/yarnlab/yarnman/config/ca

add files in order of the cert chain so the files in the directory look like

Code Block
ls -lh /var/opt/yarnlab/yarnman/config/ca
1-name.crt
2-name.crt
3-name.crt

The /ca folder contains the intermediate certificates that will be loaded in order. The easiest way to achieve this is to use the naming conventions 1-, 2- etc. Each certificate must end in .crt in order to be loaded.

Once the folder is created and at least one certificate is added in the format indicated the services on the node must be restarted.

File permissions should be as follow

Code Block
root@yarnman-2 [ /var/home/yarnman ]# ls -lh /var/opt/yarnlab/yarnman/config
total 60K
drwxr-xr-x 2 ym-yarnman-app ym-yarnman-app-gp 4.0K Jan 10 05:31 ca

root@yarnman-2 [ /var/home/yarnman ]# ls -lh /var/opt/yarnlab/yarnman/config/ca/1-name.crt 
-rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 1.3K Jan 10 05:31 /var/opt/yarnlab/yarnman/config/ca/1-name.crt

If required to change the owner and group

Code Block
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca/*.crt

If required to change the permissions

Code Block
chmod 755 /var/opt/yarnlab/yarnman/config/ca
chmod 644 /var/opt/yarnlab/yarnman/config/ca/*.crt

restart yarnman

Code Block
systemctl restart yarnman
Verification
Code Block
root@yarnman-2 [ /var/opt/yarnlab/yarnman/config/ca ]# openssl verify -CAfile /var/opt/yarnlab/yarnman/config/ca/1-labca.crt /var/opt/yarnlab/yarnman/config/ssl-cert.cert 
/var/opt/yarnlab/yarnman/config/ssl-cert.cert: OK

If you have multiple intermediates

Code Block
cat /var/opt/yarnlab/yarnman/config/ca/*.crt

If required to change the permissions

Code Block
chmod 755 > /tmp/tempca.pem
openssl verify -verbose -CAfile /tmp/tempca.pem ssl-cert.cert
ssl-cert.cert: OK

openssl verify -show_chain -CAfile /tmp/tempca.pem /var/opt/yarnlab/yarnman/config/ca
chmod 644ssl-cert.cert
/var/opt/yarnlab/yarnman/config/ca/*.crtssl-cert.cert: OK
Chain:
depth=0: CN = something.example.com (untrusted)
depth=1: C = US, O = Let's Encrypt, CN = R3
depth=2: C = US, O = Internet Security Research Group, CN = ISRG Root X1

Photon iptables

In order to have perstitant firewall rules for docker containers, we need to populate the DOCKER-USER table, this is processed by iptables before traffic hits the host, hence we can’t apply the firewall rules directly on INPUT table (used by eth0)

...