Versions Compared

...

  1. Switch user to root

    • Code Block
      su root
  2. Run the following command to create the CSR config file

    • Code Block
      nano /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf
    • copy the following content and replace servername.example.com with the Fully Qualified Domain Name of the server and sample@sample.com with an email address.

    • Code Block
      [req]
      distinguished_name  = req_distinguished_name
      req_extensions = v3_req
      [ req_distinguished_name ]
      emailAddress      = sample@sample.com
      [ v3_req ]
      basicConstraints = CA:FALSE
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      subjectAltName = @alt_names
      [alt_names]
      DNS.1 = servername.example.com
  3. Run the following command to generate the CSR

    • Command Syntax

      • Code Block
        openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${FUNCTION}/CN=${FQDN}" \
         -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:somepassword -sha512 -newkey rsa:4096
    • All of the following need to be replaced

      • ${COUNTRY}

      • ${STATE}

      • ${LOCATION}

      • ${ORGANIZATION}

      • ${FUNCTION}

      • ${FQDN}

    • Example

      • Code Block
        openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=AU/ST=NSW/L=SYDNEY/O=yarnlab/OU=lab/CN=yarnman.test.yarnlab.io" \
         -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:yarnman -sha512 -newkey rsa:4096
  4. Collect CSR for signing

    1. Option 1 - SFTP download from /var/opt/yarnlab/upgrade/

      1. cp /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr /var/opt/yarnlab/yarnman/upgrade/yarnman-ssl.csr

    2. Option 2 - copy content from your ssh terminal to obtain the base64 text

      1. cat /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr

  5. Once the signed certificate has been received from the CA

    1. Note: if the certificate is issued under an intermediate CA, extra steps are required; they are detailed in the step Configuring Intermediate CA Certificates

  6. Rename/move the existing SSL public certificate

    • Code Block
      mv /var/opt/yarnlab/yarnman/config/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ssl-cert.cert.bk
  7. Update public certificate

    • Option 1
      upload the certificate to /tmp with your SFTP program, move it into place, set/validate the correct ownership and permissions, and restart yarnman

      • Code Block
        mv /tmp/certname.something /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        systemctl restart yarnman
    • Option 2
      use nano to paste the contents of the base64 certificate

      • Code Block
        nano /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert
        systemctl restart yarnman
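Before the signed certificate is moved into place in step 7, it is worth confirming that it was actually issued for the key used in step 3, that it carries the server FQDN as a subjectAltName, and that it has not already expired. The following script is an added example, not part of the yarnman documentation; the file paths follow the procedure above, while the FQDN and key passphrase are placeholders.

```shell
#!/bin/sh
# Pre-install check for the signed certificate from step 7 (added example, not
# yarnman's own tooling). Succeeds only if the certificate was issued for the
# private key from step 3, names the server FQDN in subjectAltName and has not
# expired. Run it before the mv/chown/chmod/systemctl restart sequence.
# Usage: check_signed_cert <signed-cert.pem> <ssl-key.pem> <fqdn> <key-passphrase>
check_signed_cert() {
    cert="$1"; key="$2"; fqdn="$3"; pass="$4"

    # 1. The certificate's public key must equal the one derived from our private
    #    key (both printed as PEM SubjectPublicKeyInfo, so a string compare works).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse certificate $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) \
        || { echo "cannot read private key $key (wrong passphrase?)" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "$cert was not issued for $key" >&2; return 1; }

    # 2. The FQDN must appear as a DNS subjectAltName entry; clients ignore the CN.
    #    Split the comma-separated SAN line and match the whole entry exactly.
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$fqdn" \
        || { echo "$cert has no subjectAltName DNS:$fqdn" >&2; return 1; }

    # 3. -checkend 0 exits non-zero when notAfter is already in the past.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "$cert has expired" >&2; return 1; }

    echo "$cert matches $key and is valid for $fqdn"
    return 0
}

# Invocation with the paths used in the procedure above; the passphrase and FQDN
# are placeholders for the values chosen in step 3.
# check_signed_cert /tmp/certname.something /var/opt/yarnlab/yarnman/config/ssl-key.pem \
#     yarnman.test.yarnlab.io somepassword
```

The public-key comparison catches the common mistake of installing a certificate that was signed from a CSR generated with a different (for example, regenerated) key, which otherwise only surfaces as a TLS handshake failure after the restart.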
Verification

Verify contents of CSR

Code Block
openssl req -text -noout -verify -in /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr

Certificate request self-signature verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = AU, ST = NSW, O = yarnlab, OU = yarnlab, CN = test.tm999.yarnlan.

Verify the certificate is valid with openssl command

Code Block
openssl x509 -noout -text -in /var/opt/yarnlab/yarnman/config/ssl-cert.cert

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2c:00:00:00:28:d4:5a:73:57:37:04:7f:f1:00:00:00:00:00:28
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = io, DC = yarnlab, DC = lab, CN = lab-WIN-J2LOLHCUKRC-CA
        Validity
            Not Before: Jan 10 02:35:41 2023 GMT
            Not After : Jan  9 02:35:41 2025 GMT
        Subject: C = AU, ST = NSW, L = SYDNEY, O = yarnlab, OU = lab, CN = yarnman-2.test.yarnlab.io
Lots more cert output...

...

Code Block
mkdir /var/opt/yarnlab/yarnman/config/ca

add files in order of the cert chain so the files in the directory look like

Code Block
ls -lh /var/opt/yarnlab/yarnman/config/ca
1-name.crt
2-name.crt
3-name.crt

...

Code Block
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca/*.crt 

...

Code Block
systemctl restart yarnman
Verification
Code Block
root@yarnman-2 [ /var/opt/yarnlab/yarnman/config/ca ]# openssl verify -CAfile /var/opt/yarnlab/yarnman/config/ca/1-labca.crt /var/opt/yarnlab/yarnman/config/ssl-cert.cert 
/var/opt/yarnlab/yarnman/config/ssl-cert.cert: OK

If you have multiple intermediates, bundle them and verify the full chain:

Code Block
cat /var/opt/yarnlab/yarnman/config/ca/*.crt > /tmp/tempca.pem
openssl verify -verbose -CAfile /tmp/tempca.pem ssl-cert.cert
ssl-cert.cert: OK

openssl verify -show_chain -CAfile /tmp/tempca.pem /var/opt/yarnlab/yarnman/config/ssl-cert.cert
/var/opt/yarnlab/yarnman/config/ssl-cert.cert: OK
Chain:
depth=0: CN = something.example.com (untrusted)
depth=1: C = US, O = Let's Encrypt, CN = R3
depth=2: C = US, O = Internet Security Research Group, CN = ISRG Root X1
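The intermediate CA procedure above relies on naming the files in chain order by hand. The following script is an added example (not yarnman tooling) that derives the order from each certificate's issuer and subject, writes the /tmp/tempca.pem bundle and runs the same openssl verify -show_chain check; it assumes the CA files end in .crt and that their paths contain no spaces.

```shell
#!/bin/sh
# Order a directory of CA certificates into the chain the server certificate
# needs and verify against it (added example, not yarnman tooling). The page
# asks for the files to be named 1-name.crt, 2-name.crt, ... in chain order;
# this walks the issuer -> subject links instead of relying on file names.
# The bundle path defaults to the /tmp/tempca.pem used in the Verification section.

# Print the subject or issuer DN of a certificate without the "subject=" prefix.
dn() { openssl x509 -in "$1" -noout "-$2" 2>/dev/null | sed 's/^[a-z]*=[[:space:]]*//'; }

# order_chain <leaf.cert> <ca-dir>: prints the CA files, signer of the leaf first,
# self-signed root last. Fails if a link is missing from the directory.
order_chain() {
    leaf="$1"; dir="$2"; n=0
    want=$(dn "$leaf" issuer)
    [ -n "$want" ] || { echo "cannot read $leaf" >&2; return 1; }
    while :; do
        found=""
        for f in "$dir"/*.crt; do
            [ "$(dn "$f" subject)" = "$want" ] && { found="$f"; break; }
        done
        [ -n "$found" ] || { echo "no certificate in $dir with subject: $want" >&2; return 1; }
        echo "$found"
        next=$(dn "$found" issuer)
        # A certificate whose issuer equals its subject is the root: chain complete.
        [ "$next" != "$want" ] || return 0
        want="$next"; n=$((n + 1))
        [ "$n" -lt 20 ] || { echo "chain does not reach a self-signed root" >&2; return 1; }
    done
}

# verify_with_chain <leaf.cert> <ca-dir> [bundle]: concatenates the ordered chain
# into one PEM bundle and runs the same openssl verify used on the page.
verify_with_chain() {
    leaf="$1"; dir="$2"; bundle="${3:-/tmp/tempca.pem}"
    list=$(order_chain "$leaf" "$dir") || return 1
    : > "$bundle"
    for f in $list; do cat "$f" >> "$bundle"; done   # assumes paths without spaces
    openssl verify -show_chain -CAfile "$bundle" "$leaf"
}

# verify_with_chain /var/opt/yarnlab/yarnman/config/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ca
```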

Photon iptables

In order to have persistent firewall rules for Docker containers, we need to populate the DOCKER-USER chain; iptables processes it before the traffic hits the host, hence we can't apply the firewall rules directly in the INPUT table (used by eth0).

...