Updating TLS/SSL certificates¶
You can replace the self-signed certificates generated as part of the initial post-install configuration at any time.
Before you begin, follow the processes outlined below. Then you can update the Anaconda Enterprise platform to use your own certificates using the Anaconda Enterprise Admin Console or the command line.
Before you begin:
- Ask all users to save their work, stop any sessions and deployments, and log out of the platform while you update the certificates.
- Backup your current Anaconda Enterprise configuration following the backup process.
- Gather all of the following information and files related to your certificates, so you have it available to copy and paste from in the procedure that follows:
- Registered domain name for the server
- SSL certificate for
- SSL private key for
- Root SSL certificate (such as this default Root CA), named
rootca.crt. A root certificate is optional but recommended.
- Intermediate SSL certificate chain/bundle, named
intermediate.pem(This certificate may also appear as the second entry in your
- Wildcard domain name
- Wildcard certificate for
- Wildcard private key for
- After you’ve gathered all the information above, follow the steps below that correspond to whether you will use the Admin console or the command line to update the Anaconda Enterprise platform to use your certificates.
To update the platform using the Admin console:
- Log in to Anaconda Enterprise, select the Menu icon in the top right corner and click the Administrative Console link displayed at the bottom of the slide out window.
- Log in to the console using the Administrator credentials configured after installation.
- Select Web Certificates from either the top-level menu or the slide out menu.
- Copy and paste the certificate and key information from the files you gathered previously into the appropriate fields.
- Click Save to update the platform with your changes.
The default SSL certificate file names generated by the installer vary slightly between versions. If you have upgraded from a previous version of Anaconda Enterprise, you may need to update your configuration to make sure all services are referencing the correct SSL certificate filenames (see below).
keystore.jks filename remains unchanged.
To update the platform using the command line:
On the system where the certificate and private key reside:
openjdk. For example, use the following command to install
java-1.8.0-openjdkon CentOS 7.5:
yum install java-1.8.0-openjdk -y
Run the following command to create the
keystore.jksfile that will be used by Java:
openssl pkcs12 -passout pass:anaconda -export -in CERT.PEM -inkey KEY.PEM -out certificate.p12 -name auth keytool -importkeystore -deststorepass anaconda -destkeypass anaconda -destkeystore keystore.jks -srckeystore certificate.p12 -srcstoretype PKCS12 -srcstorepass anaconda -alias auth
If you’re using a certificate provided by Let’s Encrypt, use
FULLCHAIN.PEM instead of
Create an updated Root CA to use with the system:
cat ROOT.CA /etc/ssl/certs/ca-bundle.trust.crt > updated-trust-ca.crt
If you’re using a certificate provided by Let’s Encrypt your can obtain the Root CA here.
You must also prepend the
CHAIN.PEM to the Root CA.
For RHEL-based systems, the path to the trusted CA is:
For Ubuntu-based systems, the path the system CA is
Setup the basic structure of the
certificates.yamlfile, that you’ll be updating in the next several steps:
cat > certificates.yaml <<EOL apiVersion: v1 kind: Secret metadata: name: anaconda-enterprise-certs type: Opaque data: EOL
Add the main domain for the SSL certificate. For example
printf " tls.crt: " >> certificates.yaml base64 -i --wrap=0 CERT.PEM >> certificates.yaml
Add the private key for the certificate:
printf "\n tls.key: " >> certificates.yaml base64 -i --wrap=0 KEY.PEM >> certificates.yaml
Add the SAN certificate to the file. For example
printf "\n wildcard.crt: " >> certificates.yaml base64 -i --wrap=0 CERT.PEM >> certificates.yaml
Add the private key for the SAN certificate:
printf "\n wildcard.key: " >> certificates.yaml base64 -i --wrap=0 KEY.PEM >> certificates.yaml
Add the keystore you generated in Step 2:
printf "\n keystore.jks: " >> certificates.yaml base64 -i --wrap=0 keystore.jks >> certificates.yaml
Add the updated Root CA that you created in Step 3:
printf "\n rootca.crt: " >> certificates.yaml base64 -i --wrap=0 updated-trust-ca.crt >> certificates.yaml
Add a new line at the end of the file:
printf '\n' >> certificates.yaml
Copy the file to the share directory inside gravity:
cp certificates.yaml /var/lib/gravity/planet/share
Run the following commands to enter gravity and list your secrets:
gravity enter kubectl get secrets
In the next step you’ll be removing and recreating a secret, so create a backup of the existing secrets first:
kubectl get secret anaconda-enterprise-certs -o yaml --export > anaconda_certs.backup
Remove the existing secret, and recreate it from the file you placed in the share directory (in Step 12):
kubectl delete secret anaconda-enterprise-certs kubectl create -f /ext/share/certificates.yaml
Restart all pods to update Anaconda Enterprise to use your certificate:
kubectl get pods | cut -d' ' -f1 | xargs kubectl delete pods