Updating TLS/SSL certificates with CLI
Anaconda strongly recommends updating your TLS/SSL certificates using the admin console.
Preparing for the update
Anaconda recommends gathering the following information and files before you proceed. If you are using the admin console, place your files in a location where you can view them to copy their contents into the applicable fields within the UI. If you are updating your certificates using the command line, you’ll need to copy your files to the server.
- Most installations will need the following items:
  - The fully qualified domain name (FQDN) of the server
  - The public SSL certificate for the domain: tls.crt
  - The private SSL key for the domain: tls.key
  - If applicable, the intermediate certificate bundle: intermediate.pem
  - If your certificate was issued by a private root CA, the public certificate for that CA: rootca.crt
- If you are using LetsEncrypt, your filenames will be different:
  - The public SSL certificate for the domain: cert.pem
  - The private SSL key for the domain: privkey.pem
  - The intermediate certificate bundle: chain.pem
  - No root CA file is needed in this case.
- If you are using a different domain and/or SSL certificate for the session/deployment subdomains, you also need:
  - The wildcard subdomain FQDN
  - The public SSL certificate for the wildcard subdomain: wildcard.crt
  - The private SSL key for the wildcard subdomain: wildcard.key
Note
Workbench assumes that the intermediate certificate and root CA (if applicable) are identical for both certificates.
Finally, if you intend to use the command-line approach to updating the certificates, you will need a copy of the latest set of publicly trusted root certificates. A copy of this file, current to when the Workbench installer package was built, can be found at DIY-SSL-CA/CA/pubCA.crt in your unpacked installer assets.
To update your TLS/SSL certificates using the command line:
1. Log in to the master node and verify that the files mentioned above are present.
2. Download the latest version of the root CA trust file by running the following command:
   curl -OL https://curl.se/ca/cacert.pem
3. If you have a private root CA (rootca.crt), append it to the cacert.pem file you just downloaded by running the following command:
   cat rootca.crt >> cacert.pem
4. If you have an intermediate bundle, combine it with your main public certificate by running the following commands (the server certificate must come first, followed by the intermediate bundle):
   cat tls.crt intermediate.pem > fullchain.pem
   cat wildcard.crt intermediate.pem > fullchain_wildcard.pem
   Note
   If you are using LetsEncrypt, skip this step. fullchain.pem is provided for you.
5. Create a file named certificates.yaml, then add the following information to it:
   apiVersion: v1
   kind: Secret
   metadata:
     name: anaconda-enterprise-certs
   type: kubernetes.io/tls
   data:
     tls.crt: TLS_CRT
     tls.key: TLS_KEY
     rootca.crt: ROOT_CA
   ---
   apiVersion: v1
   kind: Secret
   metadata:
     name: anaconda-enterprise-wildcard
   type: kubernetes.io/tls
   data:
     tls.crt: WILDCARD_CRT
     tls.key: WILDCARD_KEY
   Note
   The certificates.yaml file provides your TLS/SSL certificate and key to access the kubernetes cluster, using variable placeholders so that the certificate material is only filled in at the moment you encode it.
   Save your work and close the file.
6. Set the values for the variable placeholders in the certificates.yaml file with a base64-encoded version of the actual certificate and key. Choose the commands that match your environment setup:
   Certificate without an intermediate bundle (tls.crt and tls.key):
   TLS_CRT=$(base64 -i --wrap=0 tls.crt)
   TLS_KEY=$(base64 -i --wrap=0 tls.key)
   ROOT_CA=$(base64 -i --wrap=0 cacert.pem)
   echo "s@TLS_CRT@$TLS_CRT@;" "s@TLS_KEY@$TLS_KEY@;" "s@WILDCARD_CRT@$TLS_CRT@;" "s@WILDCARD_KEY@$TLS_KEY@;" "s@ROOT_CA@$ROOT_CA@" | sed -i.bak -f - certificates.yaml
   Certificate with an intermediate bundle (fullchain.pem and tls.key):
   TLS_CRT=$(base64 -i --wrap=0 fullchain.pem)
   TLS_KEY=$(base64 -i --wrap=0 tls.key)
   ROOT_CA=$(base64 -i --wrap=0 cacert.pem)
   echo "s@TLS_CRT@$TLS_CRT@;" "s@TLS_KEY@$TLS_KEY@;" "s@WILDCARD_CRT@$TLS_CRT@;" "s@WILDCARD_KEY@$TLS_KEY@;" "s@ROOT_CA@$ROOT_CA@" | sed -i.bak -f - certificates.yaml
   LetsEncrypt (fullchain.pem and privkey.pem):
   TLS_CRT=$(base64 -i --wrap=0 fullchain.pem)
   TLS_KEY=$(base64 -i --wrap=0 privkey.pem)
   ROOT_CA=$(base64 -i --wrap=0 cacert.pem)
   echo "s@TLS_CRT@$TLS_CRT@;" "s@TLS_KEY@$TLS_KEY@;" "s@WILDCARD_CRT@$TLS_CRT@;" "s@WILDCARD_KEY@$TLS_KEY@;" "s@ROOT_CA@$ROOT_CA@" | sed -i.bak -f - certificates.yaml
   Separate wildcard certificate (fullchain_wildcard.pem and wildcard.key):
   TLS_CRT=$(base64 -i --wrap=0 fullchain.pem)
   TLS_KEY=$(base64 -i --wrap=0 tls.key)
   WILDCARD_CRT=$(base64 -i --wrap=0 fullchain_wildcard.pem)
   WILDCARD_KEY=$(base64 -i --wrap=0 wildcard.key)
   ROOT_CA=$(base64 -i --wrap=0 cacert.pem)
   echo "s@TLS_CRT@$TLS_CRT@;" "s@TLS_KEY@$TLS_KEY@;" "s@WILDCARD_CRT@$WILDCARD_CRT@;" "s@WILDCARD_KEY@$WILDCARD_KEY@;" "s@ROOT_CA@$ROOT_CA@" | sed -i.bak -f - certificates.yaml
7. Verify that your certificates.yaml file now contains the actual certificate and key rather than placeholders by running the following command:
   grep -E 'TLS_(CRT|KEY)' certificates.yaml
   Note
   If the command returns nothing, your certificates.yaml file has been successfully created. If the command prints any lines, a placeholder was not replaced: re-verify the file name and its contents, then run the substitution and this check again.
8. Run the following command to create a backup of your existing secrets:
   # Replace <NAMESPACE> with your Workbench cluster namespace
   kubectl get secret -n <NAMESPACE> anaconda-enterprise-certs anaconda-enterprise-wildcard -o yaml --export > certificates.orig
   Note
   The --export flag was removed from kubectl in version 1.18; with a newer kubectl, omit it.
9. Remove the existing secrets, then recreate them from the new file by running the following commands:
   kubectl delete secret -n <NAMESPACE> anaconda-enterprise-certs anaconda-enterprise-wildcard
   kubectl create -n <NAMESPACE> -f certificates.yaml
10. Restart all Workbench system pods by running the following command:
   # Replace <NAMESPACE> with your Workbench cluster namespace
   kubectl delete -n <NAMESPACE> --wait=false $(kubectl get pods -n <NAMESPACE> -o name | grep ap-)
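The fullchain, Secret manifest and placeholder-check steps above, as an added shell example that is not part of the Anaconda Workbench documentation: instead of sed-substituting placeholders it builds the kubernetes.io/tls Secret directly from the PEM files, and checks two things the procedure takes on trust, that the key file really is a private key and that fullchain.pem starts with the leaf certificate (the result of cat tls.crt intermediate.pem, not the reverse). The helper names are hypothetical; the file names follow the page.

```shell
#!/bin/sh
# Added example, not part of the Anaconda Workbench docs. Builds the
# kubernetes.io/tls Secret manifest directly from PEM files and checks
# the inputs the page's procedure takes on trust. Helper names are
# hypothetical; file names follow the page's conventions.

# Base64-encode a file onto one line (works with GNU and BSD base64).
b64() { base64 < "$1" | tr -d '\n'; }

# Number of PEM certificate blocks in a file (0 if none).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Succeeds only if the chain file begins with the leaf certificate,
# i.e. it was built as "cat tls.crt intermediate.pem" and not reversed.
# A leaf without a trailing newline also fails, because cat then fuses
# its END line with the next BEGIN line and the chain is unparsable.
leaf_first() {
  leaf="$1"; chain="$2"
  n=$(wc -l < "$leaf" | tr -d ' ')
  head -n "$n" "$chain" | cmp -s - "$leaf"
}

# Print a kubernetes.io/tls Secret. Usage: tls_secret NAME CRT KEY [ROOTCA]
# Fails if the certificate or key file lacks the expected PEM markers,
# which catches swapped arguments before anything reaches the cluster.
tls_secret() {
  name="$1"; crt="$2"; key="$3"; rootca="$4"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" || return 1
  grep -q -- 'PRIVATE KEY-----' "$key" || return 1
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
  printf 'type: kubernetes.io/tls\ndata:\n'
  printf '  tls.crt: %s\n  tls.key: %s\n' "$(b64 "$crt")" "$(b64 "$key")"
  if [ -n "$rootca" ]; then printf '  rootca.crt: %s\n' "$(b64 "$rootca")"; fi
}

# The page's own final check, widened to every placeholder it uses:
# succeeds only if no placeholder survived in the manifest.
no_placeholders() {
  ! grep -Eq 'TLS_(CRT|KEY)|WILDCARD_(CRT|KEY)|ROOT_CA' "$1"
}

# Stand-alone use on the page's file names, e.g. after step 4:
# tls_secret anaconda-enterprise-certs fullchain.pem tls.key cacert.pem > certificates.yaml
# leaf_first tls.crt fullchain.pem && no_placeholders certificates.yaml
```

Apply the generated manifest with kubectl create -n <NAMESPACE> -f exactly as in the procedure; base64 output never contains @, which is why the page's sed delimiter is safe, but building the manifest directly also avoids leaving a .bak copy of the unencoded file behind.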
If you are using Gravity, you will need to perform the following additional steps:
1. Create a file named gravity-certificates.yaml, then add the following information to it:
   apiVersion: v1
   kind: Secret
   metadata:
     name: cluster-tls
   type: Opaque
   data:
     certificate: TLS_CRT
     privatekey: TLS_KEY
   Note
   The gravity-certificates.yaml file provides your TLS/SSL certificate and key to access the kubernetes cluster, using variable placeholders so that the certificate material is only filled in at the moment you encode it.
   Save your work and close the file.
2. Set values for the variable placeholders in the gravity-certificates.yaml file with base64-encoded versions of the actual certificate and key by running the following commands:
   TLS_CRT=$(base64 -i --wrap=0 fullchain.pem)
   TLS_KEY=$(base64 -i --wrap=0 tls.key)
   echo "s@TLS_CRT@$TLS_CRT@;" "s@TLS_KEY@$TLS_KEY@" | sed -i.bak -f - gravity-certificates.yaml
3. (Optional) If you have a separate set of certificates for the ops-center domain, set the values for the variable placeholders with encoded versions of that certificate and key by running the following commands (in place of the previous step's commands, which would already have consumed the placeholders):
   TLS_CRT=$(base64 -i --wrap=0 fullchain_opscenter.pem)
   TLS_KEY=$(base64 -i --wrap=0 opscenter.key)
   echo "s@TLS_CRT@$TLS_CRT@;" "s@TLS_KEY@$TLS_KEY@" | sed -i.bak -f - gravity-certificates.yaml
4. Verify that your gravity-certificates.yaml file now contains the actual certificate and key rather than placeholders by running the following command:
   grep -E 'TLS_(CRT|KEY)' gravity-certificates.yaml
   Note
   If the command returns nothing, your gravity-certificates.yaml file has been successfully created. If the command prints any lines, a placeholder was not replaced: re-verify the file name and its contents, then run the substitution and this check again.
5. Run the following command to create a backup of your existing secret:
   kubectl get secret -n kube-system cluster-tls -o yaml --export > gravity-certificates.orig
   Note
   The --export flag was removed from kubectl in version 1.18; with a newer kubectl, omit it.
6. Remove the existing secret by running the following command:
   kubectl delete secret -n kube-system cluster-tls
7. Create the new secret using the gravity-certificates.yaml file you created by running the following command:
   kubectl create -n kube-system -f gravity-certificates.yaml