Updating TLS/SSL certificates with CLI

Anaconda strongly recommends updating your TLS/SSL certificates using the admin console.

Preparing for the update

Anaconda recommends gathering the following information and files before you proceed. If you are using the admin console, place your files in a location where you can view them to copy their contents into the applicable fields within the UI. If you are updating your certificates using the command line, you’ll need to copy your files to the server.

Most installations will need the following items:
  • The fully qualified domain name (FQDN) of the server

  • The public SSL certificate for the domain: tls.crt

  • The private SSL key for the domain: tls.key

  • If applicable, the intermediate certificate bundle: intermediate.pem

  • If your certificate was issued by a private root CA, the public certificate for that CA: rootca.crt

If you are using LetsEncrypt, your filenames will be different:
  • The public SSL certificate for the domain: cert.pem

  • The private SSL key for the domain: privkey.pem

  • The intermediate certificate bundle: chain.pem

  • No root CA file is needed in this case.

If you are using a different domain and/or SSL certificate for the session/deployment subdomains, you also need:
  • The wildcard subdomain FQDN

  • The public SSL certificate for the wildcard subdomain: wildcard.crt

  • The private SSL key for the wildcard subdomain: wildcard.key

Note

Workbench assumes that the intermediate certificate and root CA (if applicable) are identical for both certificates.

Finally, if you intend to use the command-line approach to updating the certificates, you will need a copy of the latest set of publicly trusted root certificates. A copy of this file, current as of when the Workbench installer package was built, can be found at DIY-SSL-CA/CA/pubCA.crt in your unpacked installer assets.

To update your TLS/SSL certificates using the command line:

  1. Log in to the master node and verify that the files mentioned above are present.

  2. Download the latest version of the root CA trust file by running the following command:

    curl -OL https://curl.se/ca/cacert.pem
    
  3. If you have a private root CA (rootca.crt), append it to the cacert.pem file you just downloaded by running the following command:

    cat rootca.crt >> cacert.pem
    
  4. If you have an intermediate bundle, combine it with your main public certificate by running the following commands:

    Note

    If you are using LetsEncrypt, skip this step. fullchain.pem is provided for you.

    cat tls.crt intermediate.pem > fullchain.pem
    cat wildcard.crt intermediate.pem > fullchain_wildcard.pem
    
  5. Create a file named certificates.yaml, then add the following information to it:

    apiVersion: v1
    kind: Secret
    metadata:
        name: anaconda-enterprise-certs
    type: kubernetes.io/tls
    data:
        tls.crt: TLS_CRT
        tls.key: TLS_KEY
        rootca.crt: ROOT_CA
    ---
    apiVersion: v1
    kind: Secret
    metadata:
        name: anaconda-enterprise-wildcard
    type: kubernetes.io/tls
    data:
        tls.crt: WILDCARD_CRT
        tls.key: WILDCARD_KEY
    

    Note

    The certificates.yaml file defines the Kubernetes Secrets that hold the TLS/SSL certificate and key used to access the cluster. It uses variable placeholders so that no certificate or key material is written into the file until you substitute the encoded values in the next step.

  6. Save your work and close the file.

  7. Set the values for the variable placeholders in the certificates.yaml file with an encoded version of the actual certificate and key by running the following commands:

    Choose the commands that match your environment setup. Each block sets the same placeholders; the single-certificate variants reuse the main certificate and key for the wildcard secret, and every variant uses the cacert.pem file from steps 2 and 3 as ROOT_CA:

    # Single certificate, no intermediate bundle
    TLS_CRT=$(base64 -i --wrap=0 tls.crt)
    TLS_KEY=$(base64 -i --wrap=0 tls.key)
    ROOT_CA=$(base64 -i --wrap=0 cacert.pem)
    echo "s@TLS_CRT@$TLS_CRT@;" "s@TLS_KEY@$TLS_KEY@;" "s@WILDCARD_CRT@$TLS_CRT@;" "s@WILDCARD_KEY@$TLS_KEY@;" "s@ROOT_CA@$ROOT_CA@" | sed -i.bak -f - certificates.yaml
    
    # Single certificate with an intermediate bundle (fullchain.pem from step 4)
    TLS_CRT=$(base64 -i --wrap=0 fullchain.pem)
    TLS_KEY=$(base64 -i --wrap=0 tls.key)
    ROOT_CA=$(base64 -i --wrap=0 cacert.pem)
    echo "s@TLS_CRT@$TLS_CRT@;" "s@TLS_KEY@$TLS_KEY@;" "s@WILDCARD_CRT@$TLS_CRT@;" "s@WILDCARD_KEY@$TLS_KEY@;" "s@ROOT_CA@$ROOT_CA@" | sed -i.bak -f - certificates.yaml
    
    # LetsEncrypt (fullchain.pem and privkey.pem as issued)
    TLS_CRT=$(base64 -i --wrap=0 fullchain.pem)
    TLS_KEY=$(base64 -i --wrap=0 privkey.pem)
    ROOT_CA=$(base64 -i --wrap=0 cacert.pem)
    echo "s@TLS_CRT@$TLS_CRT@;" "s@TLS_KEY@$TLS_KEY@;" "s@WILDCARD_CRT@$TLS_CRT@;" "s@WILDCARD_KEY@$TLS_KEY@;" "s@ROOT_CA@$ROOT_CA@" | sed -i.bak -f - certificates.yaml
    
    # Separate wildcard certificate for the session/deployment subdomains
    TLS_CRT=$(base64 -i --wrap=0 fullchain.pem)
    TLS_KEY=$(base64 -i --wrap=0 tls.key)
    WILDCARD_CRT=$(base64 -i --wrap=0 fullchain_wildcard.pem)
    WILDCARD_KEY=$(base64 -i --wrap=0 wildcard.key)
    ROOT_CA=$(base64 -i --wrap=0 cacert.pem)
    echo "s@TLS_CRT@$TLS_CRT@;" "s@TLS_KEY@$TLS_KEY@;" "s@WILDCARD_CRT@$WILDCARD_CRT@;" "s@WILDCARD_KEY@$WILDCARD_KEY@;" "s@ROOT_CA@$ROOT_CA@" | sed -i.bak -f - certificates.yaml
    
  8. Verify that none of the placeholders remain in your certificates.yaml file by running the following command (it checks all five placeholders, including WILDCARD_CRT, WILDCARD_KEY and ROOT_CA):

    grep -E '(TLS|WILDCARD)_(CRT|KEY)|ROOT_CA' certificates.yaml
    

    Note

    • If the command returns nothing, every placeholder was replaced and your certificates.yaml file has been successfully created.

    • If the command prints any line, one or more placeholders were not replaced: re-verify the file names and their contents are correct, rerun the substitution commands, then run this check again.

  9. Run the following command to create a backup of your existing secrets:

    # Replace <NAMESPACE> with your Workbench cluster namespace
    kubectl get secret -n <NAMESPACE> anaconda-enterprise-certs anaconda-enterprise-wildcard -o yaml --export > certificates.orig
    
  10. Remove the existing secrets, then recreate them from the new file by running the following commands:

    kubectl delete secret -n <NAMESPACE> anaconda-enterprise-certs anaconda-enterprise-wildcard
    kubectl create -n <NAMESPACE> -f certificates.yaml
    
  11. Restart all Workbench system pods by running the following command:

    # Replace <NAMESPACE> with your Workbench cluster namespace
    kubectl delete -n <NAMESPACE> --wait=false $(kubectl get pods -n <NAMESPACE> -o name | grep ap-)
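
As an added example (not Anaconda's code and not part of the procedure above), the following Python script does what steps 5 to 8 do with sed and grep, with two checks a practitioner would want before the secrets are recreated: it looks for every placeholder, not only TLS_CRT and TLS_KEY, and it confirms that the private key actually belongs to the certificate, using only the standard library. Function names are assumptions; the Secret names and field layout are those of step 5.

```python
import base64
import re
import ssl
import tempfile

# The five placeholders used in certificates.yaml (step 5)
PLACEHOLDER_RE = re.compile(r"\b(TLS_CRT|TLS_KEY|WILDCARD_CRT|WILDCARD_KEY|ROOT_CA)\b")


def b64(data: bytes) -> str:
    """Encode like `base64 --wrap=0`: one line, as a Secret data field requires."""
    return base64.b64encode(data).decode("ascii")


def render_secret(name, cert_pem, key_pem, rootca_pem=None):
    """Render one kubernetes.io/tls Secret with the same layout as step 5."""
    lines = ["apiVersion: v1", "kind: Secret", "metadata:", f"    name: {name}",
             "type: kubernetes.io/tls", "data:",
             f"    tls.crt: {b64(cert_pem)}", f"    tls.key: {b64(key_pem)}"]
    if rootca_pem is not None:
        lines.append(f"    rootca.crt: {b64(rootca_pem)}")
    return "\n".join(lines) + "\n"


def render_certificates_yaml(cert_pem, key_pem, rootca_pem, wildcard_cert=None, wildcard_key=None):
    """Both Secrets of step 5; without a separate wildcard pair the main pair is reused, as in step 7."""
    wc_cert = wildcard_cert if wildcard_cert is not None else cert_pem
    wc_key = wildcard_key if wildcard_key is not None else key_pem
    return (render_secret("anaconda-enterprise-certs", cert_pem, key_pem, rootca_pem)
            + "---\n"
            + render_secret("anaconda-enterprise-wildcard", wc_cert, wc_key))


def leftover_placeholders(yaml_text):
    """The check of step 8, extended to every placeholder, not only TLS_CRT/TLS_KEY."""
    return sorted(set(PLACEHOLDER_RE.findall(yaml_text)))


def key_matches_cert(cert_pem, key_pem):
    """True only if OpenSSL (via the stdlib ssl module) accepts the pair and the key matches the leaf."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with tempfile.NamedTemporaryFile(suffix=".crt") as crt, tempfile.NamedTemporaryFile(suffix=".key") as key:
        crt.write(cert_pem)
        crt.flush()
        key.write(key_pem)
        key.flush()
        try:
            ctx.load_cert_chain(certfile=crt.name, keyfile=key.name)
        except OSError:  # ssl.SSLError: unparsable PEM, or "key values mismatch"
            return False
    return True
```

Run key_matches_cert on each certificate/key pair before writing the output of render_certificates_yaml to certificates.yaml, because kubectl create -f stores whatever PEM data it is given without checking that the key belongs to the certificate.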
    

If you are using Gravity, you will need to perform the following additional steps:

  1. Create a file named gravity-certificates.yaml, then add the following information to it:

    apiVersion: v1
    kind: Secret
    metadata:
        name: cluster-tls
    type: Opaque
    data:
        certificate: TLS_CRT
        privatekey: TLS_KEY
    

    Note

    The gravity-certificates.yaml file defines the Kubernetes Secret that holds the TLS/SSL certificate and key used to access the cluster. It uses variable placeholders so that no certificate or key material is written into the file until you substitute the encoded values in the next step.

  2. Save your work and close the file.

  3. Set values for the variable placeholders in the gravity-certificates.yaml file with encoded versions of the actual certificate and key by running the following commands:

    TLS_CRT=$(base64 -i --wrap=0 fullchain.pem)
    TLS_KEY=$(base64 -i --wrap=0 tls.key)
    echo "s@TLS_CRT@$TLS_CRT@;" "s@TLS_KEY@$TLS_KEY@" | sed -i.bak -f - gravity-certificates.yaml
    
  4. (Optional) If you have a separate set of certificates for the ops-center domain, run the following commands in place of those in step 3 (each placeholder can only be substituted once) to set the values for the variable placeholders with encoded versions of that certificate and key:

    TLS_CRT=$(base64 -i --wrap=0 fullchain_opscenter.pem)
    TLS_KEY=$(base64 -i --wrap=0 opscenter.key)
    echo "s@TLS_CRT@$TLS_CRT@;" "s@TLS_KEY@$TLS_KEY@" | sed -i.bak -f - gravity-certificates.yaml
    
  5. Verify that your gravity-certificates.yaml file now contains the correct certificate and key by running the following command:

    grep -E 'TLS_(CRT|KEY)' gravity-certificates.yaml
    

    Note

    • If the command returns nothing, your gravity-certificates.yaml file has been successfully created.

    • If the command returns a message, re-verify the file name and its contents are correct, then run the command again.

  6. Run the following command to create a backup of your existing secret:

    kubectl get secret -n kube-system cluster-tls -o yaml --export > gravity-certificates.orig
    
  7. Remove the existing secrets by running the following command:

    kubectl delete secret -n kube-system cluster-tls
    
  8. Create new secrets using the gravity-certificates.yaml file you created by running the following command:

    kubectl create -n kube-system -f gravity-certificates.yaml