Updating TLS/SSL certificates

You can replace the self-signed certificates generated as part of the initial post-install configuration at any time.

Before you begin, follow the processes outlined below. Then you can update the Anaconda Enterprise platform to use your own certificates using the Anaconda Enterprise Admin Console or the command line.

Before you begin:

  1. Ask all users to save their work, stop any sessions and deployments, and log out of the platform while you update the certificates.

  2. Backup your current Anaconda Enterprise configuration following the backup process.

  3. Gather all of the following information and files related to your certificates, so you have it available to copy and paste from in the procedure that follows:

  • Registered domain name for the server

  • SSL certificate for servername.domain.tld, named tls.crt

  • SSL private key for servername.domain.tld, named tls.key

  • Root SSL certificate (such as this default Root CA), named rootca.crt. A root certificate is optional but recommended.

  • Intermediate SSL certificate chain/bundle, named intermediate.pem (This certificate may also appear as the second entry in your fullchain.pem file.)

  • Wildcard domain name

  • Wildcard certificate for *.servername.domain.tld, named wildcard.crt.

  • Wildcard private key for *.servername.domain.tld, named wildcard.key.

  1. After you’ve gathered all the information above, follow the steps below that correspond to whether you will use the Admin console or the command line to update the Anaconda Enterprise platform to use your certificates.


To update the platform using the Admin console:

  1. Log in to Anaconda Enterprise, select the Menu icon icon in the top right corner and click the Administrative Console link displayed at the bottom of the slide out window.

  1. Log in to the console using the Administrator credentials configured after installation.

  2. Select Web Certificates from either the top-level menu or the slide out menu.

../_images/web-certs.png

  1. Copy and paste the certificate and key information from the files you gathered previously into the appropriate fields.

  2. Click Save to update the platform with your changes.


Note

The default SSL certificate file names generated by the installer vary slightly between versions. If you have upgraded from a previous version of Anaconda Enterprise, you may need to update your configuration to make sure all services are referencing the correct SSL certificate filenames (see below).

Previous

Updated

rootca.pem

rootca.crt

cert.pem

tls.crt

privkey.pem

tls.key

tls.crt

wildcard.crt

tls.key

wildcard.key

Note

The keystore.jks filename remains unchanged.


To update the platform using the command line:

On the system where the certificate and private key reside:

  1. Install openjdk. For example, use the following command to install java-1.8.0-openjdk on CentOS 7.5:

    yum install java-1.8.0-openjdk -y
    
  2. Run the following command to create the keystore.jks file that will be used by Java:

    openssl pkcs12 -passout pass:anaconda -export -in CERT.PEM -inkey KEY.PEM -out certificate.p12 -name auth
    keytool -importkeystore -deststorepass anaconda -destkeypass anaconda -destkeystore keystore.jks -srckeystore certificate.p12 -srcstoretype PKCS12 -srcstorepass anaconda -alias auth
    

Note

If you’re using a certificate provided by Let’s Encrypt, use FULLCHAIN.PEM instead of CERT.PEM.

  1. Create an updated Root CA to use with the system. (You can obtain a Let’s Encrypt Root CA here).

    cat ROOT.CA /etc/ssl/certs/ca-bundle.trust.crt > updated-trust-ca.crt
    

Note

For RHEL-based systems, the path to the trusted CA is: /etc/ssl/certs/ca-bundle.trust.crt. For Ubuntu-based systems, the path to the system CA is /etc/ssl/certs/ca-certificates.crt.

  1. Setup the basic structure of the certificates.yaml file, that you’ll be updating in the next several steps:

    cat > certificates.yaml <<EOL
    apiVersion: v1
    kind: Secret
    metadata:
      name: anaconda-enterprise-certs
    type: Opaque
    data:
    EOL
    
  2. Add the main domain for the SSL certificate. For example test.anaconda.com:

    printf "  tls.crt: " >> certificates.yaml
    base64 -i --wrap=0 CERT.PEM >> certificates.yaml
    
  3. Add the private key for the certificate:

    printf "\n  tls.key: " >> certificates.yaml
    base64 -i --wrap=0 KEY.PEM >> certificates.yaml
    
  4. Add the SAN certificate to the file. For example *.test.anaconda.com:

    printf "\n  wildcard.crt: " >> certificates.yaml
    base64 -i --wrap=0 CERT.PEM >> certificates.yaml
    
  5. Add the private key for the SAN certificate:

    printf "\n  wildcard.key: " >> certificates.yaml
    base64 -i --wrap=0 KEY.PEM >> certificates.yaml
    
  6. Add the keystore you generated in Step 2:

    printf "\n  keystore.jks: " >> certificates.yaml
    base64 -i --wrap=0 keystore.jks >> certificates.yaml
    
  7. Add the updated Root CA that you created in Step 3:

    printf "\n  rootca.crt: " >> certificates.yaml
    base64 -i --wrap=0 updated-trust-ca.crt >> certificates.yaml
    
  8. Add a new line at the end of the file:

    printf '\n' >> certificates.yaml
    
  9. Copy the file to the share directory inside gravity:

    cp certificates.yaml /var/lib/gravity/planet/share
    
  10. Run the following commands to enter gravity and list your secrets:

    gravity enter
    kubectl get secrets
    
  11. In the next step you’ll be removing and recreating a secret, so create a backup of the existing secrets first:

    kubectl get secret anaconda-enterprise-certs -o yaml --export > anaconda_certs.backup
    
  12. Remove the existing secret, and recreate it from the file you placed in the share directory (in Step 12):

    kubectl delete secret anaconda-enterprise-certs
    kubectl create -f /ext/share/certificates.yaml
    
  13. Restart all pods to update Anaconda Enterprise to use your certificate:

    kubectl get pods | cut -d' ' -f1 | xargs kubectl delete pods
    

Extracting TLS/SSL certificates

Run the following command for each certificate file you wish to extract, replacing rootca.crt below with the name of the specific file:

kubectl get secrets anaconda-enterprise-certs -o jsonpath="{.data['rootca\.crt']}" | base64 -d > rootca.crt

The following certificate files are available:

  • rootca.crt: the root certificate authority bundle

  • tls.crt: the SSL certificate for individual services

  • tls.key: the private key for the above certificate

  • wildcard.crt: the SSL certificate for “wildcard” services, such as deployed apps and sessions

  • wildcard.key: the private key for the above certificate

  • keystore.jks: the Java Key Store containing these certificates used by some services

To copy the extracted root certificate and add it to the default RHEL/CentOS or Ubuntu trusted CA bundles, run the following commands:

# On Ubuntu
$ cp rootca.crt /usr/share/ca-certificates
$ update-ca-certificates

# RHEL/CentOS
$ cp rootca.crt /etc/pki/ca-trust/source/anchors/
$ update-ca-trust

Verifying TLS/SSL certificates

If you are using privately signed certificates, extract the rootca, then use openssl to verify the certificates and make sure the final Verify return code is 0:

# On Ubuntu
$ openssl s_client -connect anaconda.example.com:443 -CAfile /etc/ssl/certs/ca-certificates.crt
...
    Verify return code: 0 (ok)

# On RHEL/CentOS
$ openssl s_client -connect anaconda.example.com:443 -CAfile /etc/pki/tls/certs/ca-bundle.crt
...
    Verify return code: 0 (ok)

Configure the certificates for the repository using the following commands:

$ anaconda-enterprise-cli set ssl_verify true

# On Ubuntu
$ anaconda-enterprise-cli config set sites.master.ssl_verify /etc/ssl/certs/ca-certificates.crt

# On RHEL/CentOS
$ anaconda-enterprise-cli config set sites.master.ssl_verify /etc/pki/tls/certs/ca-bundle.crt

Note

The root CA for the self-signed certificates generated as part of the installation is contained in the certificate bundle at /etc/pki/tls/certs/ca-bundle.crt.