If an error like the one below happens when attempting to run import_cert.py:
Traceback (most recent call last):
File "./import_cert.py", line 3, in <module>
from cb.core.certificates import HttpsProxy
ImportError: No module named cb.core.certificates
Use this to workaround the error and try executing the script again :
chmod o+x import_cert.py
sed -i.bak 's/\r$//' import_cert.py
sudo ./import_cert.py
Create a new sensor group on the old server specific for the migration
Edit the settings of the new sensor group. Set the Server URL to the new server URL. Do not forget to put the correct sensor communication port for the new server. https://newserver:443
When ready. Move a single test machine into the new sensor group. Verify it has registered and stays connected in the WebUI of the new server
Additional Information
Sensors already connected to the new server will drop offline after the certificate is revoked
Why do I need to revoke the group certificates
Group certs are signed by the cb-client-ca. When you migrate the certs over from another server, your group certs is no longer validly signed by the cb-client-ca being checked against. Nginx will fail with 400's due to them not being valid
import_cert.py
#!/usr/share/cb/virtualenv/bin/python
from cb.core.certificates import HttpsProxy
from cb.utils import Config
from cb.utils.db import db_session_context
from cb.utils import get_utcnow_with_tzinfo
from cb.db.core_models import ServerCert
from cb.utils.cb_ssl import SSLCertAndKey
import argparse
import sys
def get_args():
parser = argparse.ArgumentParser()
parser.add_argument('-c', '--config', action="store", default="/etc/cb/cb.conf", help="Path to the cb.conf file.")
parser.add_argument('-e', '--execute', action="store_true", default=False,
help="Perform update instead of just a dry run.")
return parser.parse_args(sys.argv[1:])
def print_separator(text):
text = text.split('\n')
length = 20
for line in text:
length = max(len(line), length)
print('-' * length)
def update_cert(config, dry_run=True):
if config.UnifiedViewEnabled:
print("Cannot run on unified view server.")
exit()
with db_session_context(config) as db_session:
proxy = HttpsProxy(config)
keys = proxy.get_default_key_pair()
cert = db_session.query(ServerCert).filter(ServerCert.is_default == True).one()
if not cert:
print("No default certificate found.")
exit()
print("Public Key before update:")
print_separator(cert.x509_cert)
print(cert.x509_cert)
cert.enabled = True
cert.is_default = True
cert.name = "Legacy"
cert.added_time = cert.changed_time = get_utcnow_with_tzinfo()
cert_and_key = SSLCertAndKey.load_from_string(keys.public, keys.private)
cert.x509_cert = keys.public
cert.private_key = keys.private
cert.fingerprint = cert_and_key.fingerprint(as_text=True)
cert.thumbprint = cert_and_key.thumbprint(as_text=True)
cert.subject = cert_and_key.subject(as_text=True)
cert.server_name = ""
cert.not_valid_before = cert_and_key.not_valid_before()
cert.not_valid_after = cert_and_key.not_valid_after()
cert.self_signed = cert_and_key.self_signed()
print("Public Key after update:")
print_separator(cert.x509_cert)
print(cert.x509_cert)
if dry_run:
db_session.rollback()
print("This was a dry run. To commit changes, run with --execute option.")
else:
db_session.commit()
print("Default certificate imported into the database.")
if __name__ == "__main__":
args = get_args()
config = Config()
config.load(args.config)
update_cert(config, not args.execute)