How to regenerate the BOSH Director SSL Certificate
Article ID: 293545

Products

Operations Manager

Issue/Introduction

You may need to regenerate the BOSH Director SSL Certificate for a variety of reasons. These reasons may include, but are not limited to, the following:

  • Your private key has been compromised, so you need to generate a new one to preserve security.
  • Your private key has expired, so you need to create a new one.
  • The content of your SSL Certificate has changed, for example because the Director now has a new DNS name or reserved IP address, and that change needs to be reflected in the regenerated SSL Certificate.
  • You need to rotate your SSL Certificate or private key periodically to preserve security.


Environment


Resolution

Follow the instructions below to regenerate the BOSH Director SSL Certificate that is installed with BOSH:

From a terminal window with an SSH session to the Operations Manager (Ops Manager) VM, perform the following steps:


1. Run uaac target https://<opsmanagerurl>/uaa to specify your UAA CLI target (your Operations Manager UAA).

2. Run uaac token owner get to authenticate and obtain a token that UAAC can use.

3. Enter the following when prompted:
  • Client ID: opsman
  • Client secret: <Leave Blank>
  • User name: <Username used to log in to Ops Manager>
  • Password: <Password used to log in to Ops Manager>

Alternatively, if Ops Manager has been configured with SAML, perform the following:

1. Run uaac target https://<opsmanagerurl>/uaa to specify your UAA CLI target (your Ops Manager UAA).

2. Run uaac token sso get to authenticate against your SSO service and obtain a token that UAAC can use.

3. Enter the following when prompted:
  • Client ID: opsman
  • Client secret: <Leave Blank>
  • Passcode: obtain it from https://<opsmanagerurl>/uaa/passcode
  • Open that link with your Ops Manager URL inserted, then paste the passcode it displays into the terminal.

If successful, you will get a message stating: Successfully fetched token via owner password grant.


After receiving the message above, perform the following steps:

1. Run uaac context to display the users and the applications authorized by the UAA server, and the permissions granted to each user and application.

2. Copy the access token listed under access_token for client_id: opsman.

3. Run curl "https://<opsmanagerurl>/api/installation_settings" -X GET -H "Authorization: Bearer <ACCESS_TOKEN>".

4. Copy the content returned by the GET request into a file and open it for editing. This is easily done by appending > settings.txt to the end of the curl command.

5. Search the file for director_ssl and delete that whole section. It will contain something similar to this:
   "director_ssl": {
         "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----
   ...
   -----END RSA PRIVATE KEY-----\n",

   "cert_pem": "-----BEGIN CERTIFICATE-----
   ...
   -----END CERTIFICATE-----\n" },

6. After deleting everything from "director_ssl": through the closing \n-----END CERTIFICATE-----\n" }, check that the remaining JSON is still valid (no dangling comma where the section used to be), then save the file.

7. Run curl "https://<opsmanagerurl>/api/installation_settings" -X POST -H "Authorization: Bearer <ACCESS_TOKEN>" -F installation[file]=@path/to/file.

8. Be sure to include the @ before the file path, so that curl uploads the contents of the file (now without the director_ssl section) rather than the literal path.

9. If successful, the API will return {}.

10. Navigate to the Operations Manager UI and confirm that the BOSH Director is listed under “Pending Changes”.

11. Click Apply Changes.

12. Your certificate is now regenerated.
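Steps 4 through 8 are the part of this procedure most easily done wrong by hand: removing the director_ssl section with a text editor can leave a dangling comma or an unbalanced brace, and the API then rejects the POST body. The following script is an added example, not code from the original article or from Ops Manager itself. It assumes the settings were saved to settings.txt as in step 4, parses them as JSON, removes every director_ssl object wherever it sits in the document (the article shows the section but not its nesting depth, so the walk is recursive rather than assuming a top-level key), verifies none survives, and writes a clean file for the curl POST in step 7. The sample document embedded at the bottom is constructed for the demonstration and is not a real export.

```python
"""Strip the director_ssl section from an Ops Manager installation_settings
export so that the BOSH Director certificate is regenerated on Apply Changes.

Added example, not part of the original article. Assumes the export was saved
with:  curl ... installation_settings ... > settings.txt  (step 4).
"""
import json
import sys
from typing import Any, Tuple

DIRECTOR_SSL_KEY = "director_ssl"


def strip_director_ssl(doc: Any) -> Tuple[Any, int]:
    """Return a copy of the parsed JSON with every "director_ssl" object removed,
    plus the number of sections removed. Walks dicts and lists recursively
    (assumption: the section's nesting depth is not stated in the article)."""
    removed = 0
    if isinstance(doc, dict):
        cleaned = {}
        for key, value in doc.items():
            if key == DIRECTOR_SSL_KEY:
                removed += 1
                continue
            value, n = strip_director_ssl(value)
            removed += n
            cleaned[key] = value
        return cleaned, removed
    if isinstance(doc, list):
        cleaned_list = []
        for item in doc:
            item, n = strip_director_ssl(item)
            removed += n
            cleaned_list.append(item)
        return cleaned_list, removed
    return doc, 0


def has_director_ssl(doc: Any) -> bool:
    """True if a "director_ssl" key survives anywhere in the document."""
    if isinstance(doc, dict):
        return DIRECTOR_SSL_KEY in doc or any(has_director_ssl(v) for v in doc.values())
    if isinstance(doc, list):
        return any(has_director_ssl(v) for v in doc)
    return False


def rewrite_settings_file(src_path: str, dst_path: str) -> int:
    """Read the exported settings, strip director_ssl, and write the POST body.

    Parsing and re-serialising as JSON keeps braces and commas valid, which
    hand-editing the PEM block in step 5 does not guarantee."""
    with open(src_path, encoding="utf-8") as fh:
        doc = json.load(fh)
    cleaned, removed = strip_director_ssl(doc)
    if has_director_ssl(cleaned):
        raise RuntimeError("director_ssl section still present after stripping")
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(cleaned, fh, indent=2)
    return removed


# Constructed sample shaped like the fragment in step 5; not a real export.
# The product identifier and surrounding keys are illustrative only.
SAMPLE_SETTINGS = {
    "example_top_level_setting": "constructed",
    "products": [
        {
            "identifier": "p-bosh",
            "director_ssl": {
                "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n",
                "cert_pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
            },
            "other_setting": True,
        }
    ],
}

if __name__ == "__main__":
    # Usage: python strip_director_ssl.py [settings.txt] [settings-no-director-ssl.json]
    src, dst = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else (
        "settings.txt", "settings-no-director-ssl.json")
    count = rewrite_settings_file(src, dst)
    print(f"removed {count} director_ssl section(s); POST {dst} with -F installation[file]=@{dst}")
```

The script removes only the director_ssl object and leaves every other setting, including certificates belonging to other products, untouched; a count of 0 means the export did not contain the section and nothing should be posted.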


Additional Information

  • When running uaac target, you may need to use the --skip-ssl-validation flag.
  • When running curl "https://<opsmanagerurl>/api/installation_settings" -X GET -H "Authorization: Bearer <ACCESS_TOKEN>", you may need to use the -k flag, which tells curl to skip verification of the Ops Manager TLS certificate (for example, when it is self-signed).