How to Generate SSL Certificate in Aria Operations for Networks appliance once existing appliance Certificate shows expired

Article ID: 324447

Products

VCF Operations for Networks

Issue/Introduction

How to generate an SSL certificate on the Aria Operations for Networks appliance once the existing appliance certificate shows as expired.

  1. The Aria Operations for Networks appliance default certificate shows as expired.

  2. To validate, run the command below on the appliance; it prints the expiry date of the appliance certificate:
    sudo openssl x509 -noout -enddate -in /etc/nginx/ssl/vnera.com.crt
  3. Example output of the above command for an expired certificate:
    ubuntu@aria-networks-platform:~$ sudo openssl x509 -noout -enddate -in /etc/nginx/ssl/vnera.com.crt
    notAfter=Oct 28 06:39:43 2023 GMT
  4. Some security scans report findings against the certificate such as "X.509 Certificate Subject CN Does Not Match the Entity Name".

Environment

Aria Operations for Networks 6.13.0
Aria Operations for Networks 6.14.0
Aria Operations for Networks 6.14.1

Resolution

Follow the instructions below to generate a certificate on the vRNI appliance(s) itself and apply it:

    For platform Node(s):

  1. SSH (for example with PuTTY) to the Platform appliance as the user support.

  2. Run the command ub to switch to the ubuntu user.

  3. Create a directory using the command below:

    mkdir custom_certs
  4. Change into the directory created in step 3:

    cd custom_certs
  5. Run the two commands below to generate the private key and a self-signed certificate:

    openssl genrsa -out vnera.com.key 2048
    openssl req -new -key vnera.com.key -x509 -days 366 -sha256 -subj "/C=US/ST=CA/L=PA/O=VMware/OU=Arkin/CN=vrni-platform-release/[email protected]" -out vnera.com.crt

    In the above command the CN and emailAddress fields can be modified:
    CN can be the hostname, and emailAddress can be any email address the user wants to use.

  6. SSH (for example with PuTTY) to the Platform appliance as the user consoleuser.

    To validate and list the certificate files, run:

    custom-cert list
  7. To apply the certificate files, run:

    custom-cert apply


    Example session:

    support@vrni-platform-release:~$ ub
    ubuntu@vrni-platform-release:~$ mkdir custom_certs
    ubuntu@platform1:~$ cd custom_certs
    ubuntu@platform1:~/custom_certs$ openssl genrsa -out vnera.com.key 2048
    Generating RSA private key, 2048 bit long modulus
    .............................................+++
    .............................................+++
    e is 65537 (0x10001)
    ubuntu@platform1:~/custom_certs$ openssl req -new -key vnera.com.key -x509 -days 366 -sha256 -subj "/C=US/ST=CA/L=PA/O=VMware/OU=Arkin/CN=vrni-platform-release/[email protected]" -out vnera.com.crt
    ubuntu@platform1:~/custom_certs$ ls
    vnera.com.crt  vnera.com.key
    ubuntu@platform1:~/custom_certs$
    (cli) custom-cert list
    vnera.com.crt
    vnera.com.key
    (cli) custom-cert apply
    Successfully applied new certificate. All active UI sessions have to be restarted.
    (cli)


    Note: While replacing the certs, if you see the error below:

     "Failed to find the Key file"

     the error occurs because Aria Operations for Networks does not recognize the key in its default PEM format; the key must be presented in RSA PEM format ("BEGIN RSA PRIVATE KEY"), and the commands below rewrite the PEM labels of the key file accordingly.

    a. Run the commands below to fix this:

    sed -i 's/-----BEGIN PRIVATE KEY-----/-----BEGIN RSA PRIVATE KEY-----/g' vnera.com.key
    sed -i 's/-----END PRIVATE KEY-----/-----END RSA PRIVATE KEY-----/g' vnera.com.key

    8. Repeat the steps above on the remaining Platform node(s) if needed.
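The generation steps above, as an added example that is not part of the KB article or of the appliance's own tooling: a POSIX shell script that produces vnera.com.key and vnera.com.crt the way step 5 does, but binds both the subject CN and a subjectAltName to the node's hostname (the scan finding in the Issue section compares the CN with the entity name, and browsers check the SAN rather than the CN), and confirms that the key and certificate belong together before they are handed to custom-cert. It assumes OpenSSL 1.1.1 or newer on the appliance (for -addext); the function names, the output-directory argument and the hostname argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the KB article: generate the appliance key and a
# self-signed certificate as in step 5, with CN and subjectAltName set to the
# node's hostname, then verify the key matches the certificate.
# Assumes OpenSSL 1.1.1 or newer (needed for -addext).
set -eu

# gen_appliance_cert <outdir> <hostname> <days>
# Writes <outdir>/vnera.com.key and <outdir>/vnera.com.crt (article file names).
gen_appliance_cert() {
    outdir=$1; host=$2; days=$3
    mkdir -p "$outdir"
    openssl genrsa -out "$outdir/vnera.com.key" 2048 2>/dev/null
    # Same subject fields as the article, with CN bound to the hostname and a
    # DNS SAN carrying the same name (what TLS clients actually compare).
    openssl req -new -key "$outdir/vnera.com.key" -x509 -days "$days" -sha256 \
        -subj "/C=US/ST=CA/L=PA/O=VMware/OU=Arkin/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -out "$outdir/vnera.com.crt" 2>/dev/null
}

# cert_cn <crt>: print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject=CN=\([^,]*\).*/\1/p'
}

# cert_san <crt>: print the DNS names in subjectAltName, one per line.
cert_san() {
    openssl x509 -noout -ext subjectAltName -in "$1" \
        | tr ',' '\n' | sed -n 's/.*DNS:\(.*\)/\1/p'
}

# key_matches_cert <key> <crt>: succeed only if the RSA modulus of the
# private key equals the modulus in the certificate's public key.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh make_appliance_cert.sh <outdir> <hostname>
if [ $# -eq 2 ]; then
    gen_appliance_cert "$1" "$2" 366
    key_matches_cert "$1/vnera.com.key" "$1/vnera.com.crt"
    echo "CN:  $(cert_cn "$1/vnera.com.crt")"
    echo "SAN: $(cert_san "$1/vnera.com.crt")"
fi
```

Run it on the node as the ubuntu user, for example sh make_appliance_cert.sh custom_certs "$(hostname)", then continue with custom-cert list and custom-cert apply as consoleuser. The emailAddress component from the article's -subj can be appended to the subject string if it is wanted.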


    For Collector Node(s):

    1. SSH (for example with PuTTY) to the Collector appliance as the user support.

    2. Run the command ub to switch to the ubuntu user.

    3. Create a directory using the command below:

    mkdir custom_certs

    4. Change into the directory created in step 3:

    cd custom_certs

    5. Run the two commands below to generate the private key and a self-signed certificate:

    openssl genrsa -out vnera.com.key 2048

    openssl req -new -key vnera.com.key -x509 -days 366 -sha256 -subj "/C=US/ST=CA/L=PA/O=VMware/OU=Arkin/CN=aria-networks-collector/[email protected]" -out vnera.com.crt

    Note:
    In the above command the values of the CN and emailAddress fields can be modified:
    CN can be the hostname, and emailAddress can be any email address the user wants to use.


    6. For Collector nodes, run the command below on every collector as a workaround before applying the SSL certificate (CollectorIP is the IP address of the collector):

    ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null support@CollectorIP 'sudo sed -i "/isThisProxy/,+4d" /home/ubuntu/cli/bin/recertify_host.sh /home/ubuntu/cli/bin/scplocal.sh'

    Note:
    After running the above command you will be prompted for the password of the support user.


    7. SSH (for example with PuTTY) to the Collector appliance as the user consoleuser.

    To validate and list the certificate files, run:

    custom-cert list

    8. To apply the certificate files, run:

    custom-cert apply

    Example session:

    support@aria-networks-collector:~$ ub
    ubuntu@aria-networks-collector:~$ mkdir custom_certs
    ubuntu@aria-networks-collector:~$ cd custom_certs
    ubuntu@aria-networks-collector:~/custom_certs$ openssl genrsa -out vnera.com.key 2048
    Generating RSA private key, 2048 bit long modulus
    .............................................+++
    .............................................+++
    e is 65537 (0x10001)
    ubuntu@aria-networks-collector:~/custom_certs$ openssl req -new -key vnera.com.key -x509 -days 366 -sha256 -subj "/C=US/ST=CA/L=PA/O=VMware/OU=Arkin/CN=aria-networks-collector/[email protected]" -out vnera.com.crt
    ubuntu@aria-networks-collector:~/custom_certs$ ls
    vnera.com.crt  vnera.com.key
    
    ubuntu@aria-networks-collector:~/custom_certs$
    ubuntu@aria-networks-collector:~/custom_certs$ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null [email protected] 'sudo sed -i "/isThisProxy/,+4d" /home/ubuntu/cli/bin/recertify_host.sh /home/ubuntu/cli/bin/scplocal.sh'
    Warning: Permanently added '192.168.115.52' (ECDSA) to the list of known hosts.
    [email protected]'s password:
    
    (cli) custom-cert list
    vnera.com.crt
    vnera.com.key
    (cli) custom-cert apply
    Successfully applied new certificate. All active UI sessions have to be restarted.
    (cli)

    Note:
    While replacing the certs, if you see the error below:

     "Failed to find the Key file"

    the error occurs because Aria Operations for Networks does not recognize the key in its default PEM format; the key must be presented in RSA PEM format ("BEGIN RSA PRIVATE KEY"), and the commands below rewrite the PEM labels of the key file accordingly.

    a. Run the commands below to fix this:

    sed -i 's/-----BEGIN PRIVATE KEY-----/-----BEGIN RSA PRIVATE KEY-----/g' vnera.com.key
    sed -i 's/-----END PRIVATE KEY-----/-----END RSA PRIVATE KEY-----/g' vnera.com.key

    9. Repeat the steps above on the remaining Collector node(s) if needed.

    Note:
    On whichever collector has an NSX-T webhook configured, the user will need to toggle the data source to re-register it after the certificate has been applied via the steps above.


    Validating the certs on Platform and Collector node(s):

    1. After applying the certificate, run the following to fetch the certificate served on port 443 and print its validity dates (the s_client output is piped through openssl x509, which prints the notBefore and notAfter lines):

    ub
    openssl s_client -connect <collector_Ip>:443 </dev/null 2>/dev/null | openssl x509 -noout -dates

    2. The command below prints the expiry date of the installed certificate:

    ub
    sudo openssl x509 -noout -enddate -in /etc/nginx/ssl/vnera.com.crt

    3. The command below prints the issuer of the installed certificate:

    ub
    sudo openssl x509 -noout -issuer -in /etc/nginx/ssl/vnera.com.crt

Additional Information

Impacts/Risks: No functional impact.