This article provides step-by-step instructions on generating a new certificate chain, including the Root CA and Leaf Certificate, using the scripts provided. If you do not have a custom certificate chain and wish to renew the default secure channel certificate, follow the instructions below to use the provided scripts for renewal.
Note: Scripts are provided in the attachments.
Step 1. Edit /etc/ssh/caconfig.cnf and add the section below after the [ CA_tmp_default ] section. (After the certificate generation is finished, remove this section again.)
[ CA_new_default ]
dir = /tmp/scc-generate/ca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/certs/cacert.pem
serial = $dir/serial
#crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
#RANDFILE = $dir/private/.rand
x509_extensions = v3_ca
#crl_extensions = crl_ext
default_days = 36500
default_startdate = 091209101000Z
#default_enddate = YYMMDDHHMMSSZ
#default_crl_days= 30
#default_crl_hours = 24
default_md = sha256
preserve = no
policy = policy_match
Download the script (generate_cert_chain_script.py) and upload it to this directory on the Avi controller: /opt/avi/scripts/
Then run it from that directory:
cd /opt/avi/scripts/
python3 generate_cert_chain_script.py
After it finishes, check that the /tmp/scc-generate folder contains a ca folder, with the certificates in its certs subfolder.
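To show what the [ CA_new_default ] keys mean in practice and what the check at the end of Step 1 should find, here is an added example that is not the page's generate_cert_chain_script.py. It writes an "openssl ca" section laid out like the one above (dir, certs, database, serial, certificate, private_key, x509_extensions, default_days, default_md, policy) into a scratch directory, generates a root CA and a leaf certificate through it, and then verifies the chain. The scratch directory WORKDIR, the section names CA_example, policy_match, v3_ca, v3_leaf and req_dn, the 10-year validity, and the subject names are all assumptions; the page's caconfig.cnf defines its own policy and extension sections.

```shell
#!/bin/sh
# Added example, not the page's script: build a root CA and a leaf certificate
# through an "openssl ca" section shaped like [ CA_new_default ], then inspect
# the output the way you would inspect /tmp/scc-generate/ca after Step 1.
set -eu

# Assumption: WORKDIR is a scratch directory standing in for /tmp/scc-generate.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_DIR="$WORKDIR/ca"
CNF="$WORKDIR/caconfig.cnf"

# The directory layout that the dir/certs/database/serial keys point at.
setup_ca_dirs() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"      # database: empty until the first cert is signed
    echo 1000 > "$CA_DIR/serial" # serial: next serial number, even-length hex
}

# The CA section mirrors the page's keys, except that dir points at WORKDIR and
# default_days is 10 years instead of 100. policy_match, v3_ca, v3_leaf and
# req_dn are assumed section names.
write_config() {
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_example

[ CA_example ]
dir = $CA_DIR
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/certs/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
x509_extensions = v3_leaf
default_days = 3650
default_md = sha256
preserve = no
policy = policy_match

[ policy_match ]
countryName = optional
organizationName = match
commonName = supplied

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
O = Example Org
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

generate_chain() {
    setup_ca_dirs
    write_config
    # Root CA: P-256 key and a self-signed certificate carrying the v3_ca extensions.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$CA_DIR/private/cakey.pem"
    openssl req -new -x509 -config "$CNF" -extensions v3_ca -days 3650 \
        -key "$CA_DIR/private/cakey.pem" -subj "/O=Example Org/CN=New-Root-CA" \
        -out "$CA_DIR/certs/cacert.pem"
    # Leaf: key and CSR, signed through the CA section so index.txt and serial advance.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$CA_DIR/private/leafkey.pem"
    openssl req -new -config "$CNF" -key "$CA_DIR/private/leafkey.pem" \
        -subj "/O=Example Org/CN=New-Leaf-CA" -out "$WORKDIR/leaf.csr"
    openssl ca -batch -notext -config "$CNF" -in "$WORKDIR/leaf.csr" \
        -out "$CA_DIR/certs/leaf.pem"
}

# The check for the generated folder: the leaf must chain to the root CA.
verify_chain() {
    openssl verify -CAfile "$CA_DIR/certs/cacert.pem" "$CA_DIR/certs/leaf.pem"
}

# Subject of a certificate (the name you will look for in the WebUI later).
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# Validity window of a certificate; confirm it matches default_days/default_startdate.
cert_dates() { openssl x509 -in "$1" -noout -dates; }

# Usage: sh this_script.sh run   (without "run", only the functions are defined)
if [ "${1:-}" = "run" ]; then
    generate_chain
    verify_chain
    cert_subject "$CA_DIR/certs/leaf.pem"
    cert_dates "$CA_DIR/certs/leaf.pem"
fi
```

The same checks apply to the real output: cacert.pem and the signed leaf under certs/, the CA key under private/, and a new line in index.txt after signing. With the page's default_days = 36500 and default_startdate = 091209101000Z, any certificate signed through that section is valid from 9 December 2009 for roughly 100 years, so it is worth confirming the dates with openssl x509 -dates before uploading in Step 2.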
Step 2. Download the script (upload_cert_chain_script.py) and upload it to this directory on the Avi controller: /opt/avi/scripts/
Run the script to upload the certificate chain. (Note: update the admin password in this script first so that it can connect to the Avi controller. Ignore the warnings it prints.)
python3 upload_cert_chain_script.py
Then check in the WebUI, under Templates => Security => SSL/TLS Certificates, that the chain certificates exist:
The root certificate should be listed under “Root/Intermediate CA” with the name “New-Root-CA”.
The leaf certificate should be listed under “SSL/TLS Certificates” with the name “New-Leaf-CA”.
Step 3. Run the script that attaches the new leaf certificate to System Settings:
python3 /opt/avi/scripts/update_secure_channel_cert.py
It will then ask you to pick the leaf certificate you want to switch to. Select the right one, and it will report that the certificate has been set up successfully.
You can double-check this in the UI: Administration => Settings => Access Settings => System Access Settings => click the pencil icon => Secure Channel SSL/TLS Certificate. New-Leaf-CA should now be set there instead of the system default secure channel certificate.
Step 4. Run this script to force each SE individually to sync its secure channel certificate with the controller. Make sure that all SEs reconnect to the controller afterwards.
The command is:
python3 /opt/avi/scripts/sync_secure_channel_cert_se.py --se <se_ip>
Note: technically this sync method only covers SE VMs with a management IP address (it may not work for IPv6 or with a second interface).
This step ensures that the root certificate has been pushed to the existing SEs, so that they can reconnect to the controller even after a restart.
Step 5. Replace the SE package on all controller nodes with the newly signed one; it is used for generating new SE images.
On the leader node, copy se.pkg from the bootstrap folder to the /host/pkgs folder:
<pkg_name> is the package currently in use, for example 30.2.2-9108-20240904.202619 in my setup; you can find it under /host/pkgs.
cd /bootstrap
cp se.pkg /host/pkgs/30.2.2-9108-20240904.202619
On each follower node, copy se.pkg from the leader node's /bootstrap folder into /host/pkgs/<pkg_name>/ on the follower node:
cd /host/pkgs/<pkg_name>
scp admin@<leader_node_ip>:/bootstrap/se.pkg .
Step 6. Clean up the old se.ova on both the leader node and the follower nodes:
python3 /opt/avi/scripts/generate_se_image.py --imagepath /host/pkgs/30.2.2-9108-20240904.202619 --cleanup
If you see “Deleted successfully”, this step is done.
If it says “No such file or directory: '/host/pkgs/<pkg_name>/staging”, this node has never had an OVA set up, so ignore the message.
Step 7. Generate the SE OVA (on the leader node only):
python3 /opt/avi/scripts/generate_se_image.py --imagepath /host/pkgs/30.2.2-9108-20240904.202619/se.pkg --imagetype ova
(This script produces no output in the CLI, but you should see a new se.ova file appear in /host/pkgs/30.2.2-9108-20240904.202619/.)
Step 8. Once se.ova has been generated, if you are using a Content Library in the Cloud, the old se.ova image needs to be deleted from vCenter. It is listed in vCenter under Content Library > OVF & OVA Templates; its name includes part of the cluster UUID (c399689a4484 in my setup), which you can fetch from this API: https://<Avi Controller IP>/api/cluster
Step 9. Restart the cloud connector service (on the leader node only):
systemctl restart cloudconnectorgo.service