Outlines how to install a signed valid SSL certificate issued by your Certificate Authority (CA) to your Qumulo cluster
REQUIREMENTS
- Admin privileges to your Qumulo cluster
- SSL Certificate based on your CSR file has been generated by your CA
PROCESS
Generate private key
openssl genrsa -des3 -out Cluster-Name.key 2048
Strip the key
openssl rsa -in Cluster-Name.key -out Cluster-Name.key.insecure
openssl req -new -key Cluster-Name.key -out Cluster-Name.csr
Have the CA complete the request and export the certificate bundle as DER encoded.
Tip**Don't forget to ask them to add SANs if applicable
openssl pkcs7 -in yourbundle.p7b -inform DER -print_certs -out cert.pem
Install the final SSL certificate (only needs to be run from one node)
qq ssl_modify_certificate -c cert.pem -k Cluster-Name.key.insecure
If you see the following error:
Error 400: ssl_certificate_invalid_error: Cannot find the issuer certificate of some certificate in the provided certificate chain
This usually means your certificates are out-of-order in the bundle (more common on linux CA's). You can vim the pem file and reorder the certificates.
Server Certificate
Intermediate CA
Root CA
You may also see a similar error if attempting to install a certificate that lacks the whole certificate chain.
Lastly,
On every node (after you update your SSL cert/"null" indicates success), restart the WebUI service to make it take effect: SSH to each node / login as root
sudo -s
sudo qsh -c systemctl restart qumulo-appserver
Comments
0 comments