Perfsonar 5.1.0 - instructions on updating a self signed Certificate to an external certificate #1449

Open
smallboy69 opened this issue Jun 24, 2024 · 2 comments

Comments

@smallboy69

Hi Perfsonar Team,

Hope this email finds you well.

Appreciated if anyone has updated the certificate for Perfsonar 5.1.0, or if there is any documentation that has been validated to work...

As I need to update the certificate for my reloaded Perfsonar 5.1.

@ichantio

Hi @smallboy69,

I'm not part of the perfsonar team but I can provide some info here.
If you have a cert provider, just simply generate a CSR. I use the config file method.

Generate the CSR and Key

Create a perfsonar.cnf file with the following content:

NOTE: Replace the info below to match what you have

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = COUNTRY CODE (US, UK, etc)
ST = STATE
L = LOCAL (CITY)
O = COMPANYNAME
OU = ORGUNITNAME
CN = servername

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = servername.yourdomainhere.com
DNS.2 = serveraltname1.yourdomainhere.com
DNS.3 = serveraltname2.yourdomainhere.com

  • Once you have the config file, run the command below (again change the name out):

    openssl req -new -newkey rsa:4096 -nodes -out "perfsonar.csr" -keyout "perfsonar.key" -config "perfsonar.cnf"

You will then have the following files in your folder:

  • perfsonar.csr - copy the content of this and paste it into your cert provider; they will provide you a cert to download. Download the one for Apache if you have that option, or PEM format.
    Ubuntu: Copy this to folder /etc/ssl/certs/, permission 644 and owned by root:root
    Rocky: Copy this to folder /etc/pki/tls/certs, permission 644 and owned by root:root
  • perfsonar.key - you will need this for perfsonar.
    Ubuntu: Copy this to folder /etc/ssl/private; the permission for the key should be 640 and owned by root:ssl-cert
    Rocky: Copy this to folder /etc/pki/tls/private/; the permission for the key should be 600 and owned by root:root

Setup apache

  • In Ubuntu edit /etc/apache2/sites-enabled/default-ssl.conf
    Comment out the following and add your own
#SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
  • In Rocky edit /etc/httpd/conf.d/ssl.conf
    Comment out the following and add your own
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Restart Apache and check

Ubuntu: systemctl restart apache2
Rocky: systemctl restart httpd
Open your perfsonar installation and check.

Other distros would be either similar to Ubuntu (Debian) or Rocky (Alma / RHEL).

Hope this helps!
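
Before the Apache restart described in the comment above, it helps to confirm that the certificate returned by the provider matches perfsonar.key, covers the server name, is in date, and that the key is not readable by others. The script below is an added example, not part of the original comment or the perfSONAR project; the function names and demo file names are assumptions, and make_demo_pair only builds a throwaway self-signed pair so the checks can be tried offline.

```shell
#!/usr/bin/env bash
# Added example: checks to run on the new certificate and key before
# restarting Apache. Function names are illustrative assumptions.

# Succeeds only if the certificate's public key equals the private key's.
cert_matches_key() (            # $1 = certificate (PEM), $2 = private key
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
  [ -n "$c" ] && [ "$c" = "$k" ]
)

# Succeeds if the certificate (SAN, else CN) covers the given DNS name.
cert_covers_host() {            # $1 = certificate, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q "does match certificate"
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {         # $1 = certificate, $2 = days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if "other" has no access to the key (true for 600 and 640).
key_not_world_accessible() {    # $1 = private key
  [ "$(ls -ldL "$1" | cut -c8-10)" = "---" ]
}

# Constructed test material: throwaway self-signed pair, valid for 2 days.
make_demo_pair() (              # $1 = existing directory, $2 = hostname
  umask 077
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null
)

# Usage: script CERT KEY HOSTNAME
if [ "$#" -eq 3 ]; then
  if cert_matches_key "$1" "$2" && cert_covers_host "$1" "$3" &&
     cert_valid_for_days "$1" 30 && key_not_world_accessible "$2"; then
    echo "OK: certificate and key pass all checks"
  else
    echo "FAILED: fix the certificate or key before restarting Apache" >&2
    exit 1
  fi
fi
```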

@smallboy69
Author

Thanks for your assistance @ichantio

Appreciate your advice and insight.

Regards
