Purpose
This article provides the steps required to supply your own certificates to your SoftNAS instance.
Symptoms
An SSL certificate is necessary for more than just distributing the public key. If it is signed by a trusted third party, it verifies the identity of the server so clients know they aren’t sending their information (encrypted or not) to the wrong person.
Info: A self-signed certificate is signed by itself rather than by a trusted third party. This is not a good idea for most business use cases. You will almost never want to use a self-signed certificate on a public Apache server that requires anonymous visitors to connect to your site, because they could easily become victims of a man-in-the-middle attack.
Info: In other words, when deploying your SoftNAS server into an enterprise use case, it may be required (or at least strongly recommended) that you switch the default self-signed certificates for your own enterprise
Resolution
If you want to send or receive messages signed by root authorities and these authorities are not installed on the server, you must add a trusted root certificate manually.
Use the following steps to add or remove trusted root certificates to/from a server:
Append your trusted certificate, and set the desired path using the following commands:

```bash
# Install the certificate under the name that ssl.conf references below
cp new.crt /etc/pki/tls/certs/ca.crt
cp new.key /etc/pki/tls/private/ca.key
cp new.csr /etc/pki/tls/private/ca.csr
```
Once the new certificates and keys are appended, restart the service using the following command:

```bash
service httpd restart
```
We now need to set up the Virtual Hosts to display the new certificate.
Open the SSL configuration file using the following command:

```bash
# Opens ssl.conf in vi at the first SSLCertificateFile directive
vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
```
Change the path to match where the certificate file is stored. If you used the method above, it will be:

```
SSLCertificateFile /etc/pki/tls/certs/ca.crt
```
Set the correct path for the Certificate Key file below. If you used the method above, it will be:

```
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
```
- Save and quit the file.
Restart Apache using the following command:

```bash
service httpd restart
```
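A pre-restart check for the files configured above, as an added example that is not part of the original article or of SoftNAS tooling: it reads the `SSLCertificateFile` and `SSLCertificateKeyFile` paths from ssl.conf, then confirms that the key is not accessible to group or others and that it belongs to the certificate. The function names are hypothetical, and the script assumes unquoted paths in ssl.conf, GNU `stat` and the `openssl` command-line tool.

```shell
#!/usr/bin/env bash
# Added example (not SoftNAS code): sanity-check the TLS files named in ssl.conf.

# Print the path given to an Apache directive (first uncommented occurrence).
ssl_directive_path() {   # usage: ssl_directive_path <conf-file> <directive>
  awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Return 0 only if the certificate and key exist, the key is private to its
# owner, and both files carry the same public key.
check_tls_pair() {       # usage: check_tls_pair <conf-file>
  local conf=$1 crt key mode crt_pub key_pub
  crt=$(ssl_directive_path "$conf" SSLCertificateFile)
  key=$(ssl_directive_path "$conf" SSLCertificateKeyFile)
  [ -n "$crt" ] && [ -r "$crt" ] || { echo "certificate missing: ${crt:-<unset>}" >&2; return 1; }
  [ -n "$key" ] && [ -r "$key" ] || { echo "key missing: ${key:-<unset>}" >&2; return 1; }

  # A private key readable by group or others can be copied by any local user.
  mode=$(stat -c '%a' "$key")
  case "$mode" in
    *00) ;;   # 600, 400: owner-only access
    *) echo "key $key has mode $mode, expected owner-only (600)" >&2; return 1 ;;
  esac

  # Apache refuses to start when the key does not belong to the certificate,
  # so compare a digest of the public key extracted from each file.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "certificate $crt and key $key do not match" >&2
    return 1
  fi
}
```

Sourcing this file and running `check_tls_pair /etc/httpd/conf.d/ssl.conf && service httpd restart` restarts Apache only when the checks pass.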
Additional Info
Warning: It is HIGHLY recommended to add the certificates before configuring replication to avoid any SnapReplicate™ interruption, as changing the keys will deactivate replication.
Change Keys after Configuring SnapReplicate™
Execute the following command on both the target and source node to erase the SSH fingerprints:

```bash
# Run from the home directory of the account that owns .ssh/known_hosts
sed -i '/<OTHER-NODE-IP-ADDRESS>/d' .ssh/known_hosts
```
Add a new set of fingerprints by using the following command:

```bash
ssh-keyscan <OTHER-NODE-IP-ADDRESS> >> .ssh/known_hosts
```
- Log in to the SoftNAS Web UI (StorageCenter) on both instances and try to activate HA again.
Info: If you continue to experience issues, please contact Buurst Support for further assistance.