Purpose

This article provides the steps required to install your own certificates on your SoftNAS instance.

Symptoms

An SSL certificate is necessary for more than just distributing the public key. If it is signed by a trusted third party, it verifies the identity of the server so clients know they aren't sending their information (encrypted or not) to the wrong person.

What is a Self-Signed Certificate?

It is a certificate that is signed by itself rather than a trusted third party. This is not a good idea for most business use cases. You will almost never want to use a self-signed certificate on a public Apache server that requires anonymous visitors to connect to your site, because they could easily become victims of a man-in-the-middle attack.

When could a Self-Signed Certificate prove adequate?

  • Apache development server - There is no need to spend extra money buying a trusted certificate when you are just developing or testing an application.
  • Intranet - When clients only have to go through a local intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.
  • Personal sites with few visitors - If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connection.


Final Take

In other words, when deploying your SoftNAS server into an enterprise use case, it may be required (or at least strongly recommended) that you switch the default self-signed certificates for your own enterprise certificates.

Resolution

If you want to send or receive messages signed by root authorities and these authorities are not installed on the server, you must add a trusted root certificate manually.

Use the following steps to add or remove trusted root certificates to/from a server:

  • Append your trusted certificate, and set the desired path using the following commands:

    # Destination file names match the paths set in ssl.conf in the later steps
    cp new.crt /etc/pki/tls/certs/ca.crt
    cp new.key /etc/pki/tls/private/ca.key
    cp new.csr /etc/pki/tls/private/ca.csr

  • Restart the service using the following command:

    service httpd restart

We now need to set up the Virtual Hosts to display the new certificate.

  • Open the SSL configuration file using the following command:

    vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

  • Change the path to match where the certificate file is stored. If you used the method above, it will be:

    SSLCertificateFile /etc/pki/tls/certs/ca.crt

  • Set the correct path for the certificate key file a few lines below. If you used the method above, it will be:

    SSLCertificateKeyFile /etc/pki/tls/private/ca.key

  • Save and quit the file.

  • Restart Apache using the following command:

    service httpd restart
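
The steps above leave three things unchecked before Apache is restarted: that both configured paths exist, that the private key is not readable by other users, and that the certificate belongs to the key. The script below is an added example, not part of the SoftNAS procedure; its function names are hypothetical and it assumes GNU `stat` and the `openssl` command line tool.

```bash
#!/usr/bin/env bash
# Added example: checks to run after copying the files and editing ssl.conf,
# before "service httpd restart". Function names are hypothetical.

# Print the path set for a directive, skipping commented-out lines.
conf_path() {              # usage: conf_path <directive> <ssl.conf>
  awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Succeed only if group and other have no access to the private key.
key_is_private() {         # usage: key_is_private <keyfile>
  local mode
  mode=$(stat -c '%a' "$1") || return 2     # GNU stat, as on CentOS
  case "$mode" in *00|0) return 0 ;; *) return 1 ;; esac
}

# Succeed only if the certificate and the key hold the same public key.
cert_matches_key() {       # usage: cert_matches_key <cert> <key>
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$from_cert" = "$from_key" ]
}

# Resolve both paths from the config Apache will read, then run every check.
preflight() {              # usage: preflight <ssl.conf>
  local crt key
  crt=$(conf_path SSLCertificateFile "$1")
  key=$(conf_path SSLCertificateKeyFile "$1")
  if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
    echo "FAIL: configured certificate or key is missing" >&2; return 1
  fi
  key_is_private "$key" || { echo "FAIL: $key is group/world accessible" >&2; return 1; }
  cert_matches_key "$crt" "$key" || { echo "FAIL: certificate and key differ" >&2; return 1; }
  echo "OK: $crt pairs with $key"
}

# With a config path as argument, run the checks and Apache's own syntax test.
if [ "$#" -gt 0 ]; then
  preflight "$1" && apachectl configtest
fi
```

Run it as root with `/etc/httpd/conf.d/ssl.conf` as the argument; a key that fails the permission check can be tightened with `chmod 600` before restarting.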


Additional Info

Warning

It is HIGHLY recommended to add the certificates before configuring replication to avoid any SnapReplicate™ interruption, as changing the keys will deactivate replication.

Change Keys after Configuring SnapReplicate™

If you need to change the keys after configuring SnapReplicate™, run the following on both the source and target nodes:

  • Erase the SSH fingerprints by using the following command:

    sed -i '/<OTHER-NODE-IP-ADDRESS>/d' .ssh/known_hosts

  • Add a new set of fingerprints by using the following command:

    ssh-keyscan <OTHER-NODE-IP-ADDRESS> >> .ssh/known_hosts

  • Log into the SoftNAS Web UI (StorageCenter) on both instances and try to activate HA again.
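
The `sed` pattern in the first step is an unanchored regular expression, so it can delete entries for hosts other than the peer node. The comparison below is an added example, not part of the SoftNAS procedure; the addresses, host names, key strings and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: the sed pattern from the step above compared with an exact
# host match. Sample data and function names are constructed for illustration.

# Constructed known_hosts content; key material is placeholder text.
sample_known_hosts() {
  cat <<'EOF'
10.0.0.5 ssh-ed25519 AAAA-constructed-key-A
10.0.0.50 ssh-ed25519 AAAA-constructed-key-B
node10-0-0-5.lab ssh-rsa AAAA-constructed-key-C
nas-b,10.0.0.5 ecdsa-sha2-nistp256 AAAA-constructed-key-D
EOF
}

# The page's approach: an unanchored regex, so "." matches any character
# and longer addresses that contain the pattern are deleted as well.
remove_by_regex() {        # usage: remove_by_regex <ip> < known_hosts
  sed "/$1/d"
}

# Delete a line only when one entry of its comma-separated host field
# equals the address exactly. Hashed host fields are not handled here.
remove_exact() {           # usage: remove_exact <ip> < known_hosts
  awk -v ip="$1" '{
    n = split($1, hosts, ","); hit = 0
    for (i = 1; i <= n; i++) if (hosts[i] == ip) hit = 1
    if (!hit) print
  }'
}

# Number of entries left after each method, for the peer address 10.0.0.5.
left_after_regex() { sample_known_hosts | remove_by_regex 10.0.0.5 | wc -l | tr -d ' '; }
left_after_exact() { sample_known_hosts | remove_exact 10.0.0.5 | wc -l | tr -d ' '; }

echo "regex: $(left_after_regex) entries left, exact: $(left_after_exact) left"
```

On a live node, `ssh-keygen -R <OTHER-NODE-IP-ADDRESS>` performs the exact removal and also handles hashed entries. Because `ssh-keyscan` does not authenticate the key it fetches, compare the output of `ssh-keygen -lf .ssh/known_hosts` with the fingerprint read on the other node's console before activating HA.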

If you continue to experience issues, please contact Buurst Support for further assistance.