Purpose

This article provides the steps required to supply your own certificates to your SoftNAS instance.

Symptoms

An SSL certificate is necessary for more than just distributing the public key. If it is signed by a trusted third-party, it verifies the identity of the server so clients know they aren’t sending their information (encrypted or not) to the wrong person.

What is a Self-Signed Certificate?

It is a certificate that is signed by itself rather than a trusted third party. This is not a good idea for most business use cases. You will almost never want to use a self-signed certificate on a public Apache server that requires anonymous visitors to connect to your site because they could easily become a victim of a man-in-the-middle attack.

When could a Self-Signed Certificate prove adequate?

  • Apache development server - There is no need to spend extra money buying a trusted certificate when you are just developing or testing an application.
  • Intranet - When clients only have to go through a local Intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.
  • Personal sites with few visitors - If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connection.


Final Take

In other words, when deploying your SoftNAS server into an enterprise use case, it may be required (or at least strongly recommended) that you switch the default self-signed certificates for your own enterprise certificates.


Resolution

If you want to send or receive messages signed by root authorities and these authorities are not installed on the server, you must add a trusted root certificate manually.

Use the following steps to add or remove trusted root certificates to/from a server:

  • Take a backup of the existing certificate and key files using the following commands:

    mv /etc/pki/tls/certs/ca.crt /etc/pki/tls/certs/ca.crt-old
    mv /etc/pki/tls/private/ca.key /etc/pki/tls/private/ca.key-old

  • Upload the SSL certificate and key file using any preferred SSH client to the SoftNAS node and copy the newly uploaded certificate and key files to the correct path using the following commands:

    cp <new>.crt /etc/pki/tls/certs/ca.crt
    cp <new>.key /etc/pki/tls/private/ca.key


  • Ensure that the ca.crt file has the correct permissions of 644 with root ownership using the following commands:

    chown root:root /etc/pki/tls/certs/ca.crt
    chmod 644 /etc/pki/tls/certs/ca.crt


  • Ensure that the ca.key file has the correct permissions of 600 with root ownership using the following commands:

    chown root:root /etc/pki/tls/private/ca.key
    chmod 600 /etc/pki/tls/private/ca.key


  • Once the new certificates and keys are in the correct place, check the Nginx configuration file and restart the service using the following commands:

    nginx -t
    systemctl restart nginx
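A pre-flight check for the uploaded files, to run before the copy step so that a mismatched, encrypted, or expired pair never replaces the working files. This is an added example, not part of the original article or of SoftNAS; the function name `check_pair` is hypothetical and the `openssl` command-line tool is assumed to be installed on the node.

```shell
#!/bin/sh
# Added example: validate a staged certificate/key pair before installing it.
# Return codes: 0 = all checks passed, 1 = bad certificate, 2 = bad key,
#               3 = certificate and key do not match, 4 = certificate expired.
check_pair() {
    cert=$1
    key=$2

    # 1. The certificate must parse as a PEM X.509 certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $cert is not a readable PEM certificate" >&2; return 1; }

    # 2. The key must load without a passphrase. The empty -passin value
    #    stops openssl from prompting interactively on an encrypted key,
    #    which the web server could not load unattended at restart.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "FAIL: $key is unreadable or passphrase-protected" >&2; return 2; }

    # 3. Both files must carry the same public key.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: certificate and key do not match" >&2; return 3; }

    # 4. The certificate must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: certificate has expired" >&2; return 4; }

    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
    return 0
}

# Stand-alone use: sh check_pair.sh <new>.crt <new>.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

Run the copy commands only when the function returns 0; `nginx -t` remains the final check after the files are in place.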


Note

Changing the keys will deactivate replication, so it is HIGHLY recommended to add the certificates BEFORE configuring replication to avoid any SnapReplicate™ interruption.

Change Keys after Configuring SnapReplicate™

Execute the following steps on both the target and source node:

  • Erase the SSH fingerprints by using the following command:

    sed -i '/<OTHER-NODE-IP-ADDRESS>/d' ~/.ssh/known_hosts

  • Add a new set of fingerprints by using the following command:

    ssh-keyscan <OTHER-NODE-IP-ADDRESS> >> ~/.ssh/known_hosts

  • Log in to the SoftNAS Web UI (StorageCenter) on both instances and try to activate HA again.
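`ssh-keyscan` accepts whatever key the network returns, so the fingerprint step can be tightened by appending only a key whose fingerprint matches one read directly on the other node (for example with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on its console). The following is an added example, not part of the original article or of SoftNAS; the helper name `add_verified_key` and the file name `scanned.txt` are hypothetical.

```shell
#!/bin/sh
# Added example: trust a scanned host key only if its fingerprint matches
# one obtained out of band.
#   $1 = file containing ssh-keyscan output for the other node
#   $2 = expected SHA256 fingerprint, e.g. 'SHA256:<fingerprint>'
#   $3 = known_hosts file to update
# Returns 0 if a matching key was appended, 1 if none matched.
#
# Typical use:
#   ssh-keyscan <OTHER-NODE-IP-ADDRESS> > scanned.txt
#   add_verified_key scanned.txt 'SHA256:<fingerprint>' ~/.ssh/known_hosts
add_verified_key() {
    scanned=$1; expected=$2; known_hosts=$3
    tmp=$(mktemp) || return 2
    result=1   # set to 0 once a matching key has been appended

    # Fingerprint each scanned line separately so that only the matching
    # key is appended, never an unverified key of another type.
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        printf '%s\n' "$line" > "$tmp"
        # ssh-keygen -lf prints: <bits> <fingerprint> <host> (<type>)
        fp=$(ssh-keygen -lf "$tmp" 2>/dev/null | awk '{print $2}')
        if [ "$fp" = "$expected" ]; then
            printf '%s\n' "$line" >> "$known_hosts"
            result=0
        fi
    done < "$scanned"

    rm -f "$tmp"
    [ "$result" -eq 0 ] || echo "FAIL: no scanned key matches $expected" >&2
    return "$result"
}
```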


If you continue to experience issues, please contact Buurst Support for further assistance.