Generating alternative certificates for OpenOndemand, OOD

During installation, TrinityX expects correct trix_external_fqdn settings. A single certificate is typically generated for all certificate-dependent components.

When the external FQDN changes, or when this information was not available at install time, the procedure below allows an additional, separate certificate to be generated for OOD.

Note that the steps below break the out-of-the-box upgrade path.


Steps:

  • log in as root on the controller

  • create a directory ‘certs’ in ~/

  • chdir into ~/certs

  • generate the gen_cert.sh script with the following contents:

#!/bin/bash

# MYHOSTNAME must be changed if the IP/endpoint used to reach the portal is not equal to the server's FQDN
MYHOSTNAME=$(hostname --long)

# remove any previously generated CSR/key/certificate for this host
rm -f ood-${MYHOSTNAME}.*

# the current epoch time is used as the certificate serial number
serial=$(date +%s)

# create the CSR and an unencrypted private key; san.conf (copied from /trinity/local/etc/ssl) provides the request settings
openssl req -new -nodes -sha512 \
        -subj '/C=NL/ST=Noord Holland/L=Amsterdam/O=ClusterVision Solutions B.V./CN='${MYHOSTNAME} \
        -out 'ood-'${MYHOSTNAME}'.csr' \
        -keyout 'ood-'${MYHOSTNAME}'.key' \
        -config 'san.conf'

# sign the CSR with the cluster CA, taking the subjectAltName entries from the req_ext section of san.conf
openssl x509 -req \
        -days 3650 \
        -in 'ood-'${MYHOSTNAME}'.csr' \
        -CA '/trinity/local/etc/ssl/cluster-ca.crt' \
        -CAkey '/trinity/local/etc/ssl/cluster-ca.key' \
        -out 'ood-'${MYHOSTNAME}'.crt' \
        -extensions req_ext \
        -extfile 'san.conf' \
        -set_serial $serial

# print the subject and subjectAltName of the resulting certificate so they can be checked against san.conf
openssl x509 -subject -ext subjectAltName -noout -in ood-${MYHOSTNAME}.crt

  • copy /trinity/local/etc/ssl/san.conf to ~/certs

  • alter ~/certs/san.conf to match the requirements (its subjectAltName entries must cover the FQDN/endpoint used to reach the portal)

  • run the gen_cert.sh script

  • restrict access to the private key: chmod og-rx *.key

  • move the newly generated .crt and .key files to the /trinity/local/etc/ssl directory

  • alter the OOD config file /etc/ood/config/ood_portal.yml to reflect the new FQDN and/or certificates (this breaks the upgrade path; after an upgrade this and the following steps need to be repeated):

      • ssl: must point at the newly generated certificate and key file locations

      • servername: must match the name configured in san.conf

  • regenerate the OOD config: /opt/ood/ood-portal-generator/sbin/update_ood_portal

  • restart the involved services: systemctl restart ondemand-dex.service httpd htcacheclean.service
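Before editing ood_portal.yml it is worth confirming that the new files are usable. The script below is an added example, not part of the TrinityX procedure or tooling; it assumes the ood-<fqdn>.crt/.key naming and the cluster CA path from the steps above, and CERT_DIR, CA_CRT and OOD_SERVERNAME are placeholders to adjust.

```shell
#!/bin/bash
# Added example (not part of the TrinityX procedure): sanity-check the
# alternative OOD certificate before editing ood_portal.yml.
# CERT_DIR, CA_CRT and OOD_SERVERNAME are placeholders; defaults follow the
# paths used in the steps above.
CERT_DIR=${CERT_DIR:-/trinity/local/etc/ssl}
CA_CRT=${CA_CRT:-/trinity/local/etc/ssl/cluster-ca.crt}
OOD_SERVERNAME=${OOD_SERVERNAME:-$(hostname --long 2>/dev/null)}  # servername: in ood_portal.yml

# san_contains SAN_TEXT NAME: succeeds if NAME appears as a DNS: entry in the
# output of `openssl x509 -noout -ext subjectAltName`
san_contains() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# key_private_enough FILE: succeeds if group and other have no permission bits
# (the result of `chmod og-rx` on a 0644 key is 0600)
key_private_enough() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# cert_matches_key CRT KEY: succeeds if the certificate's public key is the key's
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# check_ood_cert: run all checks on ood-<fqdn>.crt/.key in CERT_DIR
check_ood_cert() {
    local host crt key san
    host=$(hostname --long)
    crt="$CERT_DIR/ood-$host.crt"
    key="$CERT_DIR/ood-$host.key"
    openssl verify -CAfile "$CA_CRT" "$crt" >/dev/null \
        || { echo "FAIL: $crt does not chain to $CA_CRT"; return 1; }
    cert_matches_key "$crt" "$key" \
        || { echo "FAIL: $crt and $key do not belong together"; return 1; }
    san=$(openssl x509 -noout -ext subjectAltName -in "$crt")
    san_contains "$san" "$OOD_SERVERNAME" \
        || { echo "FAIL: SAN of $crt lacks DNS:$OOD_SERVERNAME"; return 1; }
    key_private_enough "$key" \
        || { echo "FAIL: $key is readable by group/other"; return 1; }
    echo "OK: $crt covers servername $OOD_SERVERNAME and chains to the cluster CA"
}

# run the checks only when invoked with --check, so the file can also be sourced
if [ "${1:-}" = "--check" ]; then check_ood_cert; fi
```

Run it as root on the controller with `--check` after the files have been moved into /trinity/local/etc/ssl; any FAIL line points at the step that needs to be redone.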