Replacing server SSL certificate

Taomyn
Posts: 3
Joined: 31 May 2022, 14:34

Replacing server SSL certificate

Post by Taomyn »

I have installed Opsi for the first time and things are going fine so far, but I am having problems replacing the server SSL certificates with one from my local CA. I've uploaded the new cert and the key, then added the following lines to the opsiconfd.conf file, but all it ever does is replace the same files with new ones generated by the Opsi CA.

Code:

ssl-server-cert = /etc/opsi/ssl/kang_mydomain_com.crt
ssl-server-key = /etc/opsi/ssl/kang_mydomain_com.key
I also tried adding the following and still the same:

Code:

ssl-ca-cert = /etc/opsi/ssl/CACert.crt
ssl-trusted-certs = /etc/opsi/ssl/CACert.crt
Lastly, I tried the

Code:

skip-setup = ssl
but then the service failed to load.

What's the correct procedure, because this doesn't appear to be fully documented in the English documentation online?
j.schneider
uib-Team
Posts: 1789
Joined: 29 May 2008, 15:14

Re: Replacing server SSL certificate

Post by j.schneider »

Hello,

first of all you should think twice before replacing these certificates.
The opsi ca is used to automatically create and renew certificates for opsi-servers and clients.

If you really want to manage all the certificates manually, you should set

Code:

skip-setup = ssl
And place the server certificate into /etc/opsi/ssl/opsiconfd-cert.pem and the private key into /etc/opsi/ssl/opsiconfd-key.pem.

Regards,
Jan Schneider
Taomyn
Posts: 3
Joined: 31 May 2022, 14:34

Re: Replacing server SSL certificate

Post by Taomyn »

Hi Jan,

Thanks for the prompt advice - I totally get why you would urge caution but the issue I have is that my domain is protected by HSTS which means any certificate has to be trusted by the browser or it will not load unless I use the IP address. Now I know I could just add the Opsi CA certificate to the local machine's trusted store but when I already have a CA infrastructure set up it seems that would be the better way to go. The server certificate I can replace annually myself just as I do for all my other services and the Windows clients all have their own certificate that is automatically updated by Active Directory.

Anyway, as I am still just evaluating Opsi and learning how it works I'll just add the Opsi CA certificate to my workstation and continue that way. I can revisit this again later hopefully.

BTW, is there any way to change the login prompt of the opsiconfd admin website to use a standard form for the credentials? I cannot use my browser's Bitwarden password manager extension to enter the complex credentials with the pop-up - it still surprises me that this feature has still not been deprecated in all browsers or made available to extensions to auto-fill.

Cheers,
Taomyn
j.schneider
uib-Team
Posts: 1789
Joined: 29 May 2008, 15:14

Re: Replacing server SSL certificate

Post by j.schneider »

Hi Taomyn,

please note that our opsi-client-agent can be configured to automatically import the opsi ca into the operating system certificate store.

See opsiclientd.global.install_opsi_ca_into_os_store in the documentation:

https://docs.opsi.org/opsi-docs-en/4.2/ ... ver2client

Unfortunately there is currently no other way to log in to opsiconfd, but I will take that on our list.

Regards,
Jan
SisterOfMercy
Posts: 1522
Joined: 22 Jun 2012, 19:18

Re: Replacing server SSL certificate

Post by SisterOfMercy »

Taomyn wrote: 01 Jun 2022, 09:38 Anyway, as I am still just evaluating Opsi and learning how it works I'll just add the Opsi CA certificate to my workstation and continue that way. I can revisit this again later hopefully.
I'm not sure if the way opsi uses the certificates is public. I know the default way has a failsafe. You don't want to manually update the certificate on every client.
Please write in German when I'm responding in the German-speaking part of the forum!