
PE external SSL cert for console 2018.1

asked 2018-06-01 17:50:37 -0500 by woter324, updated 2018-06-01 21:11:06 -0500

I've done a new install of PE 2018.01 on CentOS 7. I've used an AD certificate authority to generate a certificate for the console. As far as I can tell, the certificate is valid.

I followed the guide here to replace the PE CA signed cert for the console.

I have two issues:

  1. The certificate has not changed. The browser still picks up the PE CA cert.
  2. The console port has changed from 443 to 4431.

I've found this post and this post, where users have similar issues, but neither post has a resolution. I've rebooted my PE server and waited 5+ hours.

In addition to the instructions, I have also changed the owner, group and permissions to match the supplied cert:

/opt/puppetlabs/server/data/console-services/certs
[root@pup01 certs]# ls -lat
total 24
drwx------. 2 pe-console-services pe-console-services  231 Jun  1 16:38 .
-r--------  1 pe-console-services pe-console-services 2693 Jun  1 16:38 puplic-console.cert.pem
-r--------  1 pe-console-services pe-console-services 2010 Jun  1 16:38 puplic-console.private_key.pem
drwxr-xr-x. 3 pe-console-services pe-console-services   41 May 30 01:05 ..
-r--------. 1 pe-console-services pe-console-services 2375 May 30 01:05 pup01.mydomain.com.private_key.pk8
-r--------. 1 pe-console-services pe-console-services  800 May 30 01:03 pup01.mydomain.com.public_key.pem
-r--------. 1 pe-console-services pe-console-services 3243 May 30 01:03 pup01.mydomain.com.private_key.pem
-r--------. 1 pe-console-services pe-console-services 2098 May 30 01:03 pup01.mydomain.cert.pem

To confirm the port change:

[root@pup01 certs]# netstat -ant | grep 443
tcp6       0      0 127.0.0.1:4430          :::*                    LISTEN
tcp6       0      0 :::4431                 :::*                    LISTEN
tcp6       0      0 127.0.0.1:4432          :::*                    LISTEN
tcp6       0      0 :::4433                 :::*                    LISTEN

Nothing listening on port 443, and:

[root@pup01 certs]# telnet localhost 443
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

Any ideas?

Thanks W.


I did post the following as an answer because it worked for 10 minutes, but I'm now back where I started with the same error. However, at least I know what the problem is now. I've moved it to the question as it may help with troubleshooting:

~~So I've got it.~~

I found nginx wasn't running due to a problem with the certificate, well actually a problem with the path. I guess when nginx isn't running, there is a backup port of 4431, or maybe, as I understand nginx is to do with load balancing, one runs on 4431 and the other on 4430 and the "virtual" service runs on 443. Please excuse my noob theory.

The problem is something to do with copying in the path of the certificate into Class: puppet_enterprise::profile::console browser_ssl_cert via Chrome on Windows 7 & 10.

If I cat the log /var/log/puppetlabs/nginx/error.log, I get the error:

2018/06/02 02:02:48 [emerg] 3306#0: BIO_new_file("/opt/puppetlabs/server/data/console-services/certs/public-console.cert.pem") failed ...
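The question's own evidence points at the triage sequence a practitioner would run here: pull the path nginx complained about out of error.log, check that the file actually exists and is readable at that exact path (listing similarly named files in the directory so a misspelling stands out), and confirm the certificate and private key belong together. The script below is an added example, not code from the question or from Puppet Enterprise. It assumes the log and certificate directory paths quoted in the question; the sample log line in the usage note is constructed from the one the questioner posted, and the cert/key comparison needs `openssl` on the host.

```shell
#!/bin/sh
# Added example (not from the original post). Triage an nginx/PE console cert
# failure of the kind shown in the question: nginx logs BIO_new_file("<path>") failed
# when it cannot open the configured certificate or key.
# Assumptions: error log at /var/log/puppetlabs/nginx/error.log and certs under
# /opt/puppetlabs/server/data/console-services/certs (both paths from the question).

# Print every distinct path nginx reported it could not open via BIO_new_file().
# Usage: nginx_missing_cert_paths /var/log/puppetlabs/nginx/error.log
nginx_missing_cert_paths() {
    sed -n 's/.*BIO_new_file("\([^"]*\)") failed.*/\1/p' "$1" | sort -u
}

# Report whether a path exists as a readable regular file. If it does not, list files
# in the same directory that share its suffix (e.g. ".cert.pem"), so a typo such as
# "puplic-console" next to the expected "public-console" is visible immediately.
# Returns 0 if the path is a readable regular file, 1 otherwise.
check_cert_path() {
    path=$1
    dir=$(dirname "$path")
    base=$(basename "$path")
    if [ -f "$path" ] && [ -r "$path" ]; then
        echo "ok: $path"
        return 0
    fi
    echo "missing or unreadable: $path"
    if [ -d "$dir" ]; then
        suffix=${base#*.}                       # "public-console.cert.pem" -> "cert.pem"
        ls -l "$dir" 2>/dev/null | grep -F ".$suffix" | sed 's/^/  candidate: /'
    fi
    return 1
}

# Confirm a certificate and private key belong together by comparing their public keys.
# Returns 0 on match, 1 on mismatch, 2 if openssl cannot parse either file.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# End-to-end: every path nginx failed to open is checked; exit 1 if any is bad.
# Paths containing whitespace are not handled (word splitting in the for loop).
triage() {
    log=${1:-/var/log/puppetlabs/nginx/error.log}
    status=0
    for p in $(nginx_missing_cert_paths "$log"); do
        check_cert_path "$p" || status=1
    done
    return $status
}
```

Running `triage` on the host would print `missing or unreadable: /opt/puppetlabs/server/data/console-services/certs/public-console.cert.pem` followed by a `candidate:` line for each `*.cert.pem` file in that directory. Once the path is right, `cert_key_match cert.pem key.pem` guards against the next common failure, a key that does not belong to the cert, which nginx also reports only at startup. Checking as root hides permission problems, so run `check_cert_path` as the service account too (for example with `sudo -u pe-console-services`) if the file is present but nginx still cannot open it.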

1 Answer


answered 2018-06-02 11:33:24 -0500 by woter324

Very embarrassed, I'll blame getting old and failing eyesight on high resolution, small screens.

The cert files should be named public-console.* and not puplic-console.* (note the extra "p")!

Oh dear, time for me to find a new career!


Comments

It happens to the best of us... glad you found a solution!

DarylW (2018-06-04 07:00:45 -0500)
