Posted on July 11, 2018 4:19 pm
 |  Asked by Nicola von Thadden

Hi,

Since CVP 2018.1 introduced SSL/TLS certificate management in the web UI, I wondered whether there is also a supported way to change it via the CLI on the system itself.
I would like to automatically deploy and update the certificates with Let's Encrypt. Since the renewal happens every few weeks, that would be better done via a cron job than by hand in the GUI.
I guess replacing the file on disk and then restarting nginx is not the best or supported way for our multi-node cluster ;)
What would you recommend to do besides buying a certificate with a longer lifetime or sticking to self-signed certs?

Thanks
Nico

Posted by Tyler Conrad
Answered on July 11, 2018 4:36 pm

What you’ve suggested is one option, adding the certs as /etc/nginx/cvp.crt and /etc/nginx/cvp.key, and restarting the nginx service. Another option is to use CVP’s API to upload the certificate/key.

Within CVP, at the top right click on the question-mark and there’s an option called ‘Supported APIs’. This has information about the APIs that we expose to CVP users. Under ssl > ssl/importCertAndPrivateKey.do, you have an option to upload your certificate. The API expects your cert in PEM format with separate key and certificate.

JSON data expected:
    {
        "publicCert": "string",
        "privateKey": "string",
        "certType": "string",
        "passPhrase": "string"
    }

publicCert – string value of the base64 certificate data.
privateKey – string value of the base64 private key.
certType – options are cvpCert, dcaCert – if you’re trying to update the webui certificate, use cvpCert.
passPhrase – if you have a passphrase configured on your private key, enter this here, otherwise send null (“”).

For some useful examples of how to interact with the CVP api, check out the CVPRAC project on github: https://github.com/aristanetworks/cvprac/. It doesn’t currently have a module to import certificates itself, but I wouldn’t be surprised if it gets added soon.

Just ran this through my lab to validate, and it works well, with a couple of other points:
The Base64 cert and key need to have the -----BEGIN/END sections removed in order to import.
Once the import is successful (you should get a response with the certificate data), you’ll also need to run /ssl/installCertificate.do to complete the import.

(Tyler Conrad at July 11, 2018 6:24 pm)
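The two-step procedure from the answer above (import the PEM bodies with the BEGIN/END lines stripped, then call installCertificate.do), written out as an added example for this thread; it is not code from Arista, CVP or the cvprac project. The endpoint names, the four JSON fields and the cvpCert type come from the answer. The /cvpservice URL prefix, the login/authenticate.do endpoint, the errorCode field in error replies, and the empty body sent to installCertificate.do are assumptions, as is joining the base64 lines into one string.

```python
"""Install a renewed Let's Encrypt certificate into CloudVision Portal (CVP)
over its REST API, e.g. from a certbot deploy hook or a cron job.

Added example for this thread, not code from Arista, CVP or cvprac. The two
endpoints (ssl/importCertAndPrivateKey.do, ssl/installCertificate.do), the JSON
fields and certType=cvpCert come from the answer above. The /cvpservice prefix,
the login/authenticate.do endpoint, the errorCode field in error replies and the
empty body sent to installCertificate.do are assumptions.
"""
import json
import ssl
import urllib.request
from http.cookiejar import CookieJar


def pem_body(pem_text):
    """Return the base64 data of exactly one PEM block with the
    -----BEGIN/END----- lines removed, which the import endpoint requires.
    Line breaks are dropped too, so the value is one base64 string (assumption)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("expected a single PEM block")
    if sum(ln.startswith("-----BEGIN") for ln in lines) != 1:
        # certbot's fullchain.pem holds several blocks; the thread only covers one
        # certificate, so pass cert.pem (the leaf) rather than the chain.
        raise ValueError("expected exactly one PEM block, got a chain")
    return "".join(lines[1:-1])


def build_import_payload(cert_pem, key_pem, cert_type="cvpCert", passphrase=""):
    """JSON body for importCertAndPrivateKey.do, in the shape given in the answer."""
    return {
        "publicCert": pem_body(cert_pem),
        "privateKey": pem_body(key_pem),
        "certType": cert_type,
        "passPhrase": passphrase,  # "" when the key has no passphrase
    }


class CvpClient:
    def __init__(self, base_url, cafile=None, transport=None):
        # base_url e.g. "https://cvp.example.com/cvpservice" (prefix assumed).
        # transport(url, payload) -> dict can be injected for testing.
        self.base_url = base_url.rstrip("/")
        self._transport = transport or self._https_post
        self._cafile = cafile
        self._opener = None

    def _https_post(self, url, payload):
        if self._opener is None:
            # Verify CVP's current certificate; pass cafile for the CA behind an
            # internal or self-signed cert. The cookie jar keeps the login session.
            ctx = ssl.create_default_context(cafile=self._cafile)
            self._opener = urllib.request.build_opener(
                urllib.request.HTTPCookieProcessor(CookieJar()),
                urllib.request.HTTPSHandler(context=ctx))
        req = urllib.request.Request(
            url, data=json.dumps(payload).encode("utf-8"), method="POST",
            headers={"Content-Type": "application/json", "Accept": "application/json"})
        with self._opener.open(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def post(self, path, payload):
        reply = self._transport(self.base_url + path, payload)
        if isinstance(reply, dict) and "errorCode" in reply:  # assumed CVP error shape
            raise RuntimeError(f"{path}: {reply.get('errorMessage', reply['errorCode'])}")
        return reply

    def login(self, user, password):
        return self.post("/login/authenticate.do", {"userId": user, "password": password})

    def install_web_certificate(self, cert_pem, key_pem, passphrase=""):
        """Two-step procedure from the answer: import, then install."""
        imported = self.post("/ssl/importCertAndPrivateKey.do",
                             build_import_payload(cert_pem, key_pem, "cvpCert", passphrase))
        installed = self.post("/ssl/installCertificate.do", {})  # body assumed
        return imported, installed


if __name__ == "__main__":
    import os
    live = "/etc/letsencrypt/live/cvp.example.com"  # certbot's default layout
    client = CvpClient("https://cvp.example.com/cvpservice",
                       cafile=os.environ.get("CVP_CAFILE"))
    client.login("cvpadmin", os.environ["CVP_PASSWORD"])
    with open(f"{live}/cert.pem") as c, open(f"{live}/privkey.pem") as k:
        imported, installed = client.install_web_certificate(c.read(), k.read())
    print("installed:", json.dumps(installed))
```

Run it as a certbot `--deploy-hook` (or from cron after `certbot renew`) with the CVP password in the environment rather than on the command line. It keeps TLS verification on for the call to CVP itself; until the first Let's Encrypt certificate is installed, point CVP_CAFILE at the CA that signed the current self-signed cert instead of disabling verification.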
Hello Tyler, can you please share the code? EDIT: Thanks for the hint, I was able to implement this: https://blog.rabin.io/sysadmin/automated-ssl-tls-cert-in-cvp
(Rabin Yasharzadehe at October 9, 2018 9:39 am)
