Hi Team,
We have tried to configure a 3-node HA setup and pointed to the load balancer URL in morpheus.rb. If we want to replace the SSL certificate with one that was generated externally and that points to the LB FQDN, what are all the steps we need to follow? Currently we have the pfx file and performed the commands below, but we are still getting the “not secure” error when accessing the URL.
Sorry, I'm not quite sure about the meaning of “FE nodes”, but we are implementing the SSL certificate on the Morpheus VM nodes.
By the way, the customer is providing us with the .pfx file and we are following the guide below to extract the private key and certificate. Should we use pub.crt or ca.crt as nginx['ssl_certificate']?
To @cbunge’s point, some users will decide to put the certificate on their load balancer only, leaving the self-signed certificate on Morpheus. This still keeps it secure but removes some of the administrative burden. However, some organizations require the certificate to be on the appliances as well or they don’t use the certificate on their load balancer. If implementing on the appliances, here is some additional information.
nginx['ssl_certificate']
Should point to the entire chain. This file should include the CA, intermediates, and the public certificate. There have been times I’ve not been provided the entire chain.
Sometimes the provider of a certificate might also give you a “bundled” certificate that contains them all, to make it easier.
You can review errors in the nginx log, which will give you an indication of any issue, such as a certificate mismatch, permissions to the file, password is on it, etc.
Command to view the log in real time: morpheus-ctl tail nginx
Location of the log if you need to review it more closely: /var/log/morpheus/nginx/current
Thank you for your response. We are following the same steps to apply the SSL certificate on the Morpheus VM. nginx can be started normally and we didn’t see any error in /var/log/morpheus/nginx/current.
However, when we access the Morpheus URL from Chrome, it shows that the certificate is not valid, as follows:
@yingshuang, I’d try restarting the morpheus-ui service, I’ve seen on occasion it being needed.
Morpheus will be unavailable while you restart the service on that node. You can roll through the environment restarting the service once the previous one has finished, if your load balancer is working, just not secure yet.
To restart the Morpheus UI service, run the following command: morpheus-ctl restart morpheus-ui
You can watch the startup of the service logs using the below command. Although, I don’t think you’ll see anything related to this in them as it starts, just more to monitor: morpheus-ctl tail morpheus-ui
Yes, we restarted the morpheus-ui service and it is running properly. After restarting morpheus-ui, we could access the Morpheus portal, but it is still showing an invalid certificate, as follows:
@yingshuang I’m thinking the certificate you are seeing is from your load balancer or somewhere else. The default self-signed certificate Morpheus generates looks like this:
Either the certificate is not coming from the Morpheus node or, if it is, then that might be what the certificate was configured with. If that is what the certificate is configured with, it looks to be missing the CN as a DNS name and probably also the SANs as well. The date on the certificate says it was generated 2 days ago, so the SSL cert is probably working correctly; just the certificate itself has not been configured properly, would be my thoughts.
If you continue to have issues, I’d recommend opening a support case. It will allow for easier troubleshooting.
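The checks discussed in this thread (how many certificates are in the file behind nginx['ssl_certificate'], whether the certificate's CN/SAN covers the load balancer FQDN, and whether the extracted key matches the certificate) can be scripted with openssl. This is an added example, not part of the original posts or Morpheus's own tooling; the FQDN morpheus-lb.example.com, the helper names and the generated certificates are constructed for the demo, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. Hostname and certificates are constructed; needs OpenSSL 1.1.1+.

# Count PEM certificates in a file (a full chain holds leaf + intermediates + CA).
chain_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed if the first certificate in the file covers the host name
# (SAN DNS entries, or the CN when the certificate has no DNS SANs).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Succeed if certificate and private key carry the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the leaf certificate an endpoint serves; run it against the load
# balancer and against each node to see which one presents which certificate.
served_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# --- Constructed demo input: one certificate with a SAN, one without any name ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
LB_FQDN=morpheus-lb.example.com   # hypothetical load balancer FQDN

make_cert() {  # make_cert NAME SUBJECT [SAN]
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        ${3:+-addext} ${3:+"subjectAltName=$3"} \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.crt" 2>/dev/null
}
make_cert good "/CN=$LB_FQDN" "DNS:$LB_FQDN"
make_cert bad "/O=Constructed Org"

for n in good bad; do
    if cert_covers_host "$DEMO_DIR/$n.crt" "$LB_FQDN"; then r="covers"
    else r="does NOT cover"; fi
    echo "$n.crt $r $LB_FQDN"
done
```

Piping `served_cert <host>` into `openssl x509 -noout -text` shows the subject, SANs and dates of whatever certificate that endpoint is actually presenting.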