3node HA SSL configuration

Hi Team,
We have tried to configure the 3-node HA and pointed the Load Balancer URL in morpheus.rb. If we want to replace the SSL certificate, which is generated outside and points to the LB FQDN in the certificate, then what are all the steps we need to follow? Currently we have the pfx file and perform the below commands, but are still getting the not secure error while accessing the URL.

openssl pkcs12 -in your_cert.pfx -clcerts -nokeys -out server.crt

openssl pkcs12 -in your_cert.pfx -nocerts -nodes -out server.key

nginx['ssl_certificate'] = 'ca.crt'
nginx['ssl_server_key'] = 'priv.key'

morpheus-ctl reconfigure
morpheus-ctl restart nginx

Are you terminating SSL at the LB or at the FE nodes?

Hi @cbunge ,

Sorry, not quite sure about the meaning of “FE nodes”, but we are implementing the SSL certificate on the Morpheus VM nodes.

Btw, the customer is providing us the .pfx file and we are following the below guide to extract the private key and certificate. Should we use pub.crt or ca.crt as nginx['ssl_certificate']?

Extract the private key

openssl pkcs12 -in example.pfx -nocerts -nodes -out priv.key

Extract the public key

openssl pkcs12 -in example.pfx -clcerts -nokeys -out pub.crt

Extract the CA cert chain

openssl pkcs12 -in example.pfx -cacerts -nokeys -chain -out ca.crt

Hello @yingshuang,

To @cbunge’s point, some users will decide to put the certificate on their load balancer only, leaving the self-signed certificate on Morpheus. This still keeps it secure but removes some of the administrative burden. However, some organizations require the certificate to be on the appliances as well, or they don’t use the certificate on their load balancer. If implementing on the appliances, here is some additional information.

nginx['ssl_certificate']

  • Should point to the entire chain. This file should include the CA, intermediates, and the public certificate. There have been times I’ve not been provided the entire chain.
  • Sometimes the provider of a certificate might also give you a “bundled” certificate that contains them all, to make it easier.
  • It is important to place them in the correct order in the file as well. Review the Creating a .pem with the Entire SSL Certificate Trust Chain example for more information:
    https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

nginx['ssl_server_key']

  • Should point to your private key only
  • The file should begin with -----BEGIN PRIVATE KEY-----

Once you have them in place and in your morpheus.rb file, do the following:

morpheus-ctl reconfigure
morpheus-ctl restart nginx

You can review errors in the nginx log, which will give you an indication of any issue, such as a certificate mismatch, permissions on the file, a password on it, etc.

Command to view the log in real time:
morpheus-ctl tail nginx

Location of the log if you need to review it more closely:
/var/log/morpheus/nginx/current

More information:
SSL Certificates Documentation
Load Balancer Configuration Documentation

Hope that helps!
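As an added example (not from this thread or the Morpheus documentation), the checks below validate exactly what the post above asks for before the files go into morpheus.rb: an unencrypted PEM key, a key that matches the leaf certificate, a chain in leaf-first order, and the LB FQDN present as a DNS SAN. It assumes openssl and mktemp are on PATH; the demo CA, leaf and FQDN are constructed throwaway material.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: sanity-check the chain file and key
# before pointing nginx['ssl_certificate'] / nginx['ssl_server_key'] at them.
# Assumes openssl and mktemp are on PATH; all names below are constructed.

# 1. Unencrypted PEM key (a passphrase-protected key breaks nginx startup).
check_key_pem() { grep -qE -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; }

# 2. The key must belong to the FIRST certificate in the chain (the leaf).
key_matches_leaf() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 3. Order: leaf, then each issuer in turn. Cert i's issuer == cert i+1's subject.
chain_in_order() {
  local tmp n i; tmp=$(mktemp -d); n=$(grep -c 'BEGIN CERT' "$1")
  [ "$n" -ge 1 ] || { rm -rf "$tmp"; return 1; }
  awk -v d="$tmp" '/BEGIN CERT/{n++} n{print > (d "/" n ".pem")}' "$1"
  for i in $(seq 1 $((n - 1))); do
    [ "$(openssl x509 -in "$tmp/$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')" ] \
      || { rm -rf "$tmp"; return 1; }
  done
  rm -rf "$tmp"
}

# 4. The leaf must carry the LB FQDN as a DNS SAN (a bare CN is not enough for Chrome).
san_has_name() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tr ', ' '\n\n' | grep -qx "DNS:$2"
}

check_ssl_material() {  # $1 chain file, $2 key file, $3 expected FQDN
  check_key_pem "$2" && key_matches_leaf "$1" "$2" && chain_in_order "$1" && san_has_name "$1" "$3"
}

# Constructed demo material: a throwaway root CA and a leaf issued for the LB name.
make_demo_chain() {  # $1 work dir, $2 FQDN
  local d="$1" fqdn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$d/priv.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$d/san.ext"
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/san.ext" -out "$d/pub.crt" 2>/dev/null
  cat "$d/pub.crt" "$d/ca.crt" > "$d/fullchain.pem"   # correct: leaf first, then its issuer
  cat "$d/ca.crt" "$d/pub.crt" > "$d/wrongorder.pem"  # reversed: nginx would serve the CA cert
}
```

Run `check_ssl_material fullchain.pem priv.key <lb-fqdn>` against the real files extracted from the pfx; a non-zero exit tells you which of the four conditions fails before you reconfigure.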

Hello @kgawronski ,

Thank you for your response. We are following the same steps to apply the SSL certificate on the Morpheus VM. Nginx can be started normally and we didn’t see any error in /var/log/morpheus/nginx/current.

However, when we access the Morpheus URL from Chrome, it is showing that the certificate is not valid, as follows:

[image]

Any idea about this?

@yingshuang, I’d try restarting the morpheus-ui service, I’ve seen on occasion it being needed.

:exclamation: Morpheus will be unavailable while you restart the service on that node. You can roll through the environment restarting the service once the previous one has finished, if your load balancer is working, just not secure yet.

To restart the Morpheus UI service, run the following command:
morpheus-ctl restart morpheus-ui

You can watch the startup of the service logs using the below command. Although, I don’t think you’ll see anything related to this in them as it starts, just more to monitor:
morpheus-ctl tail morpheus-ui

Hi @kgawronski ,

Yes, we restarted the Morpheus-ui service and it is running properly. After restarting Morpheus-ui, we could access the Morpheus portal, but it is still showing an invalid certificate, as follows:

[image]

Did you restart nginx per our documentation? Nginx needs to restart as well as the morpheus-ctl reconfigure

@yingshuang I’m thinking the certificate you are seeing is from your load balancer or somewhere else. The default self-signed certificate Morpheus generates looks like this:
[image]

Either the certificate is not coming from the Morpheus node or, if it is, then that might be what the certificate was configured with. If that is what the certificate is configured with, it looks to be missing the CN as a DNS name and probably the SANs as well. The date on the certificate says it was generated 2 days ago, so the SSL cert is probably working correctly; just the certificate itself has not been configured properly, would be my thoughts.

If you continue to have issues, I’d recommend opening a support case. It will allow for easier troubleshooting.

Hi @kgawronski ,

Thank you for your suggestion. As you suspected, this cert is from the LB. After applying the right cert to the LB, it is solved.

Thank you.