changing the SSL certificate in simulator

frigo

Hi! I am ramping up on ONTAP automation tooling and am checking how to automate the installation of certificates, starting with a simulator.

I have been able to successfully install a certificate for an object store, leveraging the Ansible module, which works great.

However, there is no way to change the certificate for the web UI (even by hand); the original certificate keeps getting used.

$ openssl s_client -connect 10.224.123.6:443 | openssl x509 -serial -noout
Can't use SSL_get_servername
depth=0 CN = DataONTAP.default.4082368-50-7, C = US
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = DataONTAP.default.4082368-50-7, C = US
verify return:1
serial=17551D832D6A0631
^C

Now installing the certificate:

test1::*> security certificate show -serial 17551D832D6A0631
There are no entries matching your query.

test1::*> security ssl modify -vserver test1 -server-enabled false

test1::*> security ssl modify -vserver test1 -ca testca -serial 498E6EE12BF76EC3BF9E9F3899395552C6C91F3B

test1::*> security ssl modify -vserver test1 -server-enabled true

Still, that old one (referenced nowhere) keeps getting used:

$ openssl s_client -connect 10.224.123.6:443 | openssl x509 -serial -noout
Can't use SSL_get_servername
depth=0 CN = DataONTAP.default.4082368-50-7, C = US
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = DataONTAP.default.4082368-50-7, C = US
verify return:1
serial=17551D832D6A0631

Now, hacking a bit, we can make it work (for science):

test1::*> systemshell 
(system node systemshell)
diag@127.0.0.1's password:

Warning: The system shell provides access to low-level
diagnostic tools that can cause irreparable damage to
the system if not used properly. Use this environment
only when directed to do so by support personnel.

test1-01% grep VserverSSLConfig /mroot/etc/www/wsdb/httpd-vserver.conf
VserverSSLConfig 0 /mroot/etc/vserver_4294967295/certificates/ssl/server/00000000-0000-0000-0000-000000000000/server.crt /mroot/etc/vserver_4294967295/certificates/ssl/server/00000000-0000-0000-0000-000000000000/server.key
VserverSSLConfig 2 /mroot/etc/cluster_config/vserver/.vserver_2/config/etc/certificates/ssl/server/af73667d-d8ff-11ed-9a3e-25390a7bf864/server.crt /mroot/etc/cluster_config/vserver/.vserver_2/config/etc/certificates/ssl/server/af73667d-d8ff-11ed-9a3e-25390a7bf864/server.key
VserverSSLConfig 4294967295 /mroot/etc/vserver_4294967295/certificates/ssl/server/9eadc669-d8ff-11ed-9a3e-25390a7bf864/server.crt /mroot/etc/vserver_4294967295/certificates/ssl/server/9eadc669-d8ff-11ed-9a3e-25390a7bf864/server.key

test1-01% sudo sed -i -e '/^VserverSSLConfig 0/d' /mroot/etc/www/wsdb/httpd-vserver.conf


# now working
$ openssl s_client -CAfile ./ca_cert.pem -connect test1.example.test:443 | openssl x509 -serial -noout
depth=1 CN = testca
verify return:1
depth=0 CN = test1
verify return:1
serial=498E6EE12BF76EC3BF9E9F3899395552C6C91F3B
^C

Is there a way to change the SSL certificate properly in the simulator? Thanks!


frigo

Some more details: this is ONTAP 9.12.1, playbooks
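The thread checks by hand which certificate the web UI serves by comparing serial numbers. The script below is an added example, not part of the original posts, that turns that comparison into a repeatable post-change check for an automation run; the function names and the script name `check.sh` are assumptions, and the host and serial in the usage comment are the ones shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that an HTTPS endpoint serves the
# certificate whose serial was configured, e.g. after `security ssl modify`.

# Canonical form of a serial: no "serial=" prefix, no colons or whitespace,
# upper-case hex, no leading zeros.
normalize_serial() (
    s=$(printf '%s' "${1#serial=}" | tr -d ': \t\r\n' | tr 'a-f' 'A-F')
    while [ "${#s}" -gt 1 ] && [ "${s#0}" != "$s" ]; do s=${s#0}; done
    printf '%s\n' "$s"
)

# Pull the serial out of `openssl x509 -serial -noout` output read on stdin,
# skipping any other lines that may be mixed in.
serial_from_openssl_output() {
    sed -n 's/^serial=//p' | head -n 1
}

# Serial of the leaf certificate served at host:port (port defaults to 443).
# </dev/null ends the session after the handshake, so no ^C is needed.
served_serial() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null |
        openssl x509 -serial -noout 2>/dev/null | serial_from_openssl_output
}

# True only when both serials are non-empty and equal after normalization.
serial_matches() {
    [ -n "$1" ] && [ -n "$2" ] &&
        [ "$(normalize_serial "$1")" = "$(normalize_serial "$2")" ]
}

# check_endpoint HOST EXPECTED_SERIAL [PORT]: non-zero status on mismatch or
# when no certificate could be read, so a playbook or CI step fails loudly.
check_endpoint() (
    got=$(served_serial "$1" "${3:-443}")
    if serial_matches "$got" "$2"; then
        echo "OK: $1 serves serial $(normalize_serial "$got")"
    else
        echo "MISMATCH: $1 serves '${got:-none}', expected $(normalize_serial "$2")" >&2
        exit 1
    fi
)

# Run only when called with arguments, e.g. with the values from the thread:
#   ./check.sh test1.example.test 498E6EE12BF76EC3BF9E9F3899395552C6C91F3B
if [ "$#" -ge 2 ]; then
    check_endpoint "$@"
fi
```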
