Hey!
I have a problem renewing the signed certificate:
I have tried to apply the steps:
https://communities.sas.com/t5/SAS-Communities-Library/How-to-survive-SAS-Viya-self-signed-certifica...
But it has not worked.
I have followed the steps:
https://documentation.sas.com/?docsetId=calencryptmotion&docsetTarget=n1xdqv1sezyrahn17erzcunxwix9.h...
It doesn't work.
The cachelocator shows:
The files /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem and trustedcerts.jks have the new certificate.
The steps followed are:
We generate the req.conf file in /etc/pki/tls/certs:
$ cd /etc/pki/tls/certs
$ vi req.conf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
O = Self-Signed Certificate
CN = innova-lab-sasviya34.innova-tsn.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
basicConstraints = CA:TRUE
[alt_names]
DNS.1 = innova-lab-sasviya34.innova-tsn.com
DNS.2 = innova-lab-sasviya34
DNS.3 = innova-lab-sasviya34.innova-tsn.com
DNS.4 = innova-lab-sasviya34
DNS.5 = *.innova-lab-sasviya34.innova-tsn.com
DNS.6 = *.innova-lab-sasviya34.innova-tsn.com
DNS.7 = *.innova-lab-sasviya34
DNS.8 = *.innova-lab-sasviya34
DNS.9 = localhost
IP.1 = 127.0.0.1
IP.2 = 0:0:0:0:0:0:0:1
IP.3 = 10.10.14.28
IP.4 = fe80::cadf:de01:f399:e445
Generate the certificate and the key:
$ openssl req -x509 -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config req.conf -extensions 'v3_req'
We move localhost.key from /etc/pki/tls/certs to /etc/pki/tls/private
$ mv /etc/pki/tls/certs/localhost.key /etc/pki/tls/private
We change the permissions of the localhost.key file to 600
$ chmod 600 /etc/pki/tls/private/localhost.key
We validate localhost.crt:
$ openssl x509 -text -noout -in /etc/pki/tls/certs/localhost.crt
We restart the httpproxy service
$ service sas-viya-httpproxy-default restart
The vars.yml file does not need to be modified:
$ vi /sas/install/sas_viya_playbook/vars.yml
We run the distribution and everything completes successfully:
$ cd /sas/install/sas_viya_playbook/
$ ansible-playbook -i inventory.ini ./utility/distribute-httpd-certs.yml
We check that the files have been modified:
$ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts
The ssl.conf file does not need to be modified
$ cd /etc/httpd/ssl.conf
$ vi ssl.conf
The newly generated crt is found inside the file:
$ cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem > /root/salidatrustedcertspem.log
It matches the one generated in /etc/pki/tls/certs/localhost.crt:
$ cat /etc/pki/tls/certs/localhost.crt
We run the check:
$ openssl x509 -in /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem -text -noout
The crt and key have been copied to the following paths (Place the new CA certificates):
$ cp /etc/pki/tls/certs/localhost.crt /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/
$ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts
$ chown sas:sas /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/localhost.crt
$ cp /etc/pki/tls/certs/localhost.crt /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tls/certs/
$ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tls/certs
$ chown sas:sas /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tls/certs/localhost.crt
$ cp /etc/pki/tls/private/localhost.key /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/
$ chown sas:sas /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/localhost.key
$ chmod 600 /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/localhost.key
$ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private
Regarding /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.jks, we verify that it is correct:
$ keytool -v -list -keystore /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.jks -storepass changeit -keypass password > /root/salidatrustedcertsjks.log
We rebuild the certificates:
$ cd /sas/install/sas_viya_playbook/
$ sudo ansible-playbook -i inventory.ini ./utility/rebuild-trust-stores.yml
We restart the services:
$ service sas-viya-all-services stop
$ service sas-viya-all-services start
$ service sas-viya-all-services status
Why are the services not reading the new certificate?
Thank you very much
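An added example, not part of the post above and not SAS's own tooling: a small POSIX shell script that checks a renewed certificate the way a practitioner would before asking why services still present the old one. Rather than eyeballing `openssl x509 -text` output, it compares SHA-256 fingerprints: does trustedcerts.pem (which can hold many certificates) contain the new one, does the SAN list the host name, is it not about to expire, and does a live TLS endpoint actually present that same certificate. The file paths are the ones from the post; the host name, port and the `check` subcommand are hypothetical, and `openssl` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity checks for a renewed
# self-signed certificate, based on SHA-256 fingerprints.
# Assumptions (hypothetical): openssl is on PATH; paths below are the ones from
# the post; HOST/PORT is any TLS endpoint of the deployment.

# SHA-256 fingerprint of the first certificate in a PEM file, e.g. AB:CD:...
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Succeed (exit 0) if any certificate in a PEM bundle has the given fingerprint.
# The bundle is split on BEGIN CERTIFICATE markers so every entry is inspected,
# not just the first one (which is all `openssl x509 -in bundle` would show).
bundle_contains() {
  bundle=$1; want=$2; found=1
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$bundle"
  for f in "$dir"/*.pem; do
    [ -f "$f" ] || continue
    if [ "$(cert_fingerprint "$f")" = "$want" ]; then found=0; break; fi
  done
  rm -rf "$dir"
  return $found
}

# Succeed if the certificate's subjectAltName lists the given DNS name exactly.
san_has_dns() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | grep -q "^ *DNS:$2\$"
}

# Succeed if the certificate is still valid for at least N days.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Fingerprint of the certificate a live TLS endpoint actually presents.
# This is what clients see; if it differs from the file on disk, the service
# has not picked up the renewed certificate.
served_fingerprint() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Usage: sh check-cert.sh check <hostname> [port]   (hypothetical subcommand)
main() {
  host=$1; port=${2:-443}
  crt=/etc/pki/tls/certs/localhost.crt
  bundle=/opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem
  want=$(cert_fingerprint "$crt")
  echo "new cert fingerprint: $want"
  bundle_contains "$bundle" "$want" && echo "trustedcerts.pem: contains new cert" \
    || echo "trustedcerts.pem: new cert NOT found (rebuild trust stores)"
  san_has_dns "$crt" "$host" && echo "SAN: has $host" || echo "SAN: $host missing"
  valid_for_days "$crt" 30 && echo "expiry: ok (>30 days)" || echo "expiry: expires within 30 days"
  got=$(served_fingerprint "$host" "$port")
  [ "$got" = "$want" ] && echo "served cert on $host:$port: matches new cert" \
    || echo "served cert on $host:$port: $got (service still presents another cert)"
}

case "${1:-}" in check) shift; main "$@" ;; esac
```

The fingerprint comparison is the useful part: when `served_fingerprint` disagrees with the file in /etc/pki/tls/certs, the certificate was copied and the trust stores rebuilt, but the listening service is still loading its previous key pair, so the next place to look is the service's own TLS configuration rather than the trust bundle.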