SaraVillagrasa
Calcite | Level 5

Hey! 

 

I have a problem renewing the signed certificate:

 

I have tried to apply the steps:

https://communities.sas.com/t5/SAS-Communities-Library/How-to-survive-SAS-Viya-self-signed-certifica...

But it has not worked.

 

I have followed the steps:

https://documentation.sas.com/?docsetId=calencryptmotion&docsetTarget=n1xdqv1sezyrahn17erzcunxwix9.h...


It doesn't work.

The cachelocator shows:

 

The files /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem and trustedcerts.jks have the new certificate.

The steps followed are:

We generate the req.conf file in /etc/pki/tls/certs:

                $ cd /etc/pki/tls/certs
                $ vi req.conf

                [req]
                distinguished_name = req_distinguished_name
                x509_extensions = v3_req
                prompt = no
                [req_distinguished_name]
                C = US
                O = Self-Signed Certificate
                CN = innova-lab-sasviya34.innova-tsn.com
                [v3_req]
                keyUsage = keyEncipherment, dataEncipherment
                extendedKeyUsage = serverAuth, clientAuth
                subjectAltName = @alt_names
                basicConstraints = CA:TRUE
                [alt_names]
                DNS.1 = innova-lab-sasviya34.innova-tsn.com
                DNS.2 = innova-lab-sasviya34
                DNS.3 = innova-lab-sasviya34.innova-tsn.com
                DNS.4 = innova-lab-sasviya34
                DNS.5 = *.innova-lab-sasviya34.innova-tsn.com
                DNS.6 = *.innova-lab-sasviya34.innova-tsn.com
                DNS.7 = *.innova-lab-sasviya34
                DNS.8 = *.innova-lab-sasviya34
                DNS.9 = localhost
                IP.1 = 127.0.0.1
                IP.2 = 0:0:0:0:0:0:0:1
                IP.3 = 10.10.14.28
                IP.4 = fe80::cadf:de01:f399:e445

Generate the certificate and the key:

                $ openssl req -x509 -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config req.conf -extensions 'v3_req'

 

We move localhost.key from /etc/pki/tls/certs to /etc/pki/tls/private:

                $ mv /etc/pki/tls/certs/localhost.key /etc/pki/tls/private

We change the permissions of the localhost.key file to 600:

                $ chmod 600 /etc/pki/tls/private/localhost.key

We validate localhost.crt:

                $ openssl x509 -text -noout -in /etc/pki/tls/certs/localhost.crt

We restart the httpproxy service:

                $ service sas-viya-httpproxy-default restart

 

The vars.yml file does not need to be modified:

                $ vi /sas/install/sas_viya_playbook/vars.yml

We run the distribution and everything comes out correctly:

                $ cd /sas/install/sas_viya_playbook/
                $ ansible-playbook -i inventory.ini ./utility/distribute-httpd-certs.yml

We check that the files have been modified:

                $ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts

The ssl.conf file does not need to be modified:

                $ cd /etc/httpd/ssl.conf
                $ vi ssl.conf

Inside the file is the newly generated crt:

                $ cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem > /root/salidatrustedcertspem.log

It matches the one generated in /etc/pki/tls/certs/localhost.crt:

                $ cat /etc/pki/tls/certs/localhost.crt

We run the check:

                $ openssl x509 -in /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem -text -noout

 

The crt and key have been copied to the following paths (Place the new CA certificates):

                $ cp /etc/pki/tls/certs/localhost.crt /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/
                $ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts
                $ chown sas:sas /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/localhost.crt

                $ cp /etc/pki/tls/certs/localhost.crt /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tls/certs/
                $ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tls/certs
                $ chown sas:sas /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tls/certs/localhost.crt

                $ cp /etc/pki/tls/private/localhost.key /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/
                $ chown sas:sas /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/localhost.key
                $ chmod 600 /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/localhost.key
                $ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private

Regarding /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.jks, we verify that it is correct:

                $ keytool -v -list -keystore /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.jks -storepass changeit -keypass password > /root/salidatrustedcertsjks.log

We rebuild the certificates:

                $ cd /sas/install/sas_viya_playbook/
                $ sudo ansible-playbook -i inventory.ini ./utility/rebuild-trust-stores.yml

We restart the services:

                $ service sas-viya-all-services stop
                $ service sas-viya-all-services start
                $ service sas-viya-all-services status

 

Why are the services not reading the new certificate?

 

Thank you very much
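A small verification script, added here as an example (it is not from the original post and not a SAS tool), that checks the two things the procedure above relies on: that the new localhost.crt is actually present, by SHA-256 fingerprint, in the trustedcerts.pem bundle and in trustedcerts.jks, and that localhost.key really belongs to that certificate. It assumes POSIX sh, openssl and (for the JKS check) keytool; the file paths are the ones from the post and are passed as arguments.

```shell
#!/bin/sh
# Added check script (not from the original post or from SAS): confirms a newly
# generated certificate is inside the Viya trust bundle and that its key matches it.

# SHA-256 fingerprint (colon-separated hex) of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Number of certificate blocks in a PEM bundle such as trustedcerts.pem.
bundle_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Fingerprint of every certificate in a bundle, one per line (awk splits the blocks).
bundle_fingerprints() {
    d=$(mktemp -d)
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ {n++}
        n > 0 {print > (d "/" n ".pem")}
        /-----END CERTIFICATE-----/ {close(d "/" n ".pem")}' "$1"
    for f in "$d"/*.pem; do
        [ -f "$f" ] && cert_fingerprint "$f"
    done
    rm -rf "$d"
}

# Exit 0 if the certificate in $1 is present (by fingerprint) in bundle $2.
bundle_contains() {
    want=$(cert_fingerprint "$1")
    bundle_fingerprints "$2" | grep -qxF "$want"
}

# Exit 0 if private key $2 has the same public key as certificate $1 ($3: key passphrase, if any).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout -passin "pass:${3:-}" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Exit 0 if JKS trust store $2 lists certificate $1 (keytool -v prints SHA256 fingerprints).
jks_contains() {
    want=$(cert_fingerprint "$1")
    keytool -list -v -keystore "$2" -storepass "${3:-changeit}" 2>/dev/null | grep -qF "$want"
}

# Usage: sh check_viya_cert.sh localhost.crt localhost.key trustedcerts.pem
if [ "$#" -eq 3 ]; then
    key_matches_cert "$1" "$2" && echo "key: matches cert" || echo "key: DOES NOT match cert"
    bundle_contains "$1" "$3" && echo "pem: contains new cert" || echo "pem: new cert MISSING"
fi
```

Run it with the three paths from the post before the service restart; a "MISSING" or "DOES NOT match" line points at the copy or key step that failed rather than at the services.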

SaraVillagrasa
Calcite | Level 5

Sorry

 

Cachelocator shows:

 

[Attached images: cachelocator1.PNG, cachelocator2.PNG]