Do you have a SAS Viya environment that was installed some months ago? Once it gets to its first birthday, you may find that, like a real kid, along with many joys it can also bring unexpected problems.
Important update for SAS Viya 3.5
The original version of this blog post was written for SAS Viya 3.4.
SAS Viya 3.5 creates certificates that are valid for 7 years by default, so this should not happen anymore. It can still happen if your 3.5 environment is an upgrade in place of an older one, installed with 3.4 or even 3.3. In that case, the upgrade did not change the original Apache certificate, which can still be only valid for 1 year.
In any case, both for new installations and upgrades, the SAS Viya 3.5 version of the /opt/sas/viya/home/bin/replace_httpd_default_cert.sh script referenced below uses a new syntax and is already set to create a 7-year long certificate. If you encounter this issue with SAS Viya 3.5, you can still follow the instructions in the paragraph “The way out” but only follow steps 2 to 5 – i.e., skip steps 1 and 6.
SAS Viya is a mature component of the SAS platform. Many customers have deployed in production environments solutions based on SAS Viya, and countless are the images maintained by different SAS business units for internal employees. As part of the ongoing effort to meet and exceed industry-standard requirements, starting with SAS Viya 3.3, all deployments default to encrypted communications, thanks to the use of standard TLS enabled on all service endpoints.
One of the key principles to make this possible is the deployment of a frontend Apache HTTP server, used as a proxy by SAS Viya servers and services.
During SAS Viya deployment, the installation of the sas-httpproxy package triggers a dependency on both Apache HTTP Server (httpd) and mod_ssl. Httpd and mod_ssl are automatically installed by YUM, and the installation of mod_ssl creates a private key and self-signed certificate. In other words, initially, a self-signed certificate is created by Apache itself, not by SAS. In a subsequent phase of the SAS Viya deployment, this self-signed certificate is updated by SAS Viya playbooks. This happens because the certificate contains, in the common name field (CN), the hostname of the machine at the point in time that mod_ssl is installed, but does not include any Subject Alternate Names (SAN). SAS Viya deployment modifies the original certificate to add additional entries in the SAN field, but leaves other properties, including the expiration date, to their default value. By default, Apache self-signed certificates are valid for one year since their creation.
It’s easy to understand that, with many SAS Viya deployments performed in 2018, after the release of version 3.3, some of them are now past that default expiration date.
Once a TLS certificate has expired, it is rejected by clients attempting to communicate with any server that uses it, and the connection fails. This is good, because it prevents fraudulent use of old certificates! If you have the good habit of always using https, you can notice that this is reported by the browser with a message:
Browser Warnings
Left: Microsoft Edge - Right: Google Chrome
On the contrary, if you connect to the SAS Viya environment using the “unsecure” http protocol, you may not notice any issue and successfully log in. Yet, internal connections between services, which always happen through secure channels, still fail. Eventually, you may experience failure messages, for example in the following areas:
Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.
An example of error messages from CAS:
2019-01-20T00:00:16,508 ERROR [00003526] cas local MAIN NoUser [sslopenssl2.c:6453] - OpenSSL error 336134278 (0x14090086) occurred in SSL_connect/accept at line 4717, the error message is "error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed".
2019-01-20T00:00:16,508 ERROR [00003526] cas local MAIN NoUser [skstssl.c:1248] - Secure communications error status 807ff008 description "192.168.1.1: The certificate sent from the remote host cannot be validated by any of the public keys in the root certificate store specified by SSLCALISTLOC or SSLCACERTDIR."
2019-01-20T00:00:16,509 ERROR [00003526] cas local MAIN NoUser [tkjwk.c:1325] - getKeySet: Could not send request to server.
2019-01-20T00:00:16,509 ERROR [00003526] cas local MAIN NoUser [tkjwk.c:1326] - Encryption run-time execution error
A possible cause of confusion is that administrators can still successfully connect to SAS Environment Manager via http and the dashboard will not report any issue. They would have to dig into logs to spot any error messages.
To confirm this is the actual cause of end-users' problems, a quick way to check the certificate expiration date is by using the command:
openssl x509 -noout -in /etc/pki/tls/certs/localhost.crt -enddate
Well, in an ideal world, all this should not happen. In fact, in the official documentation, we recommend our customers that they should not use the default self-signed certificate, but rather add their own.
For reference, the Transport Layer Security section of the SAS Viya 3.4 for Linux: Deployment Guide reads:
"If you do not add compliant certificates and instead keep the default security settings and certificates, end users will see a standard web browser warning message. SAS recommends replacing the certificates before giving end users access to the software."
Obviously, this also means that, after you install your own certificates, you ensure that they are valid and replace them before the expiration.
Since we do not live in an ideal world, somebody may either choose to not add their own certificate or simply forget about this - even worse, they may not read that section of the documentation at all! In all these cases, for the first year, connections to SAS web applications are successful - though with the noted web browser warning messages. End users could choose to import the self-signed certificate into their browser trust store, thus eliminating any warning messages even when using https. All works fine ... until the 1-year mark expires.
There is a workaround to recover from the situation where the self-signed certificate expires. The certificate can be manually reissued - either for another year, by default, or for the number of days the user desires. It can then be redistributed across the deployment, which will return to a functioning state.
There is no need to wait until the certificate expiration – this can be done as soon as the initial deployment has completed.
...
# Self-sign CSR
${SASCRYPTOHOME}/sas-crypto-management \
selfsign \
--days 2557 \
--csr ${DEFAULTCSRPATH}/localhost.csr \
--out-file ${DEFAULTCERTPATH}/localhost.crt \
--out-form pem \
--signing-key ${DEFAULTKEYPATH}/localhost.key
...
In this example, the expiration is bumped up to 7 years (to match the other long-term certificates that are created for other SAS Viya components).
sudo /opt/sas/viya/home/bin/replace_httpd_default_cert.sh --force
2019-06-18 20:21:20.049 INFO [Log.go:41] [sas-crypto-management-command] - {"0":"[]"} gencsr.go:132 succesfully created CSR!
2019-06-18 20:21:20.085 INFO [Log.go:41] [sas-crypto-management-command] - {"0":"[]"} selfsign.go:282 successfully created X.509 template for cert generation
2019-06-18 20:21:20.087 INFO [Log.go:41] [sas-crypto-management-command] - {"0":"[]"} selfsign.go:284 signing certificate...
2019-06-18 20:21:20.090 INFO [Log.go:41] [sas-crypto-management-command] - {"0":"[]"} selfsign.go:292 succesfully signed certificate!
sudo service sas-viya-httpproxy-default restart
cd /sas/install/sas_viya_playbook
ansible-playbook -i inventory.ini utility/distribute-httpd-certs.yml
sudo /etc/init.d/sas-viya-all-services stop
sudo /etc/init.d/sas-viya-all-services start
sudo vi /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem
find the old certificate and delete it. The new one should already be there.
Maybe you just installed a brand new SAS Viya environment, after removing an older one from the same hosts. Since you undeployed and re-deployed, everything should be new. You think you should not encounter this problem for at least another year... Well, unfortunately, no.
This issue is still present in different scenarios:
In all of the above cases, the Apache server keeps using the certificate created with the initial deployment, no matter of the subsequent changes. At the 1-year mark since that initial deployment, SAS Viya will start complaining.
If you install a recent release of SAS Viya ( starting with SAS Viya 3.4 Revision 19w30, released in July 2019 ) you will notice that the change to /opt/sas/viya/home/bin/replace_httpd_default_cert.sh described in step #1 above is not required anymore: it is already there. Any new deployment, with a recent SAS Viya release, on a new set of hardware, will incorporate the change you could be all set for the next 7 years.
Still, let me close with a word of caution. This fix should still not replace good security and administration habits: as it is suggested in the Configure and Update TLS and HTTPS section of the SAS Viya 3.4 Administration Guide: "SAS recommends that you enhance the security by replacing this certificate with a custom certificate that is generated according to the security standards at your enterprise."
HI, Thanks for the article on self signed certificates. It is very much detail and appreciated.
One question from my side, the browser warning when we use https, does this go away when we create a self signed certificate and apply it to the deployment? Or still is it required to be imported to end users browser trust store?
Thank you @EdoardoRiva ,
I was wandering. As I believe, the SAS Secret Manager renews automatically dozens of self-signed certificates for the different connections within SAS Viya, which is super-cool.
When SAS Viya is deployed with self-signed certificate for the apache server, would it not be interesting to include some automated functionality to let SAS Viya to update that certificate and send a notification to the administrator?
Or, at least, to let SAS Viya to check that certificate expiration date (CA of self-signed) and alert the administrators anyway - or to list this together with the expiration dates of SAS license. To have such a view probably would help a lot.
when you create self-signed certificates, the browser does not recognize them unless the root certificate used to sign them is already known to it.
In practice, this usually means that you still have to import them to the end-users browser trust store.
the SAS Secret Manager automatically renews all self-signed certificates used for internal communication, because it "owns" them, having created all these certificates at deployment time.
On the other side, for certificates securing the external communication channels like the ones discussed here, customers have the option to use their own, and there is not an easy way to be 100% confident that SAS Secret Manager would recognize ones that are put in place by the admin versus ones that are auto-generated.
On the other side, the idea about having SAS Environment Manager check and list the expiration date of the certificate is really a good one. So good, that SAS R&D was already considering this as a new feature to add!
I have read article completely and applied everything written there in my Viya 3.5 RACE image. I still can not log in to web applications, because LDAPS certificate expired.
And because LDAP server is in docker, looks like ansible does not propagate new certificates everywhere...
Hello , I'm new to SAS. I've inherited an environment that has this problem.
I have a question regarding point 6. Remove the expired certificates from all truststores.
how do you indetify the old certificates... if there are dedicated files, by date I can see that the new certificates are in new files
but are there any files that contain both old and new certificates? how can I identify in this files the old certificates?
SAS Innovate 2025 is scheduled for May 6-9 in Orlando, FL. Sign up to be first to learn about the agenda and registration!
Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning and boost your career prospects.