Hey! I have a problem renewing the signed certificate. I have tried to apply the steps in https://communities.sas.com/t5/SAS-Communities-Library/How-to-survive-SAS-Viya-self-signed-certificates-expiration/ta-p/583958 but it has not worked.

I have followed the steps in https://documentation.sas.com/?docsetId=calencryptmotion&docsetTarget=n1xdqv1sezyrahn17erzcunxwix9.htm&docsetVersion=3.4&locale=en#n0u2e2p7l6w275n0zvkyeoiz6dv6 and it doesn't work.

The cachelocator shows:

The files /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem and trustedcerts.jks have the new certificate.

The steps followed are:

We generate the req.conf file in /etc/pki/tls/certs:
$ cd /etc/pki/tls/certs
$ vi req.conf

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
O = Self-Signed Certificate
CN = innova-lab-sasviya34.innova-tsn.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
basicConstraints = CA:TRUE
[alt_names]
DNS.1 = innova-lab-sasviya34.innova-tsn.com
DNS.2 = innova-lab-sasviya34
DNS.3 = innova-lab-sasviya34.innova-tsn.com
DNS.4 = innova-lab-sasviya34
DNS.5 = *.innova-lab-sasviya34.innova-tsn.com
DNS.6 = *.innova-lab-sasviya34.innova-tsn.com
DNS.7 = *.innova-lab-sasviya34
DNS.8 = *.innova-lab-sasviya34
DNS.9 = localhost
IP.1 = 127.0.0.1
IP.2 = 0:0:0:0:0:0:0:1
IP.3 = 10.10.14.28
IP.4 = fe80::cadf:de01:f399:e445

Generate the certificate and the key:
$ openssl req -x509 -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config req.conf -extensions 'v3_req'

We move localhost.key from /etc/pki/tls/certs to /etc/pki/tls/private:
$ mv /etc/pki/tls/certs/localhost.key /etc/pki/tls/private

We change the permissions of the localhost.key file to 600:
$ chmod 600 /etc/pki/tls/private/localhost.key

We validate localhost.crt:
$ openssl x509 -text -noout -in /etc/pki/tls/certs/localhost.crt

We restart the httpproxy service:
$ service sas-viya-httpproxy-default restart

The vars.yml file does not need to be modified:
$ vi /sas/install/sas_viya_playbook/vars.yml

We launch the distribution and everything completes correctly:
$ cd /sas/install/sas_viya_playbook/
$ ansible-playbook -i inventory.ini ./utility/distribute-httpd-certs.yml

We see that the files have been modified:
$ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts

The ssl.conf file does not need to be modified:
$ cd /etc/httpd/ssl.conf
$ vi ssl.conf

The newly generated crt is found inside the file:
$ cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem > /root/salidatrustedcertspem.log

It matches the one generated in /etc/pki/tls/certs/localhost.crt:
$ cat /etc/pki/tls/certs/localhost.crt

We run the check:
$ openssl x509 -in /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem -text -noout

The crt and key have been copied to the following paths (Place the new CA certificates):
$ cp /etc/pki/tls/certs/localhost.crt /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/
$ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts
$ chown sas:sas /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/localhost.crt
$ cp /etc/pki/tls/certs/localhost.crt /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tls/certs/
$ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tls/certs
$ chown sas:sas /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tls/certs/localhost.crt
$ cp /etc/pki/tls/private/localhost.key /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/
$ chown sas:sas /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/localhost.key
$ chmod 600 /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/localhost.key
$ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private

Regarding /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.jks, we see that it is correct:
$ keytool -v -list -keystore /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.jks -storepass changeit -keypass password > /root/salidatrustedcertsjks.log

We rebuild the certificates:
$ cd /sas/install/sas_viya_playbook/
$ sudo ansible-playbook -i inventory.ini ./utility/rebuild-trust-stores.yml

We restart the services:
$ service sas-viya-all-services stop
$ service sas-viya-all-services start
$ service sas-viya-all-services status

Why are the services not reading the new certificate?

Thank you very much
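An added example, not part of the original post and not SAS code: `openssl x509 -in` on a multi-certificate PEM file decodes only the first certificate block, so the check above cannot confirm that the renewed certificate is in trustedcerts.pem. The sketch below fingerprints every block in a bundle and reports where a given certificate appears. The sample byte strings are constructed stand-ins for DER data, and all function names are hypothetical.

```python
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def cert_fingerprints(pem_text):
    """SHA-256 of the DER bytes of every certificate block, in file order.
    Same value as `openssl x509 -fingerprint -sha256`, without the colons."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_BLOCK.findall(pem_text)]

def find_in_bundle(cert_pem, bundle_pem):
    """0-based positions in the bundle holding the first cert of cert_pem."""
    wanted = cert_fingerprints(cert_pem)
    if not wanted:
        raise ValueError("no certificate block found in cert_pem")
    return [i for i, fp in enumerate(cert_fingerprints(bundle_pem))
            if fp == wanted[0]]

def _pem(der, width=64):
    """Wrap raw bytes as a PEM certificate block (helper for the sample data)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

# Constructed stand-ins for DER bytes; not real X.509 certificates.
OTHER_DER = b"constructed stand-in: some other CA " * 4
OLD_DER = b"constructed stand-in: expired cert " * 4
NEW_DER = b"constructed stand-in: renewed cert " * 4
OLD, NEW = _pem(OLD_DER), _pem(NEW_DER)
# Bundle with a comment line, the old cert still present, and the new cert
# re-wrapped at 76 columns with CRLF endings: a byte-wise diff would miss it.
BUNDLE = ("# sample trust bundle\n" + _pem(OTHER_DER) + OLD
          + _pem(NEW_DER, width=76).replace("\n", "\r\n"))

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py localhost.crt trustedcerts.pem
        with open(sys.argv[1]) as c, open(sys.argv[2]) as b:
            cert, bundle = c.read(), b.read()
    else:
        cert, bundle = NEW, BUNDLE
    hits = find_in_bundle(cert, bundle)
    total = len(cert_fingerprints(bundle))
    print(f"{total} certificates in bundle; match at positions {hits}")
```

An empty match list means the bundle was not rebuilt with the new certificate; a match alongside the old certificate's fingerprint means both are still trusted.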