Replaced SSL-certificate -> accepted, but not used

[ejgh-oe]

Version

2.4.40

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

500

Storage for /nsm

500

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi,
In order to get rid of the browser complaining about "untrusted SSL certificate", I tried to replace the default cert with a Cert from our internal CA following the guidelines under https://docs.securityonion.net/en/2.4/nginx.html#replacing-default-cert
Uploading both the .CRT and and the Key file went OK (no errors displayed).
When I tried accessing the GUI after a couple of minutes while having closed and reopened my browser beforehand still the same default cert was used. I even tried "so-nginx-restart" as well as rebooting the manager node - didn't change a thing; still the default cert.

Any ideas as to why SO (i.e. nginx behind) accepted the custom cert, but doesn't use it?

Thanks much in advance for your help.
-ewald

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[petiepooo]

I'm not sure if Salt monitors for changes to the cert file. Try running sudo so-nginx-restart at the bash prompt...

[ejgh-oe]

Hi,
As mentioned above in my original post, I already tried restarting nginx and even rebooted the manager node - still came up with the old (default) cert.
Ruling out any browser issues I issued a openssl s_client -connect manager-node:443 - it's definitely the default cert.

BTW, the config via the GUI shows the correct cert.

[petiepooo]

i missed that; sorry. I'm out of ideas.

[cm-ops]

If you run salt-call pillar.get nginx, do you see your cert and key with replace default cert set to true?

[ejgh-oe]

Yes, absolutely - the files in /etc/pki are exactly the same contentwise as the ones I uploaded via the GUI.

# ls -l managerssl.*
-rw-r--r--. 1 root root   2142 Jan 24 09:17 managerssl.crt
-rw-r-----. 1 root socore 3246 Jan 24 09:17 managerssl.key
#

[cm-ops]

That all looks correct then, compare /etc/pki/managerssl.* against what is in the container - docker exec -t so-nginx sh -c "ls -l /etc/pki/nginx/server/crt"

What does the cert show in the browser?

[ejgh-oe]

That all looks correct then, compare /etc/pki/managerssl.* against what is in the container - docker exec -t so-nginx sh -c "ls -l /etc/pki/nginx/server/crt"

# docker exec -t so-nginx sh -c "ls -l /etc/pki/nginx/server/crt"
ls: /etc/pki/nginx/server/crt: No such file or directory
#

I changed tha above command to read docker exec -t so-nginx sh -c "ls -l /etc/pki/nginx"
and got

# docker exec -t so-nginx sh -c "ls -l /etc/pki/nginx"
total 8
-rw-r--r--    1 root     root          2142 Jan 24 09:17 server.crt
-rw-r-----    1 root     939           3246 Jan 24 09:17 server.key
#

which are the same files as the ones under /etc/pki/managerssl.* (see my previous posting)

What does the cert show in the browser?

It's the default-Cert that comes with SO

("onion-mgr" is the name of the machine (manager-node)).

[cm-ops]

Have you tried to revert to default, run so-checkin and restart nginx, and add your custom .crt/.key, and run so-checkin then restart nginx container?

[ejgh-oe]

Just reverted everything to default in the GUI, i.e.

and deleted the custom cert & key:

so-checkin ran for a while and ended with

...
Summary for local
--------------
Succeeded: 691 (changed=39)
Failed:      0
--------------
Total states run:     691
Total run time:    61.796 s
#

Connected to the GUI again - as expected default certificate.

Next I uploaded both, cert and key via the GUI again and set "Replace Default Cert" to true again. Re-ran so-checkin which ended with

...
Summary for local
--------------
Succeeded: 690 (changed=42)
Failed:      0
--------------
Total states run:     690
Total run time:    78.814 s
#

...but again, my custom certificate didn't get picked up:

PS: Please note that this "custom certificate" is the same I had on my previous (2.3) installation of SO; also the machine name is the same.

[ejgh-oe]

Just to close this question: In the end I re-issued the Cert, included the new one in the SO-config and now it's working :-)