error: "open /opt/so/saltstack/local/salt/nginx/ssl/ssl.crt: no such file or directory when trying to add cert in SOC

[fa1sepr0phet]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

other (please provide detail below)

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

16GB

Storage for /

293G

Storage for /nsm

5.8TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

No, nginx returns "missing"

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

When attempting to add my cert (or key) via the SOC interface, I instantaneously receive a message that the action failed and I immediately lose connection to the SOC. I am still able to log in via console, and running so-status I see that nginx is "missing". Checking the logs, I see an error ["open /](error: "open /opt/so/saltstack/local/salt/nginx/ssl/ssl.crt: no such file or directory). the web interface is then permanently unreachable until I revert the instance. I checked to see if /opt/so/saltstack/local/salt/nginx exists and it does not. Is the fix as simple as just creating the directory or do I have a bad install?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[fa1sepr0phet]

Update: I was able to create the directories and import the .crt and .key. However, the .crt file broke nginx. reading the logs in /opt/so/nginx/logs/error.log I see nginx was expecting "BEGIN TRUSTED CERTIFICATE". I opened the .crt in vi and edited the .crt to add the "TRUSTED" as it wasn't there before (the certificate was a .cer before). Now when I run so-status, nginx status is "Missing". Any ideas on how to get it restarted?

[cm-ops]

If you can reach SOC, administration > configuration > nginx > ssl > Replace Default Cert use the blue back arrow button in the replace cert box for nginx and synchronize grid. That will return it to default of false.

If you cannot reach SOC, do the below:
From the manager's CLI, run sudo salt-call pillar.get nginx if you see true for replace cert, edit the pillar file at /opt/so/saltstack/local/pillar/nginx/soc_nginx.sls and change the replace cert from true to false, then run sudo so-checkin.

Once it is back to default, try and place your custom cert/key again.

[fa1sepr0phet]

Thank you cm-ops. That did help to get back up and running and I have come up with a solution. I'll provide an answer below.

[fa1sepr0phet]

I was able to resolve this issue. I was attempting to add a chained certificate. nginx requires two absolutes when reading the certificate. first, the certificate must have -----BEGIN TRUSTED CERTIFICATE----- and -----END TRUSTED CERTIFICATE----- (my certs were being generated as -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) for each certificate in the chain. Second, the chained certificate must be in this order, from top to bottom:
Your certificate
Intermediate certificate
Root certificate
Otherwise, nginx will crash and you'll need to revert and try again. I hope this helps other people with adding chained certificates to their SO instances. It's working like a champ now!