Clarify adminconsole certs #2754
@@ -17,7 +17,7 @@ In these instructions, we show you how you can download the security certificate | |
You can change the certificates for the following ECE components separately: | ||
|
||
Cloud UI certificate | ||
: Used to connect securely to the Cloud UI and to make RESTful API calls. | ||
: Used to connect securely to the Cloud UI. | ||
|
||
Proxy certificate | ||
: Used to connect securely to {{es}} clusters and {{kib}}. You should use a wildcard certificate rooted at the [cluster endpoint that you set](../../deploy/cloud-enterprise/change-endpoint-urls.md) (`*.example.com`, for example). A wildcard certificate is required, because the first label of the DNS address is distinct for {{es}} clusters and {{kib}} (`bc898abb421843918ebc31a513169a.example.com`, for example). | ||
|
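Review bot: dropping "and to make RESTful API calls" from the Cloud UI certificate description in this hunk narrows its stated role incorrectly; as the review comment on this PR points out, the Cloud UI certificate is used for both UI and API calls, while the Adminconsole certificate covers an alternative API port. Suggest keeping the original line `: Used to connect securely to the Cloud UI and to make RESTful API calls.` and describing the Adminconsole certificate in its own entry rather than by taking the API role away from the Cloud UI certificate.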
@@ -31,6 +31,9 @@ Proxy certificate | |
|
||
After the certificates have been installed, connecting securely to {{es}}, {{kib}}, and the Cloud UI or making secure RESTful API calls to ECE should not result in any security warnings or errors. | ||
|
||
Adminconsole certificate | ||
: Used to connect securely to make RESTful API calls. | ||
|
||
|
||
|
||
## Before you begin [ece_before_you_begin_7] | ||
|
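Review bot: the new `Adminconsole certificate` entry is inserted after the closing summary sentence ("After the certificates have been installed ...") instead of next to the other component definitions, so the definition list reads out of order; move it above that paragraph, directly after the Proxy certificate entry. Its description `: Used to connect securely to make RESTful API calls.` also duplicates what the Cloud UI certificate already covers and gives the reader no way to tell the two apart; per the review discussion, state that it secures the separate adminconsole API port (the later hunk verifies it on port 12343) used when the Cloud UI is unavailable, and that reusing the Cloud UI certificate bundle is the recommended choice.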
@@ -60,6 +63,19 @@ The PEM file should be structured like this: | |
|
||
Each key and certificate would be generated by you or your IT team. | ||
|
||
::::{note} | ||
{{ece}} expects to have private key start with a header of `-----BEGIN RSA PRIVATE KEY-----`. If your private key starts with a different header, for example, `-----BEGIN PRIVATE KEY-----` (no `RSA`), you will get error: | ||
|
||
|
||
```json | ||
{ | ||
"code" : "cert.invalid_cert_chain", | ||
"message" : "Certificate chain was invalid [Invalid Entry: expected unencrypted rsa private key (is start of file corrupted?)]" | ||
} | ||
``` | ||
|
||
We recommend you to review your certificate generating tool related documentation for how to obtain the ECE expected hearder for your private key. For example, if you use OpenSSL to generate your private key, you can use `-traditional` option. | ||
|
||
:::: | ||
|
||
|
||
## Get existing ECE security certificates [ece-existing-security-certificates] | ||
|
||
|
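Review bot: the new note needs several wording fixes before it reads cleanly: `hearder` should be `header`, `expects to have private key start with` should be `expects the private key to start with`, `you will get error:` should be `you will get the following error:`, and `We recommend you to review your certificate generating tool related documentation` is awkward (suggest `We recommend that you review the documentation of your certificate-generation tool for how to produce the header that ECE expects`). The OpenSSL hint should also say which command the `-traditional` option belongs to, since on its own it is not actionable; in OpenSSL 3.x it is accepted by `openssl genrsa -traditional` when generating a new key and by `openssl rsa -traditional -in key.pem -out key-rsa.pem` when converting an existing key, so naming one of those (and the OpenSSL version) would let a reader apply the fix directly.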
@@ -295,6 +311,36 @@ To add a proxy certificate from the command line: | |
openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect HOSTNAME_OR_IP:9343 < /dev/zero | ||
``` | ||
|
||
## Add an Adminconsole certificate [ece-tls-adminconsole] | ||
|
||
::::{note} | ||
In {{ece}}, this certificate is treated identically to the [Cloud UI certificate](#ece-tls-ui). You can use the same certificate bundle generated for Cloud UI. | ||
:::: | ||
|
||
To add an Adminconsole certificate from the Cloud UI: | ||
|
||
1. [Log into the Cloud UI](../../deploy/cloud-enterprise/log-into-cloud-ui.md). | ||
2. From the **Platform** menu, select **Settings**. | ||
3. Under **TLS settings** for the Adminconsole, choose **Upload new certificate** and select a concatenated file containing your RSA private key, server certificate, and CA certificate. Upload the selected file. | ||
|
||
To get the details of the certificate you added, select **Show certificate chain**. | ||
|
||
To add an Adminconsole certificate from the command line: | ||
|
||
1. Add the certificate for the Adminconsole to your {{ece}} installation, where `CA_CERTIFICATE_FILENAME` is the name of the CA certificate you downloaded earlier and `ADMINCONSOLE_PEM_FILENAME` is the name of the concatenated file containing your RSA private key, server certificate, and CA certificate: | ||
|
||
``` | ||
curl --cacert CA_CERTIFICATE_FILENAME -H 'Content-Type: application/json' --data-binary @ADMINCONSOLE_PEM_FILENAME --user "admin:PASSWORD" "https://admin:12443/api/v1/platform/configuration/security/tls/adminconsole" | ||
``` | ||
|
||
2. Log out of the Cloud UI and log in again. | ||
3. Verify that you are now using the new certificate chain. There should be no security warnings when you connect to the Cloud UI over HTTPS in your web browser. | ||
|
||
|
||
Alternatively, you can also check the certificate using the openssl command: | ||
|
||
``` | ||
openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect containerhost:12343 < /dev/zero | ||
``` | ||
|
||
|
||
## Limitations [ece-tls-limitations] | ||
|
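Review bot: the two commands in this hunk use different hosts and ports with no explanation: the curl upload targets `https://admin:12443/...` while the openssl verification connects to `containerhost:12343`. If the intent is that the upload goes through the Cloud UI API port (12443) and the verification checks the separate adminconsole port (12343), say so in the text, because as written the mismatch reads as a typo; either way, use one host placeholder in both commands (`HOSTNAME_OR_IP`, as the proxy example just above this hunk already does) rather than `admin` in one and `containerhost` in the other. Step 3 also tells the reader to confirm the new chain by connecting to the Cloud UI in a browser, but the certificate being replaced here is served on the adminconsole port, so a browser check of the Cloud UI would pass even if the adminconsole chain were still wrong; the verification step should point at the adminconsole port, which the openssl command below it already does.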
I don't think this is right.
The Cloud UI certificate is for API and UI calls.
The Adminconsole certificate allows a secure connection to an alternative API port that can be used in incident scenarios where the UI is down (very rare). We recommend re-using the UI certificate for this.
Thank you @AlexP-Elastic
Updated with the suggestion:
Also @AlexP-Elastic, I made the change based on your 2nd comment - #2754 (comment) too:
(Hard to copy things out, and mostly the screenshots are visibly evident enough...)