Error accessing SDN UI after browser update

panluowei — Fri, 17 Apr 2015 14:53:59 GMT

With the latest firefox and chrome browser updates, accessing the sdn ui fails with "ERR_SSL_VERSION_OR_CIPHER_MISMATCH".

Searching online I gathered that the browsers no longer support DSA public keys. I'm told

regenerating the certificate should fix this.

My question is how to regenerate the certificate for the VAN UI?

Thanks.

Re: Error accessing SDN UI after browser update

Gerhard Roets — Fri, 17 Apr 2015 16:58:12 GMT

The Certifacte signing requirements for a large portion of browsers has recentaly changed, and because of this the orignal self signed version for the SDN Controller conflicts with these browsers minimum requirements. Here is the procedure for manually generating a new self signed certificate.

Bold Italic text is commands

Bold is Important notes

I have indented sample output

The following needs to be done as root hence( I am assuming the account your are using does have sudo premissions for root)

sudo service sdnc stop

Then the following needs to be done as the user which the sdn controller controller runs as(The user is the user sdn by default), since the truststore and keystore must be readable by that user.

Hint to become the user sdn us the following “sudo su – sdn”.

cd /opt/sdn/admin

ls -l *store*

sdn@ubuntu:~/admin$ ls -l *store*

-rw-r----- 1 sdn sdn 1319 Mar 20 14:53 keystore

-rw-r----- 1 sdn sdn 913 Mar 20 14:53 truststore

Note the permissions and ownership of the files

Here we generate a self-signed certificate with a validity period of 1780 days, after moving the old keystore and truststore away.

Note you need to use the password “skyline” below unless you have changed it. I have added it in for clarity in the commands below but it will not show when it is typed.

Leave the password for the key the same as the keystore password.

mv keystore keystore.orig

mv truststore truststore.orig

keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore keystore -validity 1780

sdn@ubuntu:~/admin$ keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore keystore

Enter keystore password: skyline

Re-enter new password: skyline

What is your first and last name?

[Unknown]: 192.168.181.135

What is the name of your organizational unit?

[Unknown]: SDNCOE

What is the name of your organization?

[Unknown]: HP

What is the name of your City or Locality?

[Unknown]: Amstelveen

What is the name of your State or Province?

[Unknown]: Noord-Holland

What is the two-letter country code for this unit?

[Unknown]: NL

Is CN=192.168.181.135, OU=SDNCOE, O=HP, L=Amstelveen, ST=Noord-Holland, C=NL correct?

[no]: y

Enter key password for <serverKey>

(RETURN if same as keystore password): Just press enter here

sdn@ubuntu:~/admin$

keytool -exportcert -keystore keystore -alias serverKey -file serverkey.cer

sdn@ubuntu:~/admin$ keytool -exportcert -keystore keystore -alias serverKey -file serverkey.cer

Enter keystore password:

Certificate stored in file <serverkey.cer>

sdn@ubuntu:~/admin$

ls -ltr

sdn@ubuntu:~/admin$ ls -ltr

total 15728

-rwxr-x--- 1 sdn sdn 462 Jan 29 12:46 uninstall-dpkg

-rwxr-x--- 1 sdn sdn 486 Jan 29 12:46 startup.sh

-rwxr-x--- 1 sdn sdn 1453 Jan 29 12:46 sdnpass

<SNIP>

-rw-rw-r-- 1 sdn sdn 2257 Apr 9 01:51 keystore

-rw-rw-r-- 1 sdn sdn 1088 Apr 9 01:52 sdn-server.csr

-rw-rw-r-- 1 sdn sdn 903 Apr 9 02:06 serverkey.cer

Note you need to use the password “skyline” below unless you have changed it. I have added it in for clarity in the commands below but it will not show when it is typed.

keytool -importcert -trustcacerts -keystore truststore -file serverkey.cer -alias CARoot

sdn@ubuntu:~/admin$ keytool -importcert -trustcacerts -keystore truststore -file serverkey.cer -alias CARoot

Enter keystore password: skyline

Re-enter new password: skyline

Owner: CN=192.168.181.135, OU=SDNCOE, O=HP, L=Amstelveen, ST=Noord-Holland, C=NL

Issuer: CN=192.168.181.135, OU=SDNCOE, O=HP, L=Amstelveen, ST=Noord-Holland, C=NL

Serial number: 54a39e23

Valid from: Thu Apr 09 01:51:25 PDT 2015 until: Wed Jul 08 01:51:25 PDT 2015

Certificate fingerprints:

MD5: 44:02:D6:58:C5:2A:2D:B5:F3:64:9B:40:6D:9B:1D:10

SHA1: C7:59:89:31:9D:79:C9:D5:3A:22:D7:36:C7:43:2D:1B:88:5B:54:5E

SHA256: E9:5D:1E:06:02:25:17:3F:C4:D9:97:C4:28:27:E6:87:2F:BC:B4:C9:E1:47:17:57:FF:33:1B:23:86:41:A5:B0

Signature algorithm name: SHA256withRSA

Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 82 FD 72 7D 83 60 88 C0 DA 67 7D 6A 03 12 11 B7 ..r..`...g.j....

0010: 27 C7 EC D9 '...

]

Trust this certificate? [no]: yes

Certificate was added to keystore

sdn@ubuntu:~/admin$

As the user root hence, you might need to type “logout” here to switch to the account you usually log in which has sudo capbilities.

sudo service sdnc start

Kind Regards

Gerhard Roets

HP SDN COE Team

topic Error accessing SDN UI after browser update in Software Defined Networking

Error accessing SDN UI after browser update

Re: Error accessing SDN UI after browser update