- Re: 3node HA SSL configuration
09-12-2023 01:21 AM
Hi Team,
We have tried to configure the 3-node HA and point to the Load Balancer URL in morpheus.rb. If we want to replace the SSL certificate with one that is generated outside and has the LB FQDN in the certificate, what are all the steps we need to follow? Currently we have the pfx file and ran the commands below, but we are still getting the "not secure" error when accessing the URL.
openssl pkcs12 -in your_cert.pfx -clcerts -nokeys -out server.crt
openssl pkcs12 -in your_cert.pfx -nocerts -nodes -out server.key
nginx['ssl_certificate'] = 'ca.crt'
nginx['ssl_server_key'] = 'priv.key'
morpheus-ctl reconfigure
morpheus-ctl restart nginx
02-07-2024 01:33 AM
Re: 3node HA SSL configuration
It seems like you’re trying to replace the SSL certificate for a 3-node HA setup with a certificate generated outside of your system.
The steps you’ve provided involve converting the pfx file to separate certificate and key files and then configuring Morpheus with these files.
Here are some things to look into if you’re still receiving a “not secure” error:
Location of Certificate Files: Verify that Morpheus can access the “ca.crt” and “priv.key” files and that they are in the proper place. Make sure the files are in the directories specified in your nginx setup by checking them.
File Permissions: Verify that the Morpheus process is authorized to read key files and certificates. It can be a good idea to verify and adjust the file permissions.
Certificate Chain: Ensure that your ‘ca.crt’ contains the entire certificate chain, including any intermediate certificates. Browsers may flag a certificate as unsafe if the whole chain is not provided.
LB FQDN: Confirm that the Load Balancer FQDN in the certificate matches the one specified in your Morpheus system. Mismatched domains might generate security warnings.
Nginx Configuration: Check the Nginx configuration again. Make sure you’re using the right file names for the certificate and key in the nginx['ssl_certificate'] and nginx['ssl_server_key'] options.
SSL Configurations: Check your Morpheus system for any special SSL-related configurations that may be impacting the SSL handshake.
After making any changes, run ‘morpheus-ctl reconfigure’ again and restart Nginx with ‘morpheus-ctl restart nginx’ to apply them.
If the problem remains, check the Nginx or Morpheus logs for any error messages or cautions about SSL setup.
If the problem persists, please provide any additional information or error messages, and I will do my best to assist you.
To know more about SSL Handshake check CheapSSLshop’s Blog: >>> https:// www. cheapsslshop .com / blog/how-to-fix-ssl-handshake-failed-error-code-525
09-14-2023 07:16 PM
Re: 3node HA SSL configuration
Hi @kgawronski ,
Thank you for your suggestion. As you suspected, this cert is from the LB. After applying the right cert to the LB, it is solved.
Thank you.
09-12-2023 09:27 AM
Re: 3node HA SSL configuration
Hello @kgawronski ,
Thank you for your response. We are following the same steps to apply the SSL certificate on the Morpheus VM. Nginx starts normally and we didn’t see any errors in /var/log/morpheus/nginx/current.
However, when we access the Morpheus URL from Chrome, it shows that the certificate is not valid, as follows:
Any idea about this?
03-04-2024 09:33 AM
Re: 3node HA SSL configuration
To replace the SSL certificate in your configuration with the new certificate generated outside and ensure that it points to the load balancer FQDN, follow these steps:
- Convert the PFX file to PEM format:
To convert your PFX file to PEM format—which includes the certificate and private key—use the following command:
openssl pkcs12 -in your_cert.pfx -out server.pem -nodes
example for more information: www. ssl2buy .com /wiki/ssl-converter
- Split the PEM file into separate certificate and key files:
openssl rsa -in server.pem -out server.key
openssl x509 -in server.pem -out server.crt
- Replace the SSL certificate and key in your configuration:
The locations of the new certificate and key files should be updated in the morpheus.rb configuration file’s nginx['ssl_certificate'] and nginx['ssl_server_key'] directives:
nginx['ssl_certificate'] = '/path/to/server.crt'
nginx['ssl_server_key'] = '/path/to/server.key'
- Reconfigure and restart Morpheus:
Execute the subsequent commands to restart and reconfigure Morpheus after making changes to the configuration file:
morpheus-ctl reconfigure
morpheus-ctl restart nginx
Your Morpheus instance ought to be using the new SSL certificate once you’ve finished these steps. Make sure the load balancer’s FQDN is accurately mentioned in the certificate and that the certificate chain is set up correctly.
09-12-2023 09:57 AM
Re: 3node HA SSL configuration
@yingshuang, I’d try restarting the morpheus-ui service, I’ve seen on occasion it being needed.
Morpheus will be unavailable while you restart the service on that node. You can roll through the environment restarting the service once the previous one has finished, if your load balancer is working, just not secure yet.
To restart the Morpheus UI service, run the following command:
morpheus-ctl restart morpheus-ui
You can watch the startup of the service logs using the below command. Although, I don’t think you’ll see anything related to this in them as it starts, just more to monitor:
morpheus-ctl tail morpheus-ui
09-12-2023 11:42 AM
Solution
@yingshuang I’m thinking the certificate you are seeing is from your load balancer or somewhere else. The default self-signed certificate Morpheus generates looks like this:
Either the certificate is not coming from the Morpheus node or, if it is, then that might be what the certificate was configured with. If that is what the certificate is configured with, it looks to be missing the CN as a DNS name and probably the SANs as well. The date on the certificate says it was generated 2 days ago, so the SSL cert is probably working correctly; my thought is that the certificate itself has just not been configured properly.
If you continue to have issues, I’d recommend opening a support case. It will allow for easier troubleshooting.
09-12-2023 04:34 AM
Re: 3node HA SSL configuration
Are you terminating SSL at the LB or at the FE nodes?
09-12-2023 11:24 AM
Re: 3node HA SSL configuration
Did you restart nginx per our documentation? Nginx needs to be restarted in addition to running morpheus-ctl reconfigure.
09-12-2023 08:42 AM
Re: 3node HA SSL configuration
Hello @yingshuang,
To @cbunge’s point, some users will decide to put the certificate on their load balancer only, leaving the self-signed certificate on Morpheus. This still keeps it secure but removes some of the administrative burden. However, some organizations require the certificate to be on the appliances as well or they don’t use the certificate on their load balancer. If implementing on the appliances, here is some additional information.
nginx['ssl_certificate']
- Should point to the entire chain. This file should include the CA, intermediates, and the public certificate. There have been times I’ve not been provided the entire chain.
- Sometimes the provider of a certificate might also give you a “bundled” certificate that contains them all, to make it easier.
- It is important to place them in the correct order in the file as well. Review the Creating a .pem with the Entire SSL Certificate Trust Chain example for more information:
https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm
nginx['ssl_server_key']
- Should point to your private key only
- The file should begin with
-----BEGIN PRIVATE KEY-----
Once you have them in place and in your morpheus.rb file, do the following:
morpheus-ctl reconfigure
morpheus-ctl restart nginx
You can review errors in the nginx log, which will give you an indication of any issues, such as a certificate mismatch, permissions on the file, a password being on it, etc.
Command to view the log in real time:
morpheus-ctl tail nginx
Location of the log if you need to review it more closely:
/var/log/morpheus/nginx/current
More information:
SSL Certificates Documentation
Load Balancer Configuration Documentation
Hope that helps!
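A pre-flight check for the files discussed in this thread (the chain file for nginx['ssl_certificate'], the key for nginx['ssl_server_key'], and the LB FQDN in the certificate), added here as an example and not taken from any poster or from Morpheus documentation. The function names, the host name lb.example.test and the throwaway CA built by make_demo are constructed for illustration; served_fp needs network access to the load balancer or node.

```sh
#!/bin/sh
# Added example: checks to run on the certificate and key files before
# `morpheus-ctl reconfigure`. All function names here are hypothetical.

# SHA-256 of the public key in the first (leaf) certificate / in a private key.
cert_pub() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256; }
key_pub()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256; }

# 0 if the private key ($2) belongs to the leaf certificate in $1.
key_matches() { [ "$(cert_pub "$1")" = "$(key_pub "$2")" ]; }

# 0 if the leaf certificate in $1 is valid for host name $2 (SAN, else CN).
name_matches() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

# Number of certificates in the file; 1 means leaf only, no chain.
chain_len() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# 0 if every certificate is issued by the one that follows it (leaf first).
chain_ordered() {
  d=$(mktemp -d) prev="" rc=0
  awk -v d="$d" '/BEGIN CERTIFICATE/{f=sprintf("%s/%02d.pem",d,++n)} f{print > f}' "$1"
  for f in "$d"/*.pem; do
    [ -z "$prev" ] || [ "$prev" = "$(openssl x509 -in "$f" -noout -subject_hash)" ] || rc=1
    prev=$(openssl x509 -in "$f" -noout -issuer_hash)
  done
  rm -rf "$d"; return $rc
}

# Fingerprint of the certificate actually served at host $1 for SNI name $2.
# Run it against the LB and against each node to see which one answers.
served_fp() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

# Constructed sample data: throwaway CA and a leaf for lb.example.test.
make_demo() (
  cd "$1" || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo CA" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout priv.key -out leaf.csr \
    -subj "/CN=lb.example.test" 2>/dev/null
  echo "subjectAltName=DNS:lb.example.test" > san.ext
  openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile san.ext -out pub.crt -days 1 2>/dev/null
  cat pub.crt ca.crt > fullchain.crt   # leaf first, then its issuer
  cat ca.crt pub.crt > reversed.crt    # wrong order
)
```

On real files, source the script and run key_matches, name_matches with the load balancer FQDN, chain_len and chain_ordered against the paths set in morpheus.rb; a served_fp value from the URL that differs from the fingerprint of the file on the node means something in front of the node is presenting its own certificate.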
09-12-2023 08:08 AM
Re: 3node HA SSL configuration
Hi @cbunge ,
Sorry, not quite sure about the meaning of “FE nodes”, but we are implementing the SSL certificate on the Morpheus VM nodes.
Btw, the customer is providing us the .pfx file and we are following the guide below to extract the private key and certificate. Should we use pub.crt or ca.crt as nginx['ssl_certificate']?
Extract the private key
openssl pkcs12 -in example.pfx -nocerts -nodes -out priv.key
Extract the public key
openssl pkcs12 -in example.pfx -clcerts -nokeys -out pub.crt
Extract the CA cert chain
openssl pkcs12 -in example.pfx -cacerts -nokeys -chain -out ca.crt
09-12-2023 10:52 AM
Re: 3node HA SSL configuration
Hi @kgawronski ,
Yes, we restarted the morpheus-ui service and it is running properly. After restarting morpheus-ui, we could access the Morpheus portal, but it is still showing that the certificate is not valid, as follows: