SSL Certificate import

Technogenus

Has anyone been able to import their own SSL certificates into Zenoss core 5? We assume NGINX is handling the web response proxied back to the Zenoss Zope container, but cannot find the NGINX container and relevant config files. Is NGINX contained in zproxy?

Has anyone been able to import their SSL certs into Zenoss Core 5 who might be able to offer some suggestions?

WackyJacky

Yes, NGINX does appear to be in zproxy. I was able to edit the Zproxy container through CC UI to enable TLS, but Zenoss cannot see the certificates outside of its container. I read that Docker containers may be able to view folders if mounted a specific way?

Jan.garaj

Actually it's:
serviced (control center) -> zproxy (nginx) -> zope

Try to set up serviced first - http://controlcenter.io/docs/topics/config-defaults.html:
SERVICED_KEY_FILE
SERVICED_CERT_FILE

WackyJacky

I'm a bit confused, so from the Control Center UI I went to Zproxy (nginx) aka "/opt/zenoss/zproxy/conf/zproxy-nginx.conf" to do my edits. I don't see any Zope option in there. Do you mean I have to edit my zope as well? Or do you mean go to the backend of CC and go to Zproxy --> zope? I couldn't find that option in the backend.

Rcocchiararo

Is there documentation to do this by now?

I was asked to do it for our install, but googling around brought me no further than this thread T_T

EDIT:
Now I found that I have to edit /etc/default/serviced

# Set the TLS keyfile
# SERVICED_KEY_FILE=/etc/....

# Set the TLS certfile
# SERVICED_CERT_FILE=/etc/....

I am waiting for the files now, but I am also having trouble because I was asked to change the hostname of the server.

Gamgee

I think this was a bug in versions earlier than 5.0.5 where the certificate settings in /etc/default/serviced were not honored.

We're running 5.0.6 and have been able to successfully specify a cert/key pair for Control Center/Zenoss using the settings in this file.

Rcocchiararo

I finally got my certificates, and configured the /etc/default/serviced file.

Control Center is now happy with its certificate, but Zenoss is not (or more correctly, the browser is happy in CC but not in Zenoss).

The certificate was made for the FQDN of the server; I believe the virtual hosts were not mentioned.

Is there any special way to make the certificate request so that it will work in virtual hosts?

Jan.garaj

Try to use a wildcard certificate and it should work with all your current and future vhosts.

Bschimm

Bumping this because I am having the same issue as Rcocchiararo, except I am using a wildcard cert.

My browser is happy with https://[hostFQDN]. My browser is complaining about a bad cert domain for https://zenoss5.[host FQDN]

Bschimm

Since it's seen as a subdomain, it's not going to work. I didn't want to deal with installing the cert elsewhere outside of serviced. I ended up directing Control Center to port 8080 and then creating a new endpoint for Zenoss.core that points to port 443. Now my cert is "working".

That being said, does anyone know where to change the redirect for port 80? I'd like to redirect to zenoss.core rather than control center.
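
The name-matching rule behind the wildcard and vhost problem discussed in this thread, as an added example that is not part of any poster's reply or of Zenoss code: a `*` in a certificate name stands for exactly one left-most label, so it never spans two levels. The names under example.com are constructed, and the example assumes the wildcard was issued for the host's parent domain.

```python
"""Added example: which vhost names do a certificate's SAN entries cover?"""


def _labels(name):
    # Case-insensitive comparison; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """Match one SAN dNSName against a hostname the way browsers do:
    '*' is honoured only as the entire left-most label and stands for
    exactly one label. Partial-label wildcards are treated as literals."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Conservative choice: refuse wildcards directly under a TLD (*.com).
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered(san_list, hostnames):
    """Return the hostnames that no SAN entry matches."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_list)]


# Constructed names: cc.example.com stands in for the host FQDN,
# zenoss5.<FQDN> for the Zenoss vhost, other.<FQDN> for any further vhost.
HOST = "cc.example.com"
VHOSTS = [HOST, "zenoss5." + HOST, "other." + HOST]

CERTS = {
    "FQDN only": [HOST],
    "wildcard for parent domain": ["*.example.com"],
    "FQDN + wildcard under FQDN": [HOST, "*." + HOST],
}


def report():
    """Map each candidate SAN set to the vhost names it leaves uncovered."""
    return {label: uncovered(sans, VHOSTS) for label, sans in CERTS.items()}


if __name__ == "__main__":
    for label, missing in report().items():
        print(f"{label:30} uncovered: {missing or 'none'}")
```

Only the third SAN set covers both the host FQDN and the vhosts beneath it, so a certificate request meant for this layout needs both names listed as subject alternative names.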
