How to install a “Letsencrypt.org” SSL cert on Aspera On Demand

Summary

This article provides instructions on how to obtain and install an SSL certificate for use by the asperanoded service on your Aspera Application Platform On Demand (APOD) node or your Aspera Transfer Cluster.

Prerequisites

  • You have successfully provisioned APOD or a transfer cluster
  • The DNS must be working properly
    • For Clusters, the DNS is managed by ATCM
    • For APOD, you need a public DNS
  • For ATCM: You are logged into the node that the DNS points to (more information below) and your cluster is configured to Min Idle nodes 1
  • Port 80 must be open (more information below)

I. Create SSL certificate

1. Boot your cluster/node and log in

2. Download Let's Encrypt utilities

Background information is available here: https://letsencrypt.org/getting-started/

The Certbot can be found here: https://certbot.eff.org/

Run the following commands:

# sudo yum install epel-release
# sudo yum install certbot

You should see the RPM packages downloaded and installed.

3. Run the certbot utility to create the SSL cert

Run the certbot command (this will also launch a simple app):

# certbot certonly --webroot -w /usr/share/nginx/html/ -d DNS-NAME -m EMAIL-ADDRESS --agree-tos

Review the output (example provided below for reference):

Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/DNS-NAME/fullchain.pem. Your
cert will expire on 2016-09-29. To obtain a new or tweaked version
of this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot renew"

4. Append a root cert to the fullchain.pem

Download the root certificate and copy it to a file at /tmp/root.cert

Add the appropriate -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines to the root cert, each on its own line, so it looks like this:

-----BEGIN CERTIFICATE-----
(base64-encoded root certificate body)
-----END CERTIFICATE-----

Next copy the fullchain.pem to /tmp (make the appropriate substitution for your cluster DNS), and then append the root cert to the full chain:

# cp /etc/letsencrypt/live/CLUSTER-DNS-NAME/fullchain.pem /tmp/
# cat /tmp/root.cert >> /tmp/fullchain.pem
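Before pasting /tmp/fullchain.pem into the Cluster Manager Certificate box (section II), it is worth checking that the file is structurally sound. The following Python script is an added example, not part of this article or of Aspera's tooling; the PEM blocks it builds are constructed placeholders, not real certificates. It flags the three ways this step typically goes wrong: a root cert still missing its BEGIN/END lines, two blocks glued onto one line when cat >> appends to a file that has no trailing newline, and a private key block mixed into the certificate material.

```python
import base64
import binascii
import re

# One PEM block whose BEGIN and END markers each sit on their own line.
_PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----[ \t]*\r?\n(.*?)^-----END ([A-Z ]+)-----[ \t\r]*$",
    re.S | re.M)

def pem_blocks(text):
    """PEM blocks in text as [(label, der_bytes)]; ValueError on a bad or glued marker or non-base64 body."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError("BEGIN %s is closed by END %s" % (begin, end))
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            raise ValueError("%s body is not base64 (marker glued to previous line?)" % begin)
        blocks.append((begin, der))
    if _PEM_BLOCK.sub("", text).strip():
        raise ValueError("text outside any BEGIN/END block (root cert missing its markers?)")
    return blocks

def check_certificate_paste(text, min_certs=2):
    """Problems with text headed for the Cluster Manager 'Certificate' box;
    an empty list means the file looks sane (chain order is not checked)."""
    try:
        labels = [label for label, _ in pem_blocks(text)]
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("a PRIVATE KEY block is mixed into the certificate material")
    if sum(label == "CERTIFICATE" for label in labels) < min_certs:
        problems.append("fewer than %d CERTIFICATE blocks: chain or root not appended" % min_certs)
    return problems

def make_pem(label, der):
    """Wrap raw bytes in PEM armour; used here only to build constructed samples."""
    body = base64.b64encode(der).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, lines, label)

# Constructed samples: placeholder bytes, not real certificates or keys.
LEAF = make_pem("CERTIFICATE", b"constructed leaf")
INTERMEDIATE = make_pem("CERTIFICATE", b"constructed intermediate")
ROOT = make_pem("CERTIFICATE", b"constructed root")
KEY = make_pem("PRIVATE KEY", b"constructed key")
```

Run check_certificate_paste(open("/tmp/fullchain.pem").read()) on the real file; anything other than an empty list means the paste should be fixed first.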

II. Install the SSL key and certificate

For ATCM, use the Cluster Manager UI. For APOD, see nginx.conf for details.

Process for ATCM

You will be installing fullchain.pem and privkey.pem via the Cluster Manager UI.

  1. Log into Cluster Manager.
  2. Select your cluster; the configuration menu options appear below it.
  3. Click SSL.
  4. Click the Edit button.
  5. Paste the contents of /etc/letsencrypt/live/CLUSTER-DNS-NAME/privkey.pem into the Private Key box.
  6. Paste the contents of /tmp/fullchain.pem into the Certificate box.
  7. Click Save Changes.
  8. Monitor deployment of SSL certs.

Navigate to the Monitor Nodes page of your cluster. Monitor the Event log, and confirm that new SSL certs are published to each node:

16:17:45 1 Lifecycle Manager INFO Updated local SSL private key file
16:17:45 1 Lifecycle Manager INFO Updated local SSL certificate file

Process for APOD

  1. On the APOD node, run the following commands:
    # cp /tmp/fullchain.pem /opt/aspera/etc/aspera_server_cert.pem
    # cp /etc/letsencrypt/live/CLUSTER-DNS-NAME/privkey.pem /opt/aspera/etc/aspera_server_key.pem
    # cat /opt/aspera/etc/aspera_server_key.pem >> /opt/aspera/etc/aspera_server_cert.pem
    # /etc/init.d/asperanoded restart
  2. Make a backup of existing keys (/opt/aspera/shares/etc/nginx/cert.*)
  3. Copy fullchain.pem to /opt/aspera/shares/etc/nginx/cert.pem
  4. Copy privkey.pem to cert.key (same location)
  5. Restart nginx via the Shares init script
    /etc/init.d/aspera-shares stop
    /etc/init.d/aspera-shares start

III. Verify your certificates

Point your browser at your cluster's DNS name and view the certificate details to confirm that the new certificate is being served.
