Error when trying to enable SSL certificate verification on Faspex node

Issue

When adding an Enterprise Server node with signed certificates as file storage in Faspex, selecting the Verify SSL Certificate option causes the node to fail to be added, with the error: Not Pingable SSL error.

This error is most likely due to Faspex being unable to find the location of the certificate. The Ruby bundled with Faspex looks for trusted CA certificates at default paths compiled into its OpenSSL library, and those paths may not exist on your server. A future release of Faspex will allow users to configure the location of a signed SSL certificate. In the meantime, you can use the resolution below.

  • Operating System: Linux
  • Product: Faspex
  • Product Version: 4.0.1 and below

Resolution

1. Run this command to output the paths of the SSL certificate file and directory:

/opt/aspera/common/ruby/bin/ruby -e 'require "openssl"; puts OpenSSL::OPENSSL_VERSION; puts "SSL_CERT_FILE: %s" % OpenSSL::X509::DEFAULT_CERT_FILE; puts "SSL_CERT_DIR: %s" % OpenSSL::X509::DEFAULT_CERT_DIR'

The output of the command will be in a format similar to the following (though the paths on your system will be different):

OpenSSL 1.0.1j 15 Oct 2014
SSL_CERT_FILE: /aspera/build/.tmp/builder/3_98407_3260/linux-64/result/BUILD/linux-64-release/ssl/cert.pem
SSL_CERT_DIR: /aspera/build/.tmp/builder/3_98407_3260/linux-64/result/BUILD/linux-64-release/ssl/certs

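2. On your Faspex server, create the file path that was output by the command you ran in Step 1, then create a symlink to the ca-bundle.crt file with the following commands. The /aspera/build/... paths below are taken from the example output above; replace them with the paths reported on your system: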

# mkdir /opt/aspera/faspex/ssl
# chown faspex:faspex /opt/aspera/faspex/ssl/
# ln -s /etc/ssl/certs/ca-bundle.crt /opt/aspera/faspex/ssl/cert.pem
# chown -h faspex:faspex /opt/aspera/faspex/ssl/cert.pem
# mkdir -p /aspera/build/.tmp/builder/3_98407_3260/linux-64/result/BUILD/linux-64-release
# ln -s /opt/aspera/faspex/ssl /aspera/build/.tmp/builder/3_98407_3260/linux-64/result/BUILD/linux-64-release

3. Create the signed cert, key, and chain file on the node if this hasn't been done yet.

See this Knowledge Base article for further instructions on creating the certificate, key and chain file on an Enterprise Server.

4. For the CA that certified your Faspex nodes, obtain the root certificate and add it to your Faspex server.

Install the ca-certificates package and enable the dynamic CA configuration feature:

# yum install ca-certificates
# update-ca-trust force-enable

Copy the root certificate (foo.crt in this example) into the anchors directory as a new file:

# cp foo.crt /etc/pki/ca-trust/source/anchors/

Run the following command to regenerate the system CA bundle so that it includes the new root certificate:

# update-ca-trust extract
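
To confirm the result of the steps above, the following check reports whether the CA file path from Step 1 resolves to a readable bundle and, optionally, performs a verified TLS handshake with the node. It is an added example, not part of the original article or of Aspera's code; the node hostname and port are assumed inputs that you supply as arguments, and it is intended to be run as the faspex user with the bundled Ruby from Step 1.

```ruby
require "openssl"
require "socket"

# Classify a CA bundle path the way the verifying process will find it.
def inspect_ca_file(path)
  unless File.exist?(path)               # File.exist? follows symlinks
    return { :status => :dangling_symlink, :target => File.readlink(path) } if File.symlink?(path)
    return { :status => :missing }
  end
  real = File.realpath(path)
  return { :status => :unreadable, :target => real } unless File.readable?(real)
  pems = File.binread(real).scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  certs = pems.map { |pem| OpenSSL::X509::Certificate.new(pem) }  # raises on a corrupt entry
  { :status => (certs.empty? ? :no_certificates : :ok), :target => real, :count => certs.size }
end

# TLS handshake with peer verification against OpenSSL's default CA paths,
# i.e. the paths printed in Step 1.
def verify_node(host, port)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = store
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.hostname = host if ssl.respond_to?(:hostname=)  # SNI
  ssl.connect
  ssl.post_connection_check(host)                      # name must match the certificate
  "verified: #{ssl.peer_cert.subject}"
rescue OpenSSL::SSL::SSLError => e
  "verification failed: #{e.message}"
ensure
  (ssl || tcp).close if tcp
end

if __FILE__ == $0
  file = ENV["SSL_CERT_FILE"] || OpenSSL::X509::DEFAULT_CERT_FILE
  puts "#{file}: #{inspect_ca_file(file).inspect}"
  host, port = ARGV  # assumed inputs: node hostname and HTTPS port, supplied by you
  puts verify_node(host, Integer(port)) if host && port
end
```

A status of dangling_symlink or missing means the links from Step 2 do not match the paths printed in Step 1; a failed handshake with an ok bundle points to the root certificate from Step 4 not being in the extracted bundle.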


 
