When you add an Enterprise Server node with signed certificates as file storage in Faspex and select the Verify SSL Certificate option, the node fails to be added and Faspex reports the error:
Not Pingable SSL error.
This error is most likely due to Faspex being unable to find the location of the certificate. A future release of Faspex will allow users to configure the location of a signed SSL certificate. In the meantime you can employ the resolution below.
- Operating System: Linux
- Product: Faspex
- Product Version: 4.0.1 and below
1. Run this command to output the paths of the SSL certificate file and directory:
/opt/aspera/common/ruby/bin/ruby -e 'require "openssl"; puts OpenSSL::OPENSSL_VERSION; puts "SSL_CERT_FILE: %s" % OpenSSL::X509::DEFAULT_CERT_FILE; puts "SSL_CERT_DIR: %s" % OpenSSL::X509::DEFAULT_CERT_DIR'
The output of the command will be in a format similar to the following (though the paths on your system will be different):
OpenSSL 1.0.1j 15 Oct 2014
SSL_CERT_FILE: /aspera/build/.tmp/builder/3_98407_3260/linux-64/result/BUILD/linux-64-release/ssl/cert.pem
SSL_CERT_DIR: /aspera/build/.tmp/builder/3_98407_3260/linux-64/result/BUILD/linux-64-release/ssl/certs
2. On your Faspex server, create the file path that was output by the command you ran in Step 1, then create a symlink for the ca-bundle.crt file with the following commands (the build path shown is the example from Step 1; use the path from your own output):
# mkdir /opt/aspera/faspex/ssl
# chown faspex:faspex /opt/aspera/faspex/ssl/
# ln -s /etc/ssl/certs/ca-bundle.crt /opt/aspera/faspex/ssl/cert.pem
# chown -h faspex:faspex /opt/aspera/faspex/ssl/cert.pem
# mkdir -p /aspera/build/.tmp/builder/3_98407_3260/linux-64/result/BUILD/linux-64-release
# ln -s /opt/aspera/faspex/ssl /aspera/build/.tmp/builder/3_98407_3260/linux-64/result/BUILD/linux-64-release
3. Create the signed cert, key, and chain file on the node if this hasn't been done yet.
4. For the CA that certified your Faspex nodes, obtain the root certificate and add it to your Faspex server.
Install the ca-certificates package and enable the dynamic CA configuration feature:
# yum install ca-certificates
# update-ca-trust force-enable
Add the root certificate (foo.crt in this example) as a new file:
# cp foo.crt /etc/pki/ca-trust/source/anchors/
Run the following command to finish:
# update-ca-trust extract
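The following added example (not Aspera code) models why the procedure works: a client that trusts only the CA bundle at one default path fails verification until that path resolves to a bundle containing the issuing CA. The CA, node certificate, temporary paths and the helper names make_cert, verifies? and demo are all constructed for illustration; how Faspex itself loads the bundle is an assumption.

```ruby
require "openssl"
require "tmpdir"
require "fileutils"

# Constructed sample data: a throwaway CA (no issuer given) or a node
# certificate signed by that CA. Generated in memory, never a real cert.
def make_cert(cn, key, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  constraint = issuer ? "CA:FALSE" : "CA:TRUE"
  cert.add_extension(ef.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Verify node_cert using only the bundle at cert_file. A missing file or a
# dangling symlink leaves the trust store empty, so verification fails.
def verifies?(node_cert, cert_file)
  store = OpenSSL::X509::Store.new
  store.add_file(cert_file) if File.file?(cert_file)
  store.verify(node_cert)
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("Constructed Test CA", ca_key)
  node = make_cert("node.example.test", OpenSSL::PKey::RSA.new(2048),
                   issuer: ca, issuer_key: ca_key)
  Dir.mktmpdir do |tmp|
    bundle = File.join(tmp, "ca-bundle.crt")   # stands in for the system bundle
    File.write(bundle, ca.to_pem)
    ssl_dir = File.join(tmp, "build", "ssl")   # stands in for the Step 1 path
    FileUtils.mkdir_p(ssl_dir)
    default_file = File.join(ssl_dir, "cert.pem")
    before = verifies?(node, default_file)     # path does not exist yet
    File.symlink(bundle, default_file)         # the Step 2 symlink
    after = verifies?(node, default_file)
    File.delete(bundle)                        # symlink target removed
    { before: before, after: after, dangling: verifies?(node, default_file) }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The dangling case is worth checking on a real server after step 2: if /etc/ssl/certs/ca-bundle.crt is absent or unreadable by the faspex user, the symlink exists but verification still fails.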