Quick to-do for updating Docker web with commercial certifications - Cook Book

Easy to remember, and it can already be found in many places


Creating the CSR for the commercial wildcard certificate (rsa:xxxx is the key length in bits; the output below shows a 2048-bit key):
openssl req -new -nodes -keyout my.key -out my.csr -newkey rsa:xxxx

Generating a RSA private key
.....................+++++
........+++++
writing new private key to 'my.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:FL
Locality Name (eg, city) []:Orlando
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:IT-Service
Common Name (e.g. server FQDN or YOUR name) []:*.mydomain.com ----> Attention: really *.mydomain.com for the wildcard
Email Address []:postmaster@mydomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mypass
An optional company name []:MyCompany Ltd

Check whether the CSR is in order:

openssl req -text -noout -verify -in my.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = FL, L = Orlando, O = MyCompany, OU = IT-Service, CN = *.mydomain.com, emailAddress = postmaster@mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :mypass
            unstructuredName         :MyCompany Ltd
    Signature Algorithm: sha256WithRSAEncryption

The wildcard cert can then be requested from the provider with this CSR. In principle, the same procedure with a CSR can also be used for Let's Encrypt.

We continue with

Step 1) Append the Intermediate_CA_Bundle.crt (and, depending on the requirements, the root.crt) to the commercial certificate, here xxxx.crt, with cat, producing the file server.crt:

cat my.crt Intermediate_CA_Bundle.crt > server.crt

Step 2) Remove the password from the key --> if this is ever needed, write the key out to an unencrypted key file:

openssl rsa -in my.key -out my_deencrypted.key


The key file, the cert file for the wildcard, the Intermediate_CA_Bundle.crt and the root.crt are handed over to the provider; please keep them safe.


Copy the key as server.key and the combined certificate as server.crt to /opt/novell/gw/certs.
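Before the copy, a quick check that the pair really fits together. This is an added example and not part of the original post; it assumes the openssl CLI is installed, and make_demo_material only produces constructed self-signed test data standing in for the real commercial certificate.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# server.crt / server.key pair before it is copied to /opt/novell/gw/certs.
# Assumes the openssl CLI is installed; file names follow the post.

# check_cert_pair CRT KEY EXPECTED_NAME
# Succeeds only if KEY is stored unencrypted (step 2 of the post), KEY
# matches the first certificate in CRT (the leaf, which step 1 puts before
# the CA bundle), and EXPECTED_NAME (e.g. *.mydomain.com) appears in the
# leaf's subject CN or subjectAltName list.
check_cert_pair() {
    crt=$1; key=$2; want=$3
    # nginx inside the container cannot prompt for a key passphrase
    if grep -q ENCRYPTED "$key"; then
        echo "$key is still passphrase-protected, run openssl rsa first" >&2
        return 1
    fi
    # compare the public key in the cert with the one derived from the key
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "$key does not belong to the certificate in $crt" >&2
        return 1
    fi
    # the leaf must actually carry the wildcard name (CN or SAN)
    case "$(openssl x509 -in "$crt" -noout -text)" in
        *"$want"*) return 0 ;;
        *) echo "$want not found in CN or SAN of $crt" >&2; return 1 ;;
    esac
}

# make_demo_material DIR: constructed test data only (self-signed wildcard
# cert, an unrelated key, and a passphrase-protected copy of the real key).
make_demo_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/ST=FL/L=Orlando/O=MyCompany/CN=*.mydomain.com" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    openssl rsa -in "$dir/server.key" -aes256 -passout pass:demo \
        -out "$dir/server_encrypted.key" >/dev/null 2>&1
}

# usage: make_demo_material /tmp/demo && check_cert_pair /tmp/demo/server.crt /tmp/demo/server.key '*.mydomain.com'
```

With the real files, call check_cert_pair on server.crt and the key from step 2 with the wildcard name from the CSR; a non-zero exit and a message on stderr tells you which of the three conditions failed.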

Then execute docker exec gwweb bash -c "/update/update-certs.sh":

docker exec gwweb bash -c "/update/update-certs.sh"
update-certs.sh: Running update script...
/etc/nginx/gw/poas.conf exists.
Requesting certificate of myserver.com:7191 server
/etc/nginx/gw/dvas.conf exists.
Requesting certificate myserver.com:8301 server
/etc/nginx/gw/smg.conf exists.
Requesting certificate of localhost:443 server
Copying /etc/nginx/gw/smgca.crt file
Copying /etc/nginx/gw/ca.crt file
Upstream servers certificates are available. Updating the CA...
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
update-certs.sh: Update script completed

When using wildcard certificates, error messages such as nginx: [emerg] host not found in upstream "myserver:7191" in /etc/nginx/gw/web.conf:1 may appear. This is due to the CN in the wildcard certificate, which is *.mydomain.com.



“You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei
