
SSL certs for Cloud Exchange using Let’s Encrypt


Requirements

  • Cloud Exchange and the underlying Ubuntu server running

  • Domain URL already set up

Setup steps

  1. Domain and DNS setup

  2. Install Certbot

  3. Run Certbot to generate certificates

  4. Install certificates for Cloud Exchange to use

Domain and DNS setup

I get that this part might not be needed, so if you already know how to set up DNS, skip down to the Certbot section. Buying the domain is super easy: you just select “Get a new domain” in Google Domains, so I won’t cover that. Of course you can use any service to buy your domain.




DNS - I went to domains.google.com > DNS and created an A record pointing to my Cloud Exchange Ubuntu server running in AWS.




Host name            Type   TTL      Data
demo1-netskope.com   A      1 hour   35.165.210.194

Now I can get to my Cloud Exchange with the URL instead of the IP address, but as you see I get a certificate error because I am using a self-signed certificate. That is where Certbot comes in.





Install Certbot


SSH to your Ubuntu server and run the following command. 



  • sudo apt-get -y install certbot




Run Certbot to generate certificates


To run Certbot you will need to be root, so either su or run it with sudo.


Note: before running the command below you will need to stop Cloud Exchange if it is already running. To do this, go into ~/netskope/ta_cloud_exchange and run ./stop



  • sudo certbot certonly --standalone --rsa-key-size 2048 --key-type rsa


Well that didn’t work. In the error message below you will see that Certbot needs port 80. I didn’t/don’t have that allowed to my AWS EC2 instance.



Once I added port 80 to AWS I was able to run the command and get my certificate downloaded. The message tells you where it placed the two files (certificate and key) that you need for Cloud Exchange.



  • Certificate is saved at: /etc/letsencrypt/live/demo1-netskope.com/fullchain.pem

  • Key is saved at:         /etc/letsencrypt/live/demo1-netskope.com/privkey.pem





Install certificates for Cloud Exchange to use


Move into your Cloud Exchange data directory ~/netskope/ta_cloud_exchange/data. You will see two cert folders. The ca_certs folder is for certificates used when talking to on-prem servers that require an SSL certificate to authenticate. The one we want is ssl_certs.



Move your newly minted Let’s Encrypt certs into the ssl_certs folder. To get into the ssl_certs directory you will need to be root. Use the following command.



  • sudo -s


The two files that you will need to replace are cte_cert.crt (w/ fullchain.pem) and cte_cert_key.key (w/ privkey.pem).



Use the following commands to do that. As you can see from the commands I used, I am still in the folder ~/netskope/ta_cloud_exchange/data/ssl_certs.




Note: you will need to replace demo1-netskope.com in the path with your own domain.



  • cp /etc/letsencrypt/live/demo1-netskope.com/fullchain.pem fullchain.pem

  • cp /etc/letsencrypt/live/demo1-netskope.com/privkey.pem privkey.pem


Remove the Cloud Exchange default cte_cert.crt and cte_cert_key.key files from the ssl_certs directory. 



  • rm cte_cert.crt

  • rm cte_cert_key.key


Change the name of the newly copied files to the names that Cloud Exchange will be looking for. 



  • mv fullchain.pem cte_cert.crt

  • mv privkey.pem cte_cert_key.key


The certs won’t have the correct permissions, so the last step before the reboot is to change them.



  • chmod 666 cte_cert.crt

  • chmod 666 cte_cert_key.key


Reboot the system with 



  • sudo reboot


Long term issues


You might have already guessed it, but once the cert expires in 90 days you will need to redo copying the certs into this new location. I will update this post once I figure out the cron job steps to do that automatically.
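One way to automate the re-copy, as an added example that is not from the original post or from Netskope: a certbot deploy hook that repeats the cp/rm/mv/chmod steps of the previous section each time `certbot renew` succeeds. It assumes the ssl_certs path and file mode set at the top (both adjustable), relies on certbot's standard deploy-hook directory and RENEWED_LINEAGE variable, and still leaves the restart of Cloud Exchange to you, as the post does with a reboot.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot deploy hook that
# re-installs a renewed Let's Encrypt certificate into Cloud Exchange.
# Certbot runs executables placed in /etc/letsencrypt/renewal-hooks/deploy/
# after each successful renewal and exports RENEWED_LINEAGE, the
# /etc/letsencrypt/live/<domain> directory holding the new files.
set -eu

# Assumed location of the Cloud Exchange ssl_certs directory; adjust to match.
CX_SSL_DIR="${CX_SSL_DIR:-/root/netskope/ta_cloud_exchange/data/ssl_certs}"
# The post uses chmod 666, which makes the private key world-readable and
# writable. Use the most restrictive mode the Cloud Exchange process can
# still read; 644 is the assumed default here.
CERT_MODE="${CERT_MODE:-644}"

# install_cx_certs <lineage_dir> <ssl_certs_dir> <mode>
# Copies fullchain.pem -> cte_cert.crt and privkey.pem -> cte_cert_key.key.
# Each file is written to a temporary name and then moved over the old one,
# so an interrupted copy never leaves a half-written key in place.
install_cx_certs() {
    lineage="$1"; dest="$2"; mode="$3"
    if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
        echo "fullchain.pem or privkey.pem missing in $lineage" >&2; return 1
    fi
    [ -d "$dest" ] || { echo "ssl_certs directory $dest not found" >&2; return 1; }
    for pair in fullchain.pem:cte_cert.crt privkey.pem:cte_cert_key.key; do
        src="${pair%%:*}"; dst="${pair##*:}"
        cp "$lineage/$src" "$dest/$dst.tmp"
        chmod "$mode" "$dest/$dst.tmp"
        mv -f "$dest/$dst.tmp" "$dest/$dst"
    done
    # Sanity check: the installed key must belong to the installed certificate,
    # otherwise the TLS listener cannot use the pair after the restart.
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$dest/cte_cert.crt" -noout -pubkey)
        key_pub=$(openssl pkey -in "$dest/cte_cert_key.key" -pubout)
        [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert" >&2; return 1; }
    fi
}

# When invoked by certbot, install the renewed lineage; otherwise do nothing,
# so the script can also be run by hand to check it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cx_certs "$RENEWED_LINEAGE" "$CX_SSL_DIR" "$CERT_MODE"
    # Cloud Exchange must be restarted to pick up the new files; the post
    # does this with "sudo reboot".
fi
```

Because the certificate was issued with --standalone, certbot needs port 80 free at renewal time, so run `certbot renew` with a --pre-hook that executes ./stop in ~/netskope/ta_cloud_exchange as the post describes. The post names no matching start command, so bringing Cloud Exchange back up is left to a reboot or a --post-hook of your own.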

