Netskope Community
03-16-2023 11:45 AM
SSL certs for Cloud Exchange using Let’s Encrypt
I get that this part might not be needed, so if you already know how to set up DNS, skip down to the Certbot section. Buying the domain is super easy: you just select “get a new domain” in Google Domains, so I won’t cover that. Of course you can use any service to buy your domain.
DNS - I went to domains.google.com > DNS and created my A record to point to my Cloud Exchange Ubuntu server that is running in AWS.
Host name | Type | TTL    | Data
          | A    | 1 hour | 35.165.210.194
Now I can get to my Cloud Exchange with the URL instead of the IP address, but as you see I have a certificate error because I am using a self-signed certificate. That is where Certbot comes in.
SSH to your Ubuntu server and run the following command.
Run Certbot to generate certificates
In order to run Certbot you will need to be a root user. So either su or run with sudo.
Note: before running the below you will need to stop Cloud Exchange if it is already running. To do this go into ~/netskope/ta_cloud_exchange and run ./stop
Well, that didn’t work. In the error message below you will see that Certbot needs port 80, which I didn’t (and don’t) have allowed to my AWS EC2 instance.
Once I added port 80 to AWS I was able to run the command and get my certificate downloaded. The message tells you where it placed the two files that you need for Cloud Exchange.
Move into your Cloud Exchange data directory ~/netskope/ta_cloud_exchange/data. You will see two cert folders. The ca_certs folder is for certificates used when talking to on-prem servers that require an SSL certificate to authenticate. The one we want is ssl_certs.
Move your newly minted Let’s Encrypt certs into the ssl_certs folder. In order to get into the ssl_certs directory you will need to be a root user. Use the following command.
The two files that you will need to replace are cte_cert.crt (with fullchain.pem) and cte_cert_key.key (with privkey.pem).
Use the following command to do that. As you can see from the command I used, I am still in the folder ~/netskope/ta_cloud_exchange/data/ssl_certs.
Note: you will need to replace demo1-netskope.com in the path with your own domain.
Remove the Cloud Exchange default cte_cert.crt and cte_cert_key.key files from the ssl_certs directory.
Change the name of the newly copied files to the names that Cloud Exchange will be looking for.
The certs won’t have the correct permissions so the last step before the reboot is to change them.
Reboot the system with
Long term issues
You might have already guessed it, but once the cert expires in 90 days you will need to redo copying the certs into this new location. I will update this post once I figure out the cron job steps to do that automatically.
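As an added example (not from the original post or from Netskope), here is a certbot deploy-hook script that repeats the copy, rename and permission steps above after every issuance or renewal, which is one way to handle the 90-day expiry without a separate cron job. It assumes the post’s ssl_certs path and the cte_cert.crt / cte_cert_key.key file names; the CE_SSL_DIR variable and the 0644/0600 file modes are my assumptions (the post only says the default permissions are wrong), and RENEWED_LINEAGE is the variable certbot itself exports to --deploy-hook scripts. Cloud Exchange still has to be restarted afterwards, as the post does with a reboot.

```shell
#!/bin/sh
# Added example: certbot deploy hook that installs a freshly issued or renewed
# Let's Encrypt chain/key pair into the Cloud Exchange ssl_certs directory under
# the file names Cloud Exchange expects (cte_cert.crt / cte_cert_key.key).
set -eu

# Default path taken from the post; override with CE_SSL_DIR=... if needed.
CE_SSL_DIR="${CE_SSL_DIR:-${HOME:-/root}/netskope/ta_cloud_exchange/data/ssl_certs}"

# install_ce_certs SRC_DIR DEST_DIR
#   SRC_DIR  - a certbot "live" directory holding fullchain.pem and privkey.pem
#   DEST_DIR - the Cloud Exchange ssl_certs directory
# Returns non-zero (and installs nothing) if either source file is missing.
install_ce_certs() {
    src="$1"
    dst="$2"
    for f in fullchain.pem privkey.pem; do
        if [ ! -f "$src/$f" ]; then
            echo "install_ce_certs: $src/$f not found" >&2
            return 1
        fi
    done
    mkdir -p "$dst"
    # Stage under temporary names, fix permissions, then rename into place so
    # Cloud Exchange never sees a half-written or world-readable key file.
    cp "$src/fullchain.pem" "$dst/cte_cert.crt.tmp"
    cp "$src/privkey.pem"   "$dst/cte_cert_key.key.tmp"
    # Modes are an assumption: chain world-readable, key owner-only.
    chmod 0644 "$dst/cte_cert.crt.tmp"
    chmod 0600 "$dst/cte_cert_key.key.tmp"
    mv "$dst/cte_cert.crt.tmp"     "$dst/cte_cert.crt"
    mv "$dst/cte_cert_key.key.tmp" "$dst/cte_cert_key.key"
}

# verify_ce_certs DEST_DIR: 0 when both files are present and the key is mode 0600.
verify_ce_certs() {
    dst="$1"
    [ -s "$dst/cte_cert.crt" ] || return 1
    [ -n "$(find "$dst" -name cte_cert_key.key -perm 600)" ] || return 1
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<your-domain>) to
# deploy hooks; when invoked that way, install straight from it. Restart Cloud
# Exchange afterwards so it picks up the new files.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_ce_certs "$RENEWED_LINEAGE" "$CE_SSL_DIR"
    verify_ce_certs "$CE_SSL_DIR"
fi
```

Saved as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ (or passed with certbot's --deploy-hook) it runs only when a certificate was actually issued or renewed; run by hand with no arguments it does nothing, so the functions can be sourced and tested safely.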