Trusting the Controller's Self Signed Cert on the Nodes

This section only applies to SwiftStack Controller On-Premises installations and is not relevant for SwiftStack customers using SwiftStack Controller As-a-Service.

To replace the automatically generated self signed certificate with one purchased from an authorized Certificate Authority, please see Generating and Applying SSL Certificates

SwiftStack does not endorse using a self signed certificate on production controllers, but in the event that your organization has decided that this is an acceptable risk, here are the instructions for configuring your nodes to successfully validate the controller's self signed cert.

Ubuntu

From the controller's shell, transfer the ssman.crt file to the Node(s):

$ scp /opt/ss/etc/ssman.crt root@node1.example.com:/usr/local/share/ca-certificates/

On the Node, log in as root and add the certificate by updating the Node's CA certificates:

$ update-ca-certificates

Note

if you've done all the above and the node still doesn't trust the controller's cert, run sudo c_rehash on the node and run sudo restart ssnoded.

RHEL / CentOS Linux

From the controller's shell, transfer the ssman.crt file to the Node(s):

$ scp /opt/ss/etc/ssman.crt root@node1.example.com:/etc/pki/ca-trust/source/anchors

On the Node, log in as root and add the certificate by updating the Node's CA certificates:

$ update-ca-trust extract

Note

if you've done all the above and the node still doesn't trust the controller's cert, run sudo systemctl restart ssnoded.

Test It

The curl utility uses the same strong SSL certificate validation that the SwiftStaqck node agent does. You can test your controller certificate by running this on the node(s):

$ curl -1 :controller:`/`