Trusting the Controller's Self Signed Cert on the Nodes
This section only applies to SwiftStack Controller On-Premises installations and is not relevant for SwiftStack customers using SwiftStack Controller As-a-Service.
To replace the automatically generated self-signed certificate with one purchased from an authorized Certificate Authority, please see Generating and Applying SSL Certificates.
SwiftStack does not endorse using a self-signed certificate on production controllers, but if your organization has decided that this is an acceptable risk, here are the instructions for configuring your nodes to successfully validate the controller's self-signed cert.
Ubuntu
From the controller's shell, transfer the ssman.crt file to the Node(s):
$ scp /opt/ss/etc/ssman.crt root@node1.example.com:/usr/local/share/ca-certificates/
On the Node, log in as root and add the certificate by updating the Node's CA certificates:
$ update-ca-certificates
Note
If you've done all the above and the node still doesn't trust the controller's cert, run sudo c_rehash on the node and run sudo restart ssnoded.
RHEL / CentOS Linux
From the controller's shell, transfer the ssman.crt file to the Node(s):
$ scp /opt/ss/etc/ssman.crt root@node1.example.com:/etc/pki/ca-trust/source/anchors
On the Node, log in as root and add the certificate by updating the Node's CA certificates:
$ update-ca-trust extract
Note
If you've done all the above and the node still doesn't trust the controller's cert, run sudo systemctl restart ssnoded.
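A file placed in the anchor directory becomes trusted by every program on the node that uses the system CA store, so it is worth confirming that the copy on the node is the controller's certificate before running the update command on either distribution. The following is an added example, not part of the SwiftStack documentation; the function names are hypothetical and it assumes the openssl command-line tool is installed on both hosts.

```bash
#!/usr/bin/env bash
# Added example: confirm the copied ssman.crt is the controller's certificate
# before update-ca-certificates / update-ca-trust makes it a trust anchor.

# Print a certificate's SHA-256 fingerprint as bare upper-case hex.
# OpenSSL prints "<digest> Fingerprint=AA:BB:..."; keep only the hex digits.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Accept a fingerprint with or without colons, in either case.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# check_anchor CERT EXPECTED_FP
# Returns 0 = fingerprint matches and not expired, 1 = not a readable certificate,
#         2 = fingerprint differs from the controller's, 3 = expired.
check_anchor() {
    local cert expected actual
    cert=$1
    expected=$(normalise_fp "$2")
    actual=$(cert_fingerprint "$cert")
    [ -n "$actual" ] || return 1
    [ "$actual" = "$expected" ] || return 2
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 3
    return 0
}

# Usage (paths from this page; the fingerprint is whatever the controller printed):
#   controller$ cert_fingerprint /opt/ss/etc/ssman.crt
#   node#       check_anchor /usr/local/share/ca-certificates/ssman.crt "<fingerprint>" \
#                   && update-ca-certificates
```

On RHEL / CentOS, pass the path under /etc/pki/ca-trust/source/anchors instead and follow a successful check with update-ca-trust extract.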
Test It
The curl utility uses the same strong SSL certificate validation that the SwiftStack node agent does. You can test your controller certificate by running this on the node(s):
$ curl -1 :controller:`/`