Accessing the admin panel via SSL

When configuring Virtuozzo Hybrid Infrastructure and its services, you may need to enter sensitive information such as credentials for user and email accounts, S3 services, and so on. The system uses a pregenerated self-signed certificate by default, and you may want to upload one issued by a trusted certificate authority instead.

Limitations

  • You can upload an SSL certificate before creating the high availability (HA) cluster. However, if you later create the HA cluster, the admin panel will move to the chosen virtual IP address. If the certificate was issued for the admin panel’s current IP address, you will need to acquire a new SSL certificate issued for the virtual IP address. If the certificate was issued for a domain name, ensure that this domain name resolves to the virtual IP address.
  • If you acquired an SSL certificate from an intermediate certificate authority (CA), you should have an end-user certificate along with a CA bundle that contains the root and intermediate certificates. To be able to use these certificates, you need to merge them into a chain first. A certificate chain includes the end-user certificate, the certificates of intermediate CAs, and the certificate of a trusted root CA. In this case, an SSL certificate can only be trusted if every certificate in the chain is properly issued and valid.

    For example, if you have an end-user certificate, two intermediate CA certificates, and a root CA certificate, create a new certificate file and add all certificates to it in the following order:

    # End-user certificate issued by the intermediate CA 1
    -----BEGIN CERTIFICATE-----
    MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1X<...>
    -----END CERTIFICATE-----
    # Intermediate CA 1 certificate issued by the intermediate CA 2
    -----BEGIN CERTIFICATE-----
    MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9ON9<...>
    -----END CERTIFICATE-----
    # Intermediate CA 2 certificate issued by the root CA
    -----BEGIN CERTIFICATE-----
    MIIC8jCCAdqgAwIBAgICZngwDQYJKoZIhvcN<...>
    -----END CERTIFICATE-----
    # Root CA certificate
    -----BEGIN CERTIFICATE-----
    MIIDODCCAiCgAwIBAgIGIAYFFnACMA0GCSqG<...>
    -----END CERTIFICATE-----
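
One way to check a merged chain file before uploading it, as an added example that is not part of the product documentation. It assumes openssl is installed, and check_chain_order is a hypothetical helper name. It confirms that each certificate is issued by the next one in the file, that the file ends with a self-signed root, and that signatures and validity dates verify.

```shell
#!/bin/sh
# Added example (not vendor code): sanity-check a merged certificate chain file.
# Assumes openssl is installed; check_chain_order is a hypothetical helper name.
# Returns 0 if the chain is ordered and verifies, 1 if not, 2 on read errors.

check_chain_order() {
    chain=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate; comment lines are skipped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$chain"
    rc=0; count=0; prev_issuer=""
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || { echo "no certificates found in $chain" >&2; rc=2; break; }
        subject=$(openssl x509 -in "$f" -noout -subject_hash) || { rc=2; break; }
        issuer=$(openssl x509 -in "$f" -noout -issuer_hash) || { rc=2; break; }
        count=$((count + 1))
        # Each certificate must be the issuer of the one before it.
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "certificate $count did not issue certificate $((count - 1))" >&2
            rc=1
        fi
        prev_issuer=$issuer
    done
    # The last certificate in the file must be a self-signed root.
    if [ "$rc" -eq 0 ] && [ "$issuer" != "$subject" ]; then
        echo "chain does not end with a self-signed root CA certificate" >&2
        rc=1
    fi
    # Names line up; now check signatures and validity dates. The root from the
    # file is the trust anchor, so this proves consistency, not public trust.
    if [ "$rc" -eq 0 ] && ! openssl verify -CAfile "$f" -untrusted "$chain" \
            "$tmp/001.pem" >/dev/null 2>&1; then
        echo "signature or validity check failed" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# When run as a script, check the file given as the first argument.
if [ "$#" -gt 0 ]; then check_chain_order "$1"; fi
```

Whether browsers trust the root is a separate question: compare its fingerprint with the one published by your CA.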
    

To upload an SSL certificate

Admin panel

  1. On the Settings > Management node > SSL access tab, click Upload.
  2. Upload an SSL certificate issued for the admin panel’s current IP address.
  3. Upload the private key. This option appears after you upload a valid certificate.
  4. Click Save.

The uploaded certificate will be added to the configuration of the web server that hosts the admin panel and you will be able to access it over HTTPS.

You can also generate a new self-signed certificate instead of the one used by default. However, it will not be trusted and you will have to manually accept it in your browser.

Command-line interface

Use the following command:

    vinfra cluster settings ssl set (--self-signed | --cert-file <cert_file>) [--key-file <key_file>] [--password]

--self-signed
    Generate a new self-signed certificate.
--cert-file <cert_file>
    Path to a file with the new certificate.
--key-file <key_file>
    Path to a file with the private key (used only with the --cert-file option).
--password
    Read certificate password from stdin (used only with the --cert-file option).

For example, to upload an SSL certificate from the cert.pem and key.pem files, run:

# vinfra cluster settings ssl set --cert-file cert.pem --key-file key.pem

You can view the uploaded SSL certificate in the vinfra cluster settings ssl show output:

# vinfra cluster settings ssl show
+-------------+-------+
| Field       | Value |
+-------------+-------+
| is_valid    | True  |
| self_signed | False |
| ssl         | True  |
+-------------+-------+