Accessing the admin panel via SSL
When configuring the Virtuozzo Hybrid Infrastructure and services, you may need to enter sensitive information such as credentials for user and email accounts, S3 services, and so on. The system uses a pregenerated self-signed certificate by default, but you may want to upload one issued by a trusted certificate authority instead. You can also generate a new self-signed certificate instead of the one used by default. However, it will not be trusted and you will have to manually accept it in your browser.
Limitations
- You can upload RSA certificates only. SSL certificates based on other algorithms are not supported.
- You can upload an SSL certificate before creating the high availability (HA) cluster. However, if you later create the HA cluster, the admin panel will move to the chosen virtual IP address. If the certificate was issued for the admin panel’s current IP address, you will need to acquire a new SSL certificate issued for the virtual IP address. If the certificate was issued for a domain name, ensure that this domain name resolves to the virtual IP address.
Prerequisites
- If you acquired an SSL certificate from an intermediate certificate authority (CA):
You should have an end-user certificate along with a CA bundle that contains the root and intermediate certificates. To be able to use these certificates, you need to merge them into a chain first. A certificate chain includes the end-user certificate, the certificates of intermediate CAs, and the certificate of a trusted root CA. In this case, an SSL certificate can only be trusted if every certificate in the chain is properly issued and valid.
For example, if you have an end-user certificate, two intermediate CA certificates, and a root CA certificate, create a new certificate file and add all certificates to it in the following order:
# End-user certificate issued by the intermediate CA 1
-----BEGIN CERTIFICATE-----
MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1X<...>
-----END CERTIFICATE-----
# Intermediate CA 1 certificate issued by the intermediate CA 2
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9ON9<...>
-----END CERTIFICATE-----
# Intermediate CA 2 certificate issued by the root CA
-----BEGIN CERTIFICATE-----
MIIC8jCCAdqgAwIBAgICZngwDQYJKoZIhvcN<...>
-----END CERTIFICATE-----
# Root CA certificate
-----BEGIN CERTIFICATE-----
MIIDODCCAiCgAwIBAgIGIAYFFnACMA0GCSqG<...>
-----END CERTIFICATE-----
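A pre-upload check for the merged chain file, added here as an example and not taken from the Virtuozzo documentation: it confirms the certificate order described above, that the end-user certificate uses an RSA key, and that the private key matches it. The function names are hypothetical, the openssl command-line tool is assumed to be installed, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example (not vendor code). Compares issuer/subject names only;
# it does not verify signatures or validity dates.

# split_chain FILE DIR: write each PEM certificate in FILE to DIR/1.pem,
# DIR/2.pem, ... and print how many were found. Comment lines are dropped.
split_chain() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
        keep { print > (d "/" n ".pem") }
        /-----END CERTIFICATE-----/ { keep = 0 }
        END { print n + 0 }' "$1"
}

# check_chain_order FILE: succeed only if every certificate names the next one
# in FILE as its issuer and the last certificate is self-issued (the root CA).
check_chain_order() {
    dir=$(mktemp -d) || return 2
    count=$(split_chain "$1" "$dir")
    rc=0
    [ "${count:-0}" -ge 1 ] || rc=1
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -le "$count" ]; do
        next=$((i + 1))
        if [ "$i" -eq "$count" ]; then next=$i; fi   # root: issuer is itself
        issuer=$(openssl x509 -noout -issuer_hash -in "$dir/$i.pem")
        subject=$(openssl x509 -noout -subject_hash -in "$dir/$next.pem")
        if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
            echo "certificate $i is not issued by certificate $next" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# check_rsa_key_pair FILE KEY: succeed only if the first (end-user) certificate
# in FILE has an RSA public key and KEY (assumed unencrypted) is its private key.
check_rsa_key_pair() {
    openssl x509 -noout -text -in "$1" |
        grep -q 'Public Key Algorithm: rsaEncryption' ||
        { echo "end-user certificate is not RSA" >&2; return 1; }
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match the certificate" >&2; return 1; }
}
```

Source the file and run both functions against the merged chain file and the key file before uploading them; a non-zero exit status and a message on stderr identify the failed check.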
To upload a third-party SSL certificate
Admin panel
- Go to Settings > System settings > SSL certificate.
- Select Upload a certificate, and then upload the following:
  - An SSL certificate issued for the admin panel’s current IP address or domain name
  - The matching private key or password (this option shows after uploading a valid certificate)
- Click Save.
- In the Change SSL certificate window, confirm that you want to change the SSL certificate. After you click Change, the admin panel will be automatically restarted.
The uploaded certificate will be added to the configuration of the web server that hosts the admin panel and you will be able to access it over HTTPS.
Command-line interface
Use the following command:
vinfra cluster settings ssl set --cert-file <cert_file> [--key-file <key_file>] [--password]
--cert-file <cert_file>
- Path to a file with the new certificate
--key-file <key_file>
- Path to a file with the private key
--password
- Read certificate password from stdin.
For example, to upload an SSL certificate from the cert.pem and key.pem files, run:
# vinfra cluster settings ssl set --cert-file cert.pem --key-file key.pem
You can view the uploaded SSL certificate in the vinfra cluster settings ssl show output:
# vinfra cluster settings ssl show
+-------------+-------+
| Field       | Value |
+-------------+-------+
| is_valid    | True  |
| self_signed | False |
| ssl         | True  |
+-------------+-------+
To generate a new self-signed SSL certificate
Admin panel
- Go to Settings > System settings > SSL certificate.
- Select Generate a certificate, and then click Save.
- In the Change SSL certificate window, confirm that you want to change the SSL certificate. After you click Change, the admin panel will be automatically restarted.
The generated certificate will be added to the configuration of the web server that hosts the admin panel, but you will have to manually accept it in your browser.
Command-line interface
Use the following command:
vinfra cluster settings ssl set --self-signed
--self-signed
- Generate a new self-signed certificate.
For example, to generate a new self-signed certificate, run:
# vinfra cluster settings ssl set --self-signed
You can view the SSL certificate in the vinfra cluster settings ssl show output:
# vinfra cluster settings ssl show
+-------------+-------+
| Field       | Value |
+-------------+-------+
| is_valid    | True  |
| self_signed | True  |
| ssl         | True  |
+-------------+-------+