Pre-requisite:
Issue: While importing the certificate and key file, the vnms-import-key-cert.sh script fails with the error “Failed to created the pkcs12 file“.
------------------------------------------------------------------------------------------------------------------------------------------
Error:
versa@VD1:/opt/versa/vnms/scripts$ ./vnms-import-key-cert.sh --key /var/versa/vnms/data/certs/versa.key --cert /home/Administrator/versa-2019-09-27-074120.cer.pem --storepass versa123 --keypass versa123 --cafile /home/Administrator/getacert.cer
=> Taking backup of existing certificates and keystores in /var/versa/vnms/data/certs/backup
Failed to created the pkcs12 file
---------------------------------------------------------------------------------------------------------------------------------------
To debug this error, check install.log under “/var/log/vnms”.
Case 1: If install.log shows the error “unable to load private key“, the cause can be invalid permissions on the key file or a wrong keypass.
--------------------------------------------------------------------------------------------------------------------------
Install.log:
Error opening private key /var/versa/vnms/data/certs/versa.key
140023988741792:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/var/versa/vnms/data/certs/versa.key','r')
140023988741792:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load private key
--------------------------------------------------------------------------------------------------------------------------------------
- Keyfile permission:
If you see the above error, check the permissions of the key file. They should be “640”, which grants no execute permission.
-rw-r----- 1 versa versa 1743 Mar 31 11:29 *.versa.com.key ------------> 640
Solution: Change the key file permissions and ownership, then try again
#sudo chmod 640 <path to keyfile>
#sudo chown versa:versa <path to keyfile>
- Invalid Keypass:
This can happen when the “keypass” value does not match the passphrase of the private key.
Validate the keypass of your private key using the following command:
# openssl pkey -in <privatekey.key> -pubout -outform pem | sha256sum
This command prompts for a password; enter the “keypass” value. If the passphrase is correct, a checksum value is printed without any error.
Solution: Use the correct “keypass” value.
Case 2: If install.log shows the error “No certificate matches private key “, the cause can be a mismatch between the certificate file and the key file.
--------------------------------------------------------------------------------------------------------------------------
Install.log:
Wed Apr 1 15:47:19 UTC 2020 INFO: Taking backup of existing certificates and keystores in /var/versa/vnms/data/certs/backup
Wed Apr 1 15:47:19 UTC 2020 DEBUG: private key is encrypted with password versa123
No certificate matches private key
Wed Apr 1 15:47:19 UTC 2020 ERROR: Failed to created the pkcs12 file
----------------------------------------------------------------------------------------------------------------------------------
Steps to Validate Certificate & Keyfile:
Compare the modulus of the private key with the modulus of the CA-signed certificate using the commands below to make sure you are using the matching key and certificate. The two MD5 values should be identical (the rsa command prompts for the keypass if the key is encrypted).
#openssl x509 -noout -modulus -in <certificate file> | openssl md5
#openssl rsa -noout -modulus -in <keyfile> | openssl md5
Solution: Use the correct certificate and key pair
Case 3: If install.log shows the error “Error unable to get issuer certificate getting chain “, the cause can be a wrong CA file.
------------------------------------------------------------------------------------------------------------------------------------
Install.log:
Wed Apr 1 15:46:35 UTC 2020 INFO: Taking backup of existing certificates and keystores in /var/versa/vnms/data/certs/backup
Wed Apr 1 15:46:35 UTC 2020 DEBUG: private key is encrypted with password versa123
Error unable to get issuer certificate getting chain.
Wed Apr 1 15:46:35 UTC 2020 ERROR: Failed to created the pkcs12 file
-----------------------------------------------------------------------------------------------------------------------------------
Steps to Validate CA File:
# openssl verify -verbose -CAfile <CA-certificate> <CA-signed-certificate>
Solution: Steps to get the correct root and intermediate CA
First, check how many CA certificates you need and put all of them (intermediate and root CA) in a single file.
You can find the number of CA certificates from the signed certificate itself; see the screenshot below.
Open the signed certificate by double-clicking it on any Windows PC.
Windows will only open .crt files, so if your certificate has a .pem extension, simply rename it to .crt and open it.
CA signed Cert:
In the screenshot above you can see two CA certificates, the intermediate and the root CA. You can export those certificates from the CA-signed certificate.
Then follow the same steps for the root CA, move both files to “/tmp” on Versa Director, and use the command below to combine the intermediate and root CA into a single file.
cat <intermediate-certificate.crt> <root-certificate.crt> > <CA-certificate>
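A pre-flight checker that runs the three validations above (Case 1: key file permissions, ownership and keypass; Case 2: key/certificate match; Case 3: CA bundle and chain) before calling vnms-import-key-cert.sh, as an added example that is not part of the Versa scripts or of this article. It assumes the openssl CLI is on PATH and that stat accepts -c (GNU or busybox); every path, password and hostname in it is hypothetical. The key/certificate match compares the certificate's public key with the one derived from the private key, which gives the same answer as the modulus/MD5 comparison above and also works for non-RSA keys. The make_test_pki function generates a constructed root, intermediate and leaf certificate (leaf key encrypted with "versa123") so the checks can be exercised offline.

```shell
#!/bin/sh
# Added pre-flight checker for the three failure modes above; not part of the
# Versa scripts. Assumes the openssl CLI on PATH and a stat that accepts -c.
# All paths, passwords and hostnames are hypothetical.

# Case 1: the key file must exist, be owned by the service user, have mode 640
# and decrypt with the supplied keypass ("unable to load private key" otherwise).
check_key_file() {
    local key="$1" keypass="$2" owner="${3:-versa}" mode user
    [ -f "$key" ] || { echo "key file not found: $key"; return 1; }
    mode=$(stat -c '%a' "$key") && user=$(stat -c '%U' "$key") || return 1
    [ "$mode" = "640" ] || { echo "key mode is $mode, expected 640"; return 1; }
    [ "$user" = "$owner" ] || { echo "key owner is $user, expected $owner"; return 1; }
    openssl pkey -in "$key" -passin "pass:$keypass" -pubout >/dev/null 2>&1 \
        || { echo "unable to load private key: wrong keypass or corrupt key"; return 1; }
    echo "key file OK"
}

# Case 2: the certificate's public key must equal the one derived from the
# private key. Comparing the SubjectPublicKeyInfo PEM is equivalent to the
# modulus/MD5 check in the text and also covers non-RSA keys.
check_key_matches_cert() {
    local key="$1" cert="$2" keypass="$3" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -passin "pass:$keypass" -pubout 2>/dev/null) \
        || { echo "cannot read private key $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "No certificate matches private key"; return 1; }
    echo "certificate and key match"
}

# Case 3: build the CA file from the intermediate and root certificates,
# refusing anything that is not PEM (a DER export would silently corrupt the
# bundle), then verify the signed certificate against the bundle.
build_ca_bundle() {
    local bundle="$1" f
    shift
    : > "$bundle"
    for f in "$@"; do
        grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null && openssl x509 -in "$f" -noout 2>/dev/null \
            || { echo "not a PEM certificate: $f"; rm -f "$bundle"; return 1; }
        cat "$f" >> "$bundle"
    done
    echo "wrote $bundle ($# certificates)"
}

check_chain() {
    local cafile="$1" cert="$2"
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
        || { echo "unable to get issuer certificate: $cafile does not complete the chain"; return 1; }
    echo "chain OK"
}

# Run the checks in the order the import script hits them.
preflight() {   # preflight <key> <cert> <cafile> <keypass> [owner]
    check_key_file "$1" "$4" "$5" && check_key_matches_cert "$1" "$2" "$4" && check_chain "$3" "$2"
}

# Constructed test material: a root CA, an intermediate CA and a leaf
# certificate whose private key is encrypted with "versa123".
make_test_pki() {
    local d="$1"
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Constructed Root CA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -days 2 -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Constructed Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -days 2 -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -keyout "$d/leaf.key" -passout pass:versa123 \
        -out "$d/leaf.csr" -subj "/CN=director.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -out "$d/leaf.crt" 2>/dev/null
    chmod 640 "$d/leaf.key"
}

# Run directly with four or five arguments to check a real key/cert/CA set;
# when sourced or run without arguments only the functions are defined.
if [ "$#" -ge 4 ]; then preflight "$@"; fi
```

Run it as ./preflight.sh <key> <cert> <CA-certificate> <keypass> [owner] before the import. The CA bundle step refuses DER input, so certificates exported from the Windows certificate viewer must be saved in the Base-64 encoded X.509 format before being concatenated into the CA file.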
After importing the certificate, make sure you sync the certificate with the Analytics clusters:
Sync the Versa Director certificate with the Analytics cluster using the command below.
# Admin@VersaDirector:/opt/versa/vnms/scripts#./vnms-cert-sync.sh --sync
Then verify the MD5 value using the command below.
# Admin@VersaDirector:/opt/versa/vnms/scripts#./vnms-cert-sync.sh --verify
Note: All Analytics cluster nodes should use the same password for the “versa” user. When you execute the above commands, you are asked for the “versa” user password twice: the first is the Director password and the second is the Analytics password for the versa user.
2022-10-27 update:
Starting with version 21.1.1, the SSL certificate used by the Analytics web server must also be synchronized to Director, because the HTTP connection was deprecated and only SSL is now available:
VersaDirector:/opt/versa/vnms/scripts/vd-van-cert-upgrade.sh --pull