Hi
So I've recently deployed an 8-node vROps environment, and finally got around to requesting internal CA-signed SSL certs. I got them created, converted them to PEM format, uploaded the 1st cert, and it looked OK; then I did the 2nd node, checked it and it looked OK. I then checked the 1st node, which reported an error and said it had the same SSL cert as the 2nd node.
Now I need to check, as the documentation doesn't seem to say this and I don't see anything on the web that is clear either.
For a vROps environment, is the SSL certificate the same SSL certificate for each and every node?
If so, do I need to create a single SSL cert and put a subjectAltName for each node into the cert request?
i.e. do I need to put a section like this into my openssl.cnf
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = vropsnode1.internal.domain
DNS.2 = vropsnode2.internal.domain
DNS.3 = vropsnode3.internal.domain
DNS.4 = vropsnode4.internal.domain
DNS.5 = vropsnode5.internal.domain
DNS.6 = vropsnode6.internal.domain
DNS.7 = vropsnode7.internal.domain
DNS.8 = vropsnode8.internal.domain
IP.1 = 192.168.1.1
IP.2 = 192.168.1.2
IP.3 = 192.168.1.3
IP.4 = 192.168.1.4
IP.5 = 192.168.1.5
IP.6 = 192.168.1.6
IP.7 = 192.168.1.7
IP.8 = 192.168.1.8
cheers
John
Documentation really is poor in this area, but I got this from VMware: "A single certificate will be used by the web server on all nodes, so for this to work the certificate must be valid for all nodes. One way to make this happen is with multiple Subject Alternative Name (SAN) entries." So it looks like I'm on the right track.
Which is sort of weird, but it works as that says: when you look at the self-signed SSL certs they have different names (vc-ops-slice-1, vc-ops-slice-2, etc.), but once you upload an SSL cert the same cert is on all nodes.
Update: I've had an SSL cert generated with the subjectAltNames as in the example above, with FQDN and IPs for each node in the cluster, created the appropriate PEM file from this, and imported it. This works and the certificate is valid on all nodes, so that's the solution.
Also of impact is the issue that vROps registers itself to vCenter with the IP and not the FQDN, so the SSL cert needs the IP; but in my case it also causes connectivity issues from browsers due to our proxy settings, so this needs to be considered if it's needed...
John
I don't think the alternative names are necessary since the only one producing the Web-UI is the master node. As long as that has the correct cert, you should be set.
Thanks
After testing, yes, we did need to put in the Subject Alternative Names, as we are connecting to each node via the node name... The master node does replicate a single cert to each node, but I needed to use a Subject Alternative Name in the cert. It doesn't seem to need IP addresses though, although there are some issues with vROps using the IP even though it's supposed to use the FQDN in places.
John
You need the subject alt names for each node to prevent cert errors when you access the Admin UI (/admin) portals on each node. When you load the cert on the master node, it'll replicate to all other nodes within the Analytics cluster. Do not use IPs or short names in the subject alt names for the nodes, just use the FQDNs, since that's how you'll likely be referring to each node.
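As an added example (not code from any of the posters or from VMware), here is a POSIX shell script that builds the openssl.cnf SAN section described in this thread from a list of node FQDNs, generates a key and CSR from it, and then reads the CSR back to confirm that every node name actually landed in the Subject Alternative Name extension. Following the last reply, it emits DNS entries only, no IPs. The node names and file paths are hypothetical placeholders; the `openssl` commands are the standard `req` subcommand and its `-config`, `-noout` and `-text` options.

```shell
#!/bin/sh
# Added example: build a SAN-bearing OpenSSL request config for a vROps
# cluster, create a CSR from it, and verify the SAN list covers every node.
# Node names and paths below are hypothetical; substitute the real FQDNs.

# Writes an OpenSSL request config whose v3_req section lists one DNS SAN
# per node. $1 = output file, remaining args = node FQDNs (first = master).
write_san_config() {
    out="$1"; shift
    {
        printf '[ req ]\n'
        printf 'distinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\n'
        printf 'prompt = no\n'
        printf '[ req_distinguished_name ]\n'
        printf 'CN = %s\n' "$1"            # master node FQDN as the CN
        printf '[ v3_req ]\n'
        printf 'subjectAltName = @alt_names\n'
        printf '[ alt_names ]\n'
        i=1
        for node in "$@"; do               # DNS.1 = ..., DNS.2 = ..., etc.
            printf 'DNS.%d = %s\n' "$i" "$node"
            i=$((i + 1))
        done
    } > "$out"
}

# Counts the DNS SAN lines in a generated config (quick sanity check).
count_dns_sans() {
    grep -c '^DNS\.[0-9]* = ' "$1"
}

# Generates a 2048-bit RSA key plus CSR from the config, then checks that
# every node FQDN appears as a DNS entry in the CSR's SAN extension.
# Returns 0 if all nodes are covered, 1 otherwise. Requires openssl.
csr_covers_all_nodes() {
    cfg="$1"; shift
    key="${cfg%.cnf}.key"; csr="${cfg%.cnf}.csr"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -config "$cfg" >/dev/null 2>&1 || return 1
    # The SAN values are printed on the line after the extension header.
    sans=$(openssl req -in "$csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1)
    for node in "$@"; do
        case "$sans" in
            *"DNS:$node"*) ;;
            *) echo "missing SAN: $node" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage with hypothetical node names; work in a temp dir so nothing is
# left behind, and skip entirely when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    write_san_config "$work/vrops.cnf" \
        vropsnode1.internal.domain vropsnode2.internal.domain
    csr_covers_all_nodes "$work/vrops.cnf" \
        vropsnode1.internal.domain vropsnode2.internal.domain \
        && echo "CSR covers all nodes"
    rm -rf "$work"
fi
```

Run the same SAN check against the signed certificate the CA hands back (`openssl x509 -in cert.pem -noout -text`) before uploading it to the master node: if the CA dropped or rewrote the requested SANs, the replicated cert will fail on every node except the one whose name matches the CN.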