Solved: Re: Replacing App Volumes Manager SSL

vishalchand · ‎01-12-2016

AppVolume version Version: 2.10.0.1412

Did anyone successfully replaced the SSL certificate for Appvolume manager? I have followed the KB article Replacing App Volumes Manager SSL Certificate (2095969) for creating CSR cert, restarted the manager service but still defaults to old cert.

Thanks in Advance...

Ray_handels · ‎01-13-2016

Ah yeah, the certificate issue .

I cant open the link you provided (KB of vmware offline again) but I believe they state that you need to create your own certificate files (.crt file and .key fiole right?) and replace the original svserver.crt and .key file right?

Unfortenately that isn't enough. Apparently they now keep on using the appvol_self_vmware.com.crt and .key file. You also need to replace these files with your newly created certificate and your good to go.

Also, restart the server, not only the service, we found out that this works better.

View solution in original post

Ray_handels · ‎01-13-2016

Ah yeah, the certificate issue .

I cant open the link you provided (KB of vmware offline again) but I believe they state that you need to create your own certificate files (.crt file and .key fiole right?) and replace the original svserver.crt and .key file right?

Unfortenately that isn't enough. Apparently they now keep on using the appvol_self_vmware.com.crt and .key file. You also need to replace these files with your newly created certificate and your good to go.

Also, restart the server, not only the service, we found out that this works better.

vishalchand · ‎01-13-2016

that works.... thanks for speedy response. The original svserver.crt and .key were found at two location as per below including replacing appvol_self_vmware.com.crt and .key file to make it work. C:\Program Files (x86)\CloudVolumes\Manager\nginx_proxy\conf C\Program Files (x86)\CloudVolumes\Manager\nginx\conf

solgaeDK · ‎01-15-2016

The real problem is, VMware App Volumes team seem to have forgotten to update their nginx.conf file to point to the certificate files that VMware KB says to replace. I logged a feedback about it on their KB article when I noticed it at version 2.6, but no change yet as of 2.10.

The nginx.conf for App Volumes Manager server points to the appvol_self_vmware.com.crt and appvol_self_vmware.com.key to read in the SSL certificate, which means replacing svserver.crt and svserver.key files is meaningless.

To tell the App Volumes service to use the appropriate certificate files, you need to edit the nginx.conf file in C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf directory (assuming default install location). Browse down until you find the entry like this:

server {

server_name 0.0.0.0;

listen 443;

ssl on;

ssl_certificate appvol_self_vmware.com.crt;

ssl_certificate_key appvol_self_vmware.com.key;

ssl_session_timeout 5m;

root ../public;

rewrite ^/(.*)/$ /$1 permanent;

Change the ssl_certificate and ssl_certificate_key to svserver.crt and svserver.key respectively so it looks like this:

server {

server_name 0.0.0.0;

listen 443;

ssl on;

ssl_certificate svserver.crt;

ssl_certificate_key svserver.key;

ssl_session_timeout 5m;

root ../public;

rewrite ^/(.*)/$ /$1 permanent;

Restart App Volumes service thru Services MMC and App Volumes server will now use the appropriate certificate files.

Of course, replacing appvol_self_vmware.com.crt and appvol_self_vmware.com.key files with your own cert works too, but I don't like the naming scheme of the files.

Once you replaced the cert and restarted the service, remember to update the agent config on the registry to use SSL according to VMware KB: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=209158...

BTW, upgrading App Volumes version means uninstalling the existing version, which will blow away the certificate files. Make sure to back up those files before uninstalling, or you'll have to re-generate the cert and the associated private key once you install the new version.

AlBalushi · ‎03-23-2016

Hi all

i was following the steps but it seems that not working , any workaround for this issue with replacing App Volume manager SSL

Regards

SB.Mohammed

Ray_handels · ‎03-24-2016

Have you restarted the server after changing the certificates? And what kind of certificate do you see when connecting to the Manager website? Do you still see the Appvolumes self signed certificate or do you see your own certificate?

Keep in mind to change both certificates.

AlBalushi · ‎03-24-2016

Hi,

Yes replaced both certificates and services are restarted as well. When the URL is entered in the browser it does not simply respond and when we see the errors in the log files we can see following.

2016/03/23 12:30:27 [emerg] 4496#5244: PEM_read_bio_X509_AUX("C:\Program Files (x86)\CloudVolumes\Manager\nginx/conf/appvol_self_vmware.com.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

2016/03/23 12:30:59 [emerg] 2584#3172: PEM_read_bio_X509_AUX("C:\Program Files (x86)\CloudVolumes\Manager\nginx/conf/appvol_self_vmware.com.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

2016/03/23 12:31:32 [emerg] 5924#4828: PEM_read_bio_X509_AUX("C:\Program Files (x86)\CloudVolumes\Manager\nginx/conf/appvol_self_vmware.com.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

Ray_handels · ‎03-24-2016

Did you create self signed certificates?? It seems as if these certificates aren't trusted..

AlBalushi · ‎03-24-2016

Hi all

we had sorted this issue with certificate very long a way i will document the same for future references ,will share the here

Regards

SB.Mohammed

All

Replacing App Volumes Manager SSL