Pivotal Knowledge Base

How To Regenerate the Bosh Director SSL Certificate

Environment

 Product: Pivotal Cloud Foundry® (PCF)
 Version: All Versions

Purpose

You may need to regenerate the Bosh Director SSL certificate for a variety of reasons, including but not limited to:

  • Your private key has been compromised, so you need to regenerate a new one to preserve security.
  • Your private key has expired, so you need to create a new one.
  • The content of your SSL certificate needs to change; for example, you now have a new DNS name or reserved IP address that must appear in the newly generated certificate.
  • You need to rotate your SSL Certificate or Private key periodically to preserve security.

To regenerate the Bosh Director SSL certificate that is installed with Bosh, follow the instructions below.

Instructions

From a terminal window that is ssh'd into the Ops Manager VM, perform the following:

  1. Run uaac target https://<opsmanagerurl>/uaa to specify your UAA CLI target (Your Ops Man UAA).
  2. Run uaac token owner get to authenticate and get your token so it can be used by UAAC.
  3. Enter the following when prompted:
  • Client ID: opsman
  • Client secret: <Leave Blank>
  • User name: <Username to log into OpsManager>
  • Password: <Password to log into OpsManager>

Alternatively, if Ops Manager has been configured with SAML, perform the following:

  1. Run uaac target https://<opsmanagerurl>/uaa to specify your UAA CLI target (Your Ops Man UAA).
  2. Run uaac token sso get to authenticate and get your token from your SSO service so it can be used by the UAAC.
  3. Enter the following when prompted:
  • Client ID: opsman
  • Client secret: <Leave Blank>
  • Passcode: <https://<opsmanagerurl>/uaa/passcode>
  • Open the link above with your Ops Manager URL inserted and then, paste the passcode into the terminal.

If successful, you will get a message stating: Successfully fetched token via owner password grant

After getting the success message, perform the following:

  1. Run uaac context to display the users and the applications authorized by the UAA server, and the permissions granted to each user and application.
  2. Copy the access token listed under the access_token for client_id: opsman
  3. Run curl "https://<opsmanagerurl>/api/installation_settings" -X GET -H "Authorization: Bearer <ACCESS_TOKEN>"
  4. Copy the output of the GET request into a file and open it for editing. The easiest way is to append > settings.txt to the curl command.
  5. In the file you just created, find the key director_ssl and delete the whole section. It will look similar to this:
    "director_ssl": {
      "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n",
      "cert_pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
    },
  6. After deleting everything from "director_ssl": through the closing \n-----END CERTIFICATE-----\n" }, save the file.
  7. Run curl "https://<opsmanagerurl>/api/installation_settings" -X POST -H "Authorization: Bearer <ACCESS_TOKEN>" -F installation[file]=@path/to/file
  8. Be sure to include the @ before the path so that curl uploads the contents of the file (now without director_ssl) rather than sending the path as a literal value.
  9. If successful, the API will return {}
  10. Navigate into OpsManager UI and confirm that there are “Pending Changes” on the Bosh Director.
  11. Click “Apply Changes”
  12. Your certificate will now be regenerated. 
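
As an added example, not part of the original article: a Python helper that performs steps 5 and 6 on the parsed JSON instead of by hand, removing the director_ssl section wherever it appears and reporting any members that still carry PEM material before the file is POSTed back. The surrounding keys in the sample settings are constructed placeholders; the real export's layout may differ.

```python
import json

# The article deletes "director_ssl"; callers can pass further section names.
DEFAULT_SSL_KEYS = ("director_ssl",)


def strip_ssl_sections(settings_text, keys=DEFAULT_SSL_KEYS):
    """Remove every object member named in `keys`, wherever it sits in the
    settings JSON. Returns (cleaned_json_text, leftover_pem_members): the
    second item names members that still hold PEM material, so you can
    confirm nothing was missed before POSTing the file back."""
    doc = json.loads(settings_text)
    targets, leftover = set(keys), []

    def prune(node):
        if isinstance(node, dict):
            for k in list(node):
                if k in targets:
                    del node[k]  # drop the whole section, PEM blocks included
                elif isinstance(node[k], str) and "-----BEGIN" in node[k]:
                    leftover.append(k)
                else:
                    prune(node[k])
        elif isinstance(node, list):
            for item in node:
                prune(item)

    prune(doc)
    # Re-serialising the parsed tree keeps the file valid JSON; a hand edit
    # can leave a dangling comma or a half-deleted PEM string behind.
    return json.dumps(doc, indent=2), leftover


# Constructed sample standing in for the exported settings file; the
# surrounding keys are placeholders, not Ops Manager's real schema.
SAMPLE_SETTINGS = json.dumps({
    "products": [{
        "identifier": "placeholder-director",
        "director_ssl": {
            "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n",
            "cert_pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
        },
        "uaa_ssl": {"cert_pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"},
        "other_setting": "kept",
    }],
})

if __name__ == "__main__":
    cleaned, leftover = strip_ssl_sections(SAMPLE_SETTINGS)
    print(cleaned)
    print("members still holding PEM data:", leftover)  # ['cert_pem'] (from uaa_ssl)
```

Passing ("director_ssl", "uaa_ssl") as keys removes both sections in one pass and leaves the leftover list empty.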

Additional Information

  • When running uaac target, you may need to use the --skip-ssl-validation flag.
  • When running curl "https://<opsmanagerurl>/api/installation_settings" -X GET -H "Authorization: Bearer <ACCESS_TOKEN>", you may need to use the -k flag.

Comments

  • Muni Chada

    Similar steps to be followed from steps 5 - 7 for uaa_ssl in addition to director_ssl.

Powered by Zendesk