This post appeared originally in our sysadvent series and has been moved here following the discontinuation of the sysadvent microsite

When installing OpenShift, the default certificates that are being installed are self-certified. Although this gives you functional encryption, this is in no way best practice and is especially annoying for the route being exposed for the Hawkular metrics, which is integrated within the Web console.

Luckily there is a relatively easy (and did I mention it is free?) solution: use Let’s Encrypt as your certificate authority.

Installing Let’s Encrypt

Let’s Encrypt is an automated and open certificate authority (CA), run for the public’s benefit. The goal is to create a more secure and privacy-respecting web. Let’s Encrypt achieves automation by using software that uses the ACME protocol, which typically runs on your web host.

In this example we will use the Certbot ACME client. We have it installed from EPEL on our loadbalancer, which is running HAProxy, with:

yum -y install certbot

NOTE On RHEL you need to install python-pyOpenSSL from the OpenStack Cloud SIG to upgrade to a version of pyOpenSSL which is supported by Certbot.


Configure HAProxy for Let’s Encrypt

Adjust the configuration of HAProxy on the frontend loadbalancer by adding the following:

frontend atomic-openshift-http
  bind *:80
  acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
  use_backend letsencrypt if letsencrypt-request
  default_backend atomic-openshift-http

backend letsencrypt
  server letsencrypt 127.0.0.1:8080

And reload the updated configuration:

systemctl reload haproxy.service

This enables Certbot to answer the HTTP-01 challenges from Let’s Encrypt, thereby confirming our identity.

Requesting a certificate

We can now request a certificate from Let’s Encrypt by using:

certbot certonly --standalone --preferred-challenges http --http-01-port 8080 --http-01-address 127.0.0.1 -m admin@example.com -d ocp.example.com

If everything is configured correctly, you end up with a private key and the certificates under /etc/letsencrypt/live/ocp.example.com/:

/etc/letsencrypt/live/ocp.example.com/cert.pem
/etc/letsencrypt/live/ocp.example.com/privkey.pem
/etc/letsencrypt/live/ocp.example.com/chain.pem
/etc/letsencrypt/live/ocp.example.com/fullchain.pem

Certificate used by OpenShift API

We can now proceed to install and use the certificate from Let’s Encrypt for the OpenShift API. This is done by adding the following to your Ansible inventory file for OpenShift:

openshift_master_named_certificates=[{"certfile":"/etc/letsencrypt/live/ocp.example.com/fullchain.pem","keyfile":"/etc/letsencrypt/live/ocp.example.com/privkey.pem"}]
openshift_master_overwrite_named_certificates=true

and (re-)running the Ansible playbook to configure OpenShift, thereby installing the named certificate on your masters:

ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/config.yml

After this, you should no longer receive any warnings about an unknown certificate authority within your web-browser or from the oc command line interface.

Fixing the certificate for Hawkular metrics

Request the certificate for Hawkular metrics with:

certbot certonly --standalone --preferred-challenges http --http-01-port 8080 -m admin@example.com -d hawkular-metrics.cloudapps.example.com

Installation of the private key and the certificate chain from Let’s Encrypt into the hawkular-metrics deployment is done by using the following script:

#!/bin/bash -e

LINEAGE=${1:-/etc/letsencrypt/live/cloudapps.example.com}
PROJECT=${2:-openshift-infra}
ROUTE=${3:-hawkular-metrics}

update_tls() {
  type=${1}
  case ${type} in
    key)
      pem="${2}/privkey.pem"
    ;;
    certificate)
      pem="${2}/cert.pem"
    ;;
    caCertificate)
      pem="${2}/chain.pem"
    ;;
  esac
  oc="oc -n ${3}"
  res="routes/${4}"
  if ! diff -q ${pem} <(${oc} get ${res} --template '{{.spec.tls.'${type}'}}')
  then
    echo "Updating key from ${pem}..."
    ${oc} patch ${res} --patch "{\"spec\":{\"tls\":{\"${type}\":\"$(awk '{printf "%s\\n",$0}' ${pem})\"}}}"
  fi
}

update_tls key ${LINEAGE} ${PROJECT} ${ROUTE}
update_tls certificate ${LINEAGE} ${PROJECT} ${ROUTE}
update_tls caCertificate ${LINEAGE} ${PROJECT} ${ROUTE}

exit 0

Save this script as /usr/local/sbin/update-letsencrypt-certificate and make it executable:

chmod +x /usr/local/sbin/update-letsencrypt-certificate

Keeping the certificates fresh

Since Let’s Encrypt only offers certificates with a limited lifetime of ninety days, it is very important to automate the renewal of the certificates to prevent the use of expired (and therefore invalid) certificates.

To make sure renewals of certificates are requested from Let’s Encrypt, a systemd timer-unit is available. To enable this feature use:

systemctl enable --now certbot-renew.timer

Also make sure you add the endpoints using those certificates to your monitoring system to get notified in case there is a problem with the automated update procedure.

Updating the OpenShift certificates

Once certificates are renewed from Let’s Encrypt, Certbot has a deployment hook available to update a certificate within the components that use them. To utilize this hook for the certificates used in this example, install the following script as /etc/letsencrypt/renewal-hooks/deploy/openshift:

#!/bin/bash -e

for domain in ${RENEWED_DOMAINS}
do
  case ${domain} in
    ocp.example.com)
      ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-master-certificates.yml
    ;;
    hawkular-metrics.cloudapps.example.com)
      /usr/local/sbin/update-letsencrypt-certificate ${RENEWED_LINEAGE}
    ;;
  esac
done

exit 0

Remember to set the eXecutable bit on this script:

chmod +x /etc/letsencrypt/renewal-hooks/deploy/openshift

The wilcard certificate

As of this writing, support for wildcard certificates is not provided by Let’s Encrypt. This means that support for routes established using the DNS wildcard entry for OpenShift is currently not possible by following this procedure.

However, Let’s Encrypt has announced that they will include support for wildcard certificates from January 2018!

Finally

The above is just one way to fix the challenges of having proper certificates installed on your main OpenShift infrastructure, and is easily extended to include multiple components of an OpenShift installation. This is left as an exercise for the reader.

Pip Oomen

OpenShift Solution Manager at Redpill Linpro

Pip – aka. Pepijn for his Dutch countrymen – started in Redpill Linpro in 2012. He is a Red Hat Certified Instructor, Examiner and OpenShift Specialist and – as developer turned system-administrator – always looking for ways to 'Automate all the Things'."

The irony of insecure security software

It can probably be understood from my previous blog post that if it was up to me, I’d avoid products like CrowdStrike - but every now and then I still have to install something like that. It’s not the idea of “security software” per se that I’m against, it’s the actual implementation of many of those products. This post lists up some properties that should be fulfilled for me to happy to install such a product.

Free and ... [continue reading]

Thoughts on the CrowdStrike Outage

Published on July 23, 2024

Alarms made right

Published on June 27, 2024