Configuring Custom TLS Certificates
By default, Anyware Manager is deployed using self-signed TLS certificates. We recommend using a custom TLS certificate when running Anyware Manager in production, and renewing and maintaining these certificates as required. Anyware Manager supports X.509 certificates in PEM format. The certificate file must contain only a single certificate; a CA bundle is not supported. The TLS key must not be password protected.
To configure Anyware Manager to use custom TLS certificates, or to update Anyware Manager to use a new TLS certificate, follow the steps outlined below:
- Create a file called tls-config.json with the following contents:

{
  "tls-key-file": "<path to a file containing your TLS certificate key>",
  "tls-cert-file": "<path to a file containing your TLS certificate>"
}

- Update the TLS configuration by running the following command:

sudo /usr/local/bin/anyware-manager configure --config-file tls-config.json

This command updates the Anyware Manager services automatically.
Internal TLS Certificates
When you are using internal MongoDB and Vault for data storage, the installer also generates a set of self-signed TLS certificates that are used to encrypt internal communication within Anyware Manager. By default these certificates expire 2 years after they are generated.
To ensure that Anyware Manager uptime is not interrupted unexpectedly, it is important that these certificates do not expire. This can be done by:
- Upgrading Anyware Manager regularly. These certificates are regenerated by the installer during the upgrade process if they are close to expiring, so upgrading at a regular cadence (e.g., once or twice a year) ensures everything remains operational.
- If you do not want to upgrade Anyware Manager and only want to use a version that you have qualified yourself, and that may exceed the TLS certificates expiration time, you can either:
- Periodically re-deploy the Anyware Manager instance you are running so that new certificates are generated regularly.
- Run the command to re-generate certificates periodically. See Internal Certificate Generation below for steps on how to do this.
- Monitor when the certificates are going to expire and plan to regenerate them beforehand. You can do this either by running the Anyware Manager diagnose command or by checking the Anyware Manager health probe's logs. Run the following command to generate this health check:

/usr/local/bin/anyware-manager diagnose --health

This health check assesses the Mongo Database and Vault connections. A warning message is logged if the certificates are close to expiring and an error is logged if they have expired. For example:

Secret Provider type is Vault
Vault certificate is valid from Tue Aug 17 19:35:42 2021 until Sat Sep 18 19:35:42 2021
Vault status - Initialized: True, Sealed: False
Vault is healthy
MongoDB certificate is valid from Tue Aug 17 19:35:42 2021 until Sat Sep 18 19:35:42 2021
MongoDB is healthy
Manager is healthy

In order to check the logs for the Anyware Manager health probe, run:

/usr/local/bin/kubectl get jobs -o jsonpath='{.items[?(@.spec.template.metadata.labels.name=="manager-health-probe")].metadata.name}' --sort-by=.metadata.creationTimestamp | rev | cut -d' ' -f 1 | rev | xargs -I % /usr/local/bin/kubectl logs jobs/%

This command returns the last completed Anyware Manager health probe's logs and states when the certificates are expiring. For example:

... INFO .. Connections:
INFO .... MongoDB=Healthy
WARN ...... Mongo Certificate Valid From=2021-08-17 19:35:42 Mongo Certificate Valid Until=2021-09-18 19:35:42
INFO .... vault=Healthy
WARN ...... Vault Certificate Valid From=2021-08-17 19:35:42 Vault Certificate Valid Until=2021-09-18 19:35:42
...

These commands show the expiration date for the Mongo Database and Vault certificates in both the default MongoDB/Vault mode and the external MongoDB/Vault mode. For external MongoDB/Vault modes, you need to change the certificates on the external instances yourself, since Anyware Manager does not have the necessary permissions or functionality to do that for you.
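As an added example (not part of the Anyware Manager documentation or product), the following Python script checks the two constraints on the files referenced by tls-config.json stated above (exactly one certificate, no password on the key) and parses the health-probe log format shown above to flag internal certificates that are expiring. The regex patterns, the PEM samples and the 30-day warning threshold are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample inputs (not real key material): a cert file that wrongly
# contains a CA bundle (two certificates) and a password-protected key.
SAMPLE_CERT_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-SERVER-CERT\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA-CERT\n-----END CERTIFICATE-----\n"
)
SAMPLE_ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n"

CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----")
# PKCS#8 encrypted keys and legacy PEM keys with a Proc-Type encryption header.
ENCRYPTED_KEY = re.compile(r"BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

def check_pem_files(key_pem: str, cert_pem: str) -> list:
    """Return the problems that would make tls-config.json unusable (empty list = OK)."""
    problems = []
    n_certs = len(CERT_BLOCK.findall(cert_pem))
    if n_certs != 1:
        problems.append(f"cert file must hold exactly one certificate, found {n_certs}")
    if ENCRYPTED_KEY.search(key_pem):
        problems.append("key is password protected; an unencrypted key is required")
    elif not PRIVATE_KEY.search(key_pem):
        problems.append("key file does not contain a PEM private key")
    return problems

# Health-probe log lines in the format documented above (constructed sample).
SAMPLE_PROBE_LOG = [
    "INFO .... MongoDB=Healthy",
    "WARN ...... Mongo Certificate Valid From=2021-08-17 19:35:42 Mongo Certificate Valid Until=2021-09-18 19:35:42",
    "INFO .... vault=Healthy",
    "WARN ...... Vault Certificate Valid From=2021-08-17 19:35:42 Vault Certificate Valid Until=2021-09-18 19:35:42",
]
VALID_UNTIL = re.compile(r"(\w+) Certificate Valid Until=(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

def certificate_status(log_lines, now: datetime, warn_days: int = 30) -> dict:
    """Map each internal certificate (Mongo, Vault) to OK / WARN / EXPIRED relative to `now`."""
    status = {}
    for line in log_lines:
        for name, until in VALID_UNTIL.findall(line):
            expires = datetime.strptime(until, "%Y-%m-%d %H:%M:%S")
            if expires <= now:
                status[name] = "EXPIRED"
            elif expires - now <= timedelta(days=warn_days):
                status[name] = "WARN"
            else:
                status[name] = "OK"
    return status
```

Feed `certificate_status` the output of the kubectl command above (one string per line) and `datetime.now()` to get a per-component verdict you can alert on before the 2-year expiry is reached.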
Internal Certificate Generation
If the certificates have expired or are about to expire, and you do not wish to upgrade your Anyware Manager instance, you can regenerate the internal certificates by running the following command:
/usr/local/bin/anyware-manager configure --generate-certs