Configuring Custom TLS Certificates

By default, Anyware Manager is deployed using self-signed TLS certificates. We recommend using a custom TLS certificate when running Anyware Manager in production, and you should renew and maintain these certificates as required. Anyware Manager supports X.509 certificates in PEM format. The certificate file must contain only a single certificate; CA bundles are not supported. The TLS key must not be password-protected.

To configure Anyware Manager to use custom TLS certificates, or to update Anyware Manager to use a new TLS certificate, follow the steps outlined below:

  1. Create a file called tls-config.json with the following contents:
    {
      "tls-key-file": "<path to a file containing your TLS certificate key>",
      "tls-cert-file": "<path to a file containing your TLS certificate>"
    }
    
  2. Update the TLS configuration by running the following command:
    sudo /usr/local/bin/anyware-manager configure --config-file tls-config.json
    
    This command updates the Anyware Manager services automatically.
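The following pre-flight check is an added illustration, not part of Anyware Manager: it inspects the PEM files for the requirements stated above (exactly one certificate, no CA bundle, no password-protected key) and renders the tls-config.json body. It does not verify that the key matches the certificate; the PEM samples are constructed with placeholder bodies.

```python
"""Pre-flight check for Anyware Manager custom TLS input files (added example)."""
import json
import re

# A PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_labels(text):
    """Return the labels (e.g. 'CERTIFICATE', 'PRIVATE KEY') of all PEM blocks in text."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_tls_pair(cert_pem, key_pem):
    """Return a list of problems; an empty list means the pair meets the stated rules."""
    problems = []
    cert_labels = pem_labels(cert_pem)
    n_certs = cert_labels.count("CERTIFICATE")
    if n_certs == 0:
        problems.append("certificate file contains no PEM certificate")
    elif n_certs > 1 or len(cert_labels) > 1:
        # A leaf plus intermediates/root in one file is a CA bundle, which is not supported
        problems.append("certificate file must contain exactly one certificate (no CA bundle)")
    key_labels = pem_labels(key_pem)
    if not any(label.endswith("PRIVATE KEY") for label in key_labels):
        problems.append("key file contains no PEM private key")
    # PKCS#8 encrypted keys use their own label; legacy PEM keys carry a Proc-Type header
    if "ENCRYPTED PRIVATE KEY" in key_labels or "Proc-Type: 4,ENCRYPTED" in key_pem:
        problems.append("key must not be password-protected")
    return problems


def tls_config_json(key_path, cert_path):
    """Render the tls-config.json body consumed by 'anyware-manager configure'."""
    return json.dumps({"tls-key-file": key_path, "tls-cert-file": cert_path}, indent=2)


# Constructed sample PEM text with placeholder bodies (not real key material)
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = SAMPLE_CERT * 2  # leaf + CA certificate in one file: rejected
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
SAMPLE_ENC_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...placeholder...\n"
                  "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, cert, key in (("good", SAMPLE_CERT, SAMPLE_KEY),
                            ("bundle", SAMPLE_BUNDLE, SAMPLE_KEY),
                            ("encrypted", SAMPLE_CERT, SAMPLE_ENC_KEY)):
        print(name, check_tls_pair(cert, key) or "OK")
    print(tls_config_json("/etc/anyware/tls.key", "/etc/anyware/tls.crt"))  # hypothetical paths
```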

Internal TLS Certificates

When you use the internal MongoDB and Vault for data storage, the installer also generates a set of self-signed TLS certificates that encrypt Anyware Manager's internal communication. By default these certificates expire 2 years after they are generated.

To ensure that Anyware Manager uptime is not interrupted unexpectedly, it is important that these certificates do not expire. This can be done by:

  • Upgrading Anyware Manager regularly. The installer regenerates these certificates during the upgrade process if they are close to expiring, so upgrading at a regular cadence (e.g., once or twice a year) keeps everything operational.
  • If you do not want to upgrade Anyware Manager and only want to use a version that you have qualified yourself, and that version may stay in service beyond the TLS certificates' expiration time, you can either:
    • Periodically re-deploy the Anyware Manager instance you are running so that new certificates are generated regularly.
    • Run the command to re-generate certificates periodically. See Internal Certificate Generation below for steps on how to do this.
  • Monitoring when the certificates are going to expire and planning to regenerate them beforehand. You can do this either by running the Anyware Manager diagnose command or by checking the Anyware Manager health probe's logs. Run the following command to perform this health check:
    /usr/local/bin/anyware-manager diagnose --health
    
    This health check assesses the MongoDB and Vault connections. A warning message is logged if the certificates are close to expiring, and an error is logged if they have expired. For example:
    ...
    INFO .. Connections:
    INFO .... MongoDB=Healthy
    WARN ...... Mongo Certificate Valid From=2021-08-17 19:35:42 Mongo Certificate Valid Until=2021-09-18 19:35:42
    INFO .... vault=Healthy
    WARN ...... Vault Certificate Valid From=2021-08-17 19:35:42 Vault Certificate Valid Until=2021-09-18 19:35:42
    ...
    
    To check the logs of the Anyware Manager health probe, run:
    /usr/local/bin/kubectl get jobs -o jsonpath='{.items[?(@.spec.template.metadata.labels.name=="manager-health-probe")].metadata.name}' --sort-by=.metadata.creationTimestamp | rev | cut -d' ' -f 1 | rev | xargs -I % /usr/local/bin/kubectl logs jobs/%
    
    This command returns the last completed Anyware Manager health probe's logs and states when the certificates are expiring. For example:
    Secret Provider type is Vault
    Vault certificate is valid from Tue Aug 17 19:35:42 2021 until Sat Sep 18 19:35:42 2021
    Vault status - Initialized: True, Sealed: False
    Vault is healthy
    MongoDB certificate is valid from Tue Aug 17 19:35:42 2021 until Sat Sep 18 19:35:42 2021
    MongoDB is healthy
    Manager is healthy
    
    These commands show the expiration dates of the MongoDB and Vault certificates in both the default (internal) MongoDB/Vault mode and the external MongoDB/Vault mode. In external MongoDB/Vault modes you must change the certificates on the external instances yourself, since Anyware Manager does not have the permissions or functionality to do that for you.
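As an added monitoring example (not part of Anyware Manager), the function below parses the certificate validity lines in both formats shown above, the diagnose --health output and the health probe log, and reports how many days remain per component; the warning threshold of 30 days is an assumption, and the sample lines are constructed from the output shown above.

```python
"""Days-to-expiry check over Anyware Manager certificate validity lines (added example)."""
import re
from datetime import datetime

# diagnose --health: "... Mongo Certificate Valid From=2021-08-17 19:35:42 Mongo Certificate Valid Until=2021-09-18 19:35:42"
DIAGNOSE_RE = re.compile(r"(\w+) Certificate Valid From=(\S+ \S+) \w+ Certificate Valid Until=(\S+ \S+)")
# health probe log: "Vault certificate is valid from Tue Aug 17 19:35:42 2021 until Sat Sep 18 19:35:42 2021"
PROBE_RE = re.compile(r"(\w+) certificate is valid from (.+?) until (.+)$")


def parse_validity(line):
    """Return (component, valid_from, valid_until) or None when the line is not a validity line."""
    m = DIAGNOSE_RE.search(line)
    if m:
        fmt = "%Y-%m-%d %H:%M:%S"
        return m.group(1), datetime.strptime(m.group(2), fmt), datetime.strptime(m.group(3), fmt)
    m = PROBE_RE.search(line.rstrip())
    if m:
        fmt = "%a %b %d %H:%M:%S %Y"
        return m.group(1), datetime.strptime(m.group(2), fmt), datetime.strptime(m.group(3), fmt)
    return None


def cert_status(lines, now, warn_days=30):
    """Map component -> (days_remaining, 'OK' | 'WARN' | 'EXPIRED'); now may be a datetime or 'YYYY-MM-DD HH:MM:SS'."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    status = {}
    for line in lines:
        parsed = parse_validity(line)
        if parsed is None:
            continue  # health/status lines without validity data are skipped
        component, _, until = parsed
        days = (until - now).days
        state = "EXPIRED" if until <= now else ("WARN" if days < warn_days else "OK")
        status[component] = (days, state)
    return status


# Constructed sample lines, copied from the two output formats shown above
SAMPLE_LINES = [
    "INFO .... MongoDB=Healthy",
    "WARN ...... Mongo Certificate Valid From=2021-08-17 19:35:42 Mongo Certificate Valid Until=2021-09-18 19:35:42",
    "Vault certificate is valid from Tue Aug 17 19:35:42 2021 until Sat Sep 18 19:35:42 2021",
    "Vault is healthy",
]

if __name__ == "__main__":
    for component, (days, state) in cert_status(SAMPLE_LINES, "2021-09-01 00:00:00").items():
        print(f"{component}: {state} ({days} days remaining)")
```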

Internal Certificate Generation

In the case where the certificate has expired or is about to expire, and you do not wish to upgrade your Anyware Manager instance, you can generate internal certificates by running the following command:

/usr/local/bin/anyware-manager configure --generate-certs

Once you have run this command, check the output of the diagnostics health command or the Anyware Manager health probe as shown in point 3 above. Note that this only updates the certificates within Anyware Manager: if you are using an external MongoDB and/or external Vault with TLS enabled, this command does not affect the external database's or Vault's certificates.