
How to configure SSL for Control Center and Zenoss 5.x to prevent browser untrusted connection error

Notice

An updated version of the instructions below has been integrated into the main Resource Manager documentation, here. Please update your bookmarks accordingly.

This KB is being left in place for reference but should be considered out-of-date.

Applies To

  • Zenoss 5.x
  • Control Center 1.x

Summary

Depending on browser security settings, users connecting to a Control Center or Resource Manager instance may encounter warning messages stating that the site's identity cannot be verified. Some browsers generate these warnings when a web server presents a self-signed certificate while establishing an SSL connection. This KB describes how to configure Control Center 1.0.6 and Zenoss 5.x to use a digitally signed certificate after the Zenoss administrator has procured one.

Procedure

Perform the following to enable/configure the Zenoss host for SSL:

  1. Procure a new certificate for the Control Center hostname.

    Note: The complete certificate bundle is required, including the CAs necessary to validate the certificate.

  2. Copy the new certificate to the Control Center host.
  3. Edit the serviced file, for example:

    $ vi /etc/default/serviced

  4. Search for and change the following lines in the file to add your path information.

    Note: If the lines do not exist, append them to the bottom of the file.

    SERVICED_KEY_FILE=/path/to/keyfile
    SERVICED_CERT_FILE=/path/to/certfile

  5. Save the file and exit the editor.
  6. Reload serviced. For example:

    sudo systemctl reload serviced

NOTES: 

  • If a valid certificate is needed for each individual endpoint, for example, zenoss5.[host], a wildcard certificate is required. If wildcard certificates are not permissible in your environment, upgrading to Control Center 1.1.1 enables use of port-based virtual hosts instead of unique endpoint host names.

  • Zenoss supports SAN (Subject Alternative Name) certificates in addition to wildcard certificates.

  • If your end users access the user interface via a reverse proxy, the reverse proxy may provide the browser with its own SSL certificate. In that case, contact Zenoss Support for additional assistance.
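
A pre-flight check to run on the key and certificate bundle before the serviced reload in step 6, as an added example that is not part of the original KB or of Zenoss tooling: it confirms that the key matches the leaf certificate, that the bundle chains to a trusted root, and that the SAN or wildcard entries cover the endpoint hostname. The function names, the hostnames and the `make_sample` test chain are constructed; it assumes a PEM bundle with the leaf certificate first, an unencrypted key, and the `openssl` CLI.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the files that SERVICED_KEY_FILE and
# SERVICED_CERT_FILE will name. Hostnames and the sample chain are constructed.

# The private key must belong to the first (leaf) certificate in the bundle.
key_matches_cert() {            # $1 = key file, $2 = certificate bundle
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# The bundle must carry every intermediate needed to reach the trusted root.
chain_verifies() {              # $1 = certificate bundle, $2 = trusted root
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# The leaf must cover the name users type, via a SAN or wildcard entry.
covers_host() {                 # $1 = certificate bundle, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Usage: preflight KEY BUNDLE TRUSTED_ROOT HOSTNAME
preflight() {
  key_matches_cert "$1" "$2" || { echo "key does not match leaf certificate" >&2; return 1; }
  chain_verifies "$2" "$3"   || { echo "bundle does not chain to trusted root" >&2; return 1; }
  covers_host "$2" "$4"      || { echo "certificate does not cover $4" >&2; return 1; }
  echo "ok: $1 and $2 are consistent for $4"
}

# Constructed fixture: root -> intermediate -> leaf chain (plus an unrelated key) in $1.
make_sample() {
  local d=$1 n
  printf '[ca]\nbasicConstraints=critical,CA:TRUE\n[leaf]\nsubjectAltName=DNS:cc.example.test,DNS:*.cc.example.test\n' >"$d/ext"
  for n in root inter leaf other; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=constructed-$n" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -extfile "$d/ext" -extensions ca -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -days 2 -extfile "$d/ext" -extensions ca -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial -days 2 -extfile "$d/ext" -extensions leaf -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/inter.pem" >"$d/bundle.pem"
}
```

In the constructed chain, `leaf.pem` on its own fails `chain_verifies` while `bundle.pem` passes, which is the failure the bundle note in step 1 guards against.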