Data Domain - How do I replace the DD Boost Certificate? (Reposted to Data Domain Community)
I am testing with DDVE 7.12.0.0-1053185 and I am following the procedure given here to replace the DD Boost certificate, but it isn't working for me.
I have managed to replace the management UI certificate without any issue.
The new DD Boost certificate is accepted and shows in the UI, but when I query the certificate details on https port 3009, I still get the default 'Valued Datadomain Customer' certificate returned even after waiting 30 mins (and even after a DDVE appliance reboot).
C:\Source\TestSSLServer>TestSSLServer2.exe 10.1.1.29 3009
Connection: 10.1.1.29:3009
SNI: 10.1.1.29
TLSv1.2:
server selection: uses client preferences
3f- (key: RSA) DHE_RSA_WITH_AES_128_GCM_SHA256
3f- (key: RSA) DHE_RSA_WITH_AES_256_GCM_SHA384
3f- (key: RSA) ECDHE_RSA_WITH_AES_128_GCM_SHA256
3f- (key: RSA) ECDHE_RSA_WITH_AES_256_GCM_SHA384
=========================================
+++++ SSLv3/TLS: 1 certificate chain(s)
+++ chain: length=2
names match: yes
includes root: yes
signature hash(es): SHA-256
+ certificate order: 0
thumprint: 1FBA6126DC9B36A67E9631433A89768B752099B7
serial: 02
subject: CN=mc-ddve-v-202.momusconsulting.com,O=Valued DataDomain customer,ST=CA,C=US
issuer: CN=mc-ddve-v-202.momusconsulting.com,O=Valued Datadomain Customer,L=Santa Clara,ST=CA,C=US
valid from: 2023-07-13 14:10:41 UTC
valid to: 2024-08-12 14:10:41 UTC
key type: RSA
key size: 2048
sign hash: SHA-256
server names: mc-ddve-v-202.momusconsulting.com
+ certificate order: 1
thumprint: C4A8C40237B61D512344FECAE8BE4ED9B65B212D
serial: 00
subject: CN=mc-ddve-v-202.momusconsulting.com,O=Valued Datadomain Customer,L=Santa Clara,ST=CA,C=US
issuer: CN=mc-ddve-v-202.momusconsulting.com,O=Valued Datadomain Customer,L=Santa Clara,ST=CA,C=US
valid from: 2022-08-13 14:10:40 UTC
valid to: 2028-08-11 14:10:40 UTC
key type: RSA
key size: 2048
sign hash: SHA-256 (self-issued)
=========================================
Server compression support: no
Server sends a random system time.
Secure renegotiation support: yes
Encrypt-then-MAC support (RFC 7366): no
SSLv2 ClientHello format (for SSLv3+): yes
Minimum DH size: 2048
DH parameter reuse: no
Minimum EC size (no extension): 256
Minimum EC size (with extension): 256
ECDH parameter reuse: no
Supported curves (size and name) ('*' = selected by server):
* 256 secp256r1 (P-256)
=========================================
No warning.
I am testing this in a lab environment, so I do not have any support entitlement and cannot open a case.
Any thoughts or suggestions will be appreciated.
Cheers
M
mc1903
September 27th, 2023 08:10
Solved.
1) the leaf certificate needs both ‘Server Authentication’ & ‘Client Authentication’ Extended Key Usage set. (I was missing Client Auth initially - this is OK for https, but not ddboost)
2) scp the certificates (leaf & CA's) into /ddr/var/certificates/
3) use the command line adminaccess certificate import to add the certificates (leaf & CA's) as system-management, https and ddboost.
4) if you don't add the leaf & CA certs as system-management then the ddboost port 3009 still responds with the self-signed cert, despite having a valid enterprise signed certificate configured.
If anyone from the DDVE dev team is lurking, please improve the way the Web UI handles certificates in general, and especially kick back an error if a cert is missing a required Extended Key Usage setting. Also, your adminaccess certificate show command does not correctly return a 'Valid Until' date for my RootCA certificate, which expires in December 2050 - it reports it as Feb 2024.
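As an added example (not from this thread, Dell or the DDVE product), a bash pre-flight that checks the two things the solution above turns on: that the leaf carries both the serverAuth and clientAuth EKU before you import it, and that the certificate actually presented on port 3009 afterwards has the fingerprint of the leaf you imported rather than the built-in one. It assumes OpenSSL 1.1.1 or later on PATH; the host, file names and the throwaway test certificate it generates are constructed placeholders.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a DD Boost certificate swap, based on the thread's findings:
#  - the leaf must carry BOTH serverAuth and clientAuth EKU (https works without
#    clientAuth, ddboost does not);
#  - after import, the leaf served on port 3009 should have the same fingerprint
#    as the file you imported, otherwise the appliance still serves its default.
# Assumes openssl (1.1.1+) on PATH. Host, port and file names are placeholders.

# Return 0 if the PEM leaf has both EKUs, 1 if one is missing, 2 if unreadable.
check_ddboost_eku() {
    local pem=$1 text rc=0
    text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "$pem: missing EKU serverAuth" >&2; rc=1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' \
        || { echo "$pem: missing EKU clientAuth" >&2; rc=1; }
    return $rc
}

# SHA-1 fingerprint of a PEM cert as 40 bare hex digits (the same form as the
# "thumprint" TestSSLServer prints), so the two can be compared by eye.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Fingerprint of the leaf actually presented by host:port (3009 by default).
served_fingerprint() {
    openssl s_client -connect "$1:${2:-3009}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Constructed test input: a throwaway self-signed cert with the given EKU list,
# e.g. "serverAuth,clientAuth". Not a real DDVE certificate.
make_test_cert() {
    local out=$1 ekus=$2 dir
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/key.pem" -out "$out" \
        -subj "/CN=ddve-test.example.invalid/O=constructed" \
        -addext "extendedKeyUsage=$ekus" >/dev/null 2>&1
    rm -rf "$dir"
}

# Usage: ./ddboost_cert_check.sh leaf.pem ddve-host [port]
if [ $# -ge 2 ]; then
    check_ddboost_eku "$1" || exit 1
    want=$(pem_fingerprint "$1"); have=$(served_fingerprint "$2" "${3:-3009}")
    echo "imported: $want"; echo "served:   $have"
    [ "$want" = "$have" ] && echo "OK: port ${3:-3009} serves the imported leaf" \
        || { echo "MISMATCH: another cert is served (check the system-management import)"; exit 1; }
fi
```

Run it once before the import to catch a missing clientAuth EKU, and again afterwards against the appliance to confirm port 3009 no longer hands out the self-signed chain.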
bbeckers1
September 19th, 2023 19:53
What does it show when you connect to port 2049, which is the port used for ddboost connectivity (instead of DD management port 3009)?
mc1903
September 25th, 2023 12:49
Hi @bbeckers1
Thank you for your suggestion. I've just tested port 2049 and it does not respond with an SSL/TLS handshake.
C:\Source\TestSSLServer>TestSSLServer2.exe 10.1.1.29 2049
System.Exception: Could not initiate a handshake (not SSL/TLS?)
at FullTest.Run() in c:\Users\Administrator\Downloads\TestSSLServer-master\TestSSLServer-master\Src\FullTest.cs:line 426
at TestSSLServer.Process(String[] args) in c:\Users\Administrator\Downloads\TestSSLServer-master\TestSSLServer-master\Src\TestSSLServer.cs:line 286
at TestSSLServer.Main(String[] args) in c:\Users\Administrator\Downloads\TestSSLServer-master\TestSSLServer-master\Src\TestSSLServer.cs:line 52
C:\Source\TestSSLServer>
Do you have a DD/DDVE that responds with a certificate to an SSL/TLS request on port 2049, and/or have you been able to replace this cert on any of your DD/DDVEs with an enterprise CA signed one?
Cheers,
M