Author: Madhan Gopalakrishnan | Published on: 11-02-202

By default, the Pacemaker Web UI (pcsd) serves HTTPS on port 2224 with a self-signed certificate, so browsers show a certificate warning. The connection is already encrypted; what the default lacks is a certificate that clients can verify. The warning goes away only when the certificate is issued by a CA the browser (and any automation that calls the pcsd API) already trusts, so a fresh self-signed certificate does not remove it unless you also import it into the client's trust store. This guide walks through replacing the default certificate with one you control.
1️⃣ Locate Default SSL Certificate Files
The certificate and key pcsd currently serves are stored in:
/etc/pcsd/pcsd.crt
/etc/pcsd/pcsd.key
The location varies with distribution and pcs version (RHEL-family packages keep them under /var/lib/pcsd/), so confirm where your pcsd actually reads them before overwriting anything, and keep a copy of the originals. To replace them you need a certificate whose subject alternative name (SAN) contains the host name you use to reach the node, plus its private key.
2️⃣ Obtain an SSL Certificate
You can use a certificate from a CA your clients already trust (a corporate or public CA), a Let’s Encrypt certificate, or, for lab use, a self-signed one.
🔹 Option 1: Use a CA-Signed SSL Certificate
If you have a certificate from a trusted Certificate Authority (CA), ensure you have:
- fullchain.pem → the server certificate followed by the intermediate certificates (the leaf certificate alone will fail chain validation in many clients).
- privkey.pem → the matching private key.
🔹 Option 2: Generate a Self-Signed Certificate
If you don’t have a CA-signed certificate, you can create a self-signed one. Browsers require the host name in a SAN extension (they ignore the CN), so set it explicitly. The command below writes straight over the default files, so back them up first:
sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -subj "/CN=your-cluster-node" -addext "subjectAltName=DNS:your-cluster-node" \
  -keyout /etc/pcsd/pcsd.key -out /etc/pcsd/pcsd.crt
Clients will still warn about this certificate until it is imported into their trust store; it only gives you a certificate with a known SAN and a lifetime you chose.
🔹 Option 3: Get a Free SSL Certificate from Let’s Encrypt
For a Let’s Encrypt certificate, install Certbot and obtain a certificate. The standalone HTTP-01 challenge needs the node name to resolve in public DNS and port 80 to be reachable from the Internet and free while Certbot runs; cluster nodes on private networks usually do not meet that, in which case use a DNS-01 challenge or an internal CA instead.
sudo dnf install -y certbot
sudo certbot certonly --standalone -d your-cluster-node
Certificates will be stored in:
/etc/letsencrypt/live/your-cluster-node/
3️⃣ Replace the Default SSL Certificate
Once you have a valid certificate, replace the existing pcsd certificate and key with your own. For Let’s Encrypt the files under /etc/letsencrypt/live/ are symlinks to the current version; cp follows them, so the copies hold the actual PEM data:
sudo cp /path/to/your/fullchain.pem /etc/pcsd/pcsd.crt
sudo cp /path/to/your/privkey.pem /etc/pcsd/pcsd.key
Ensure the correct file permissions, so the private key is never world-readable:
sudo chmod 600 /etc/pcsd/pcsd.*
sudo chown hacluster:haclient /etc/pcsd/pcsd.*
On a multi-node cluster, every node runs its own pcsd, so repeat this on each node with a certificate that names that node (or one certificate whose SAN list covers all of them).
4️⃣ Restart pcsd to Apply Changes
To activate the new certificate, restart the pcsd service:
sudo systemctl restart pcsd
Check the status to ensure it restarted successfully:
sudo systemctl status pcsd
5️⃣ Verify SSL Configuration
🖥️ Test Access via Browser
Open a web browser and navigate to the node using the exact name that appears in the certificate’s SAN:
https://your-cluster-node:2224
If configured correctly, the browser should no longer show a certificate warning; if it still does, the usual causes are a name mismatch, a missing intermediate certificate, or a CA the browser does not trust.
🔍 Check SSL Certificate Details via CLI
To verify the certificate pcsd is actually serving (not just the file on disk), connect to the port and print the subject, issuer, validity window and SAN list:
openssl s_client -connect your-cluster-node:2224 -servername your-cluster-node </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
Run the s_client command on its own (with -showcerts) to see the full chain sent by the server and the "Verify return code" line; anything other than 0 (ok) means the chain does not validate against the local CA bundle.
6️⃣ Open Firewall for Secure Access
Ensure that the firewall allows access to port 2224. pcsd is also the channel the pcs nodes use to talk to each other, so the port must be open between cluster nodes; it should not be reachable from untrusted networks, so limit the rule to the cluster and administration subnets (for example with a firewalld rich rule carrying a source address) rather than opening it to everyone. On firewalld the predefined high-availability service covers 2224/tcp together with the other Pacemaker and Corosync ports.
sudo firewall-cmd --permanent --add-port=2224/tcp
sudo firewall-cmd --reload
7️⃣ Automate SSL Certificate Renewal (For Let’s Encrypt Users)
If using Let’s Encrypt, the Certbot package installs a systemd timer (or cron job) that runs certbot renew on its own; confirm the renewal path works with a dry run:
sudo certbot renew --dry-run
Renewal only updates the files under /etc/letsencrypt. pcsd keeps serving the copies in /etc/pcsd until you repeat the copy from step 3 and restart it, so attach that copy to the renewal as a Certbot deploy hook instead of relying on memory. To renew manually, run the renewal, copy the new files as in step 3, then restart pcsd:
sudo certbot renew
sudo systemctl restart pcsd
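The copy-and-restart in step 3 and the renewal hook in step 7 are the same operation, and the cases that bite in practice are a key that does not belong to the certificate, a certificate that does not name the node, and a certificate that is already close to expiry. The script below is an added example, not code from this page or from the pcs project; it refuses to install a pair that fails those checks, and can be run by hand with a certificate and key or placed in /etc/letsencrypt/renewal-hooks/deploy/ so Certbot runs it after every renewal. It assumes the /etc/pcsd path and hacluster:haclient ownership used in this guide (override PCSD_DIR for other layouts), the host name from uname -n as the name clients connect to (override NODE_NAME), and the RENEWED_LINEAGE variable that Certbot sets for deploy hooks; the file name is hypothetical.

```shell
#!/usr/bin/env bash
# pcsd-install-cert.sh (hypothetical name; added example, not part of pcs):
# check a certificate/key pair, install it for pcsd and restart pcsd.
# Usage: pcsd-install-cert.sh <cert.pem> <key.pem>, or as a certbot deploy hook
# (certbot sets RENEWED_LINEAGE to the directory holding fullchain.pem/privkey.pem).
set -eu

PCSD_DIR="${PCSD_DIR:-/etc/pcsd}"       # path used in this guide; RHEL-family pcs uses /var/lib/pcsd
NODE_NAME="${NODE_NAME:-$(uname -n)}"   # name clients use to reach this node (assumption)
MIN_DAYS="${MIN_DAYS:-14}"              # refuse certificates that expire sooner than this

# Turn a host name into a regex fragment so dots match literally.
escape_name() { printf '%s' "$1" | sed 's/\./\\./g'; }

# 0 when both files parse and the certificate's public key matches the private key.
cert_matches_key() {
    local crt="$1" key="$2" c k
    openssl x509 -in "$crt" -noout 2>/dev/null || return 1
    openssl pkey -in "$key" -noout 2>/dev/null || return 1
    c=$(openssl x509 -in "$crt" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# 0 when the name is a DNS entry in the SAN extension. Only when the certificate
# has no SAN at all (or the local openssl lacks -ext) does the CN count, which is
# what browsers do as well.
cert_covers_name() {
    local crt="$1" pat san
    pat=$(escape_name "$2")
    san=$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null || true)
    case "$san" in
        *"Subject Alternative Name"*)
            printf '%s\n' "$san" | grep -qE "DNS:${pat}([, ]|$)" ;;
        *)
            openssl x509 -in "$crt" -noout -subject | grep -qE "CN *= *${pat}([,/ ]|$)" ;;
    esac
}

# 0 when the certificate is still valid in the given number of days.
cert_not_expiring() {
    local crt="$1" days="${2:-$MIN_DAYS}"
    openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Run all checks, then install with the ownership/mode from the guide and restart pcsd.
install_cert() {
    local crt="$1" key="$2"
    cert_matches_key "$crt" "$key"       || { echo "refusing: certificate and key do not match" >&2; return 1; }
    cert_covers_name "$crt" "$NODE_NAME" || { echo "refusing: certificate does not name $NODE_NAME" >&2; return 1; }
    cert_not_expiring "$crt"             || { echo "refusing: certificate expires within $MIN_DAYS days" >&2; return 1; }
    install -m 0600 -o hacluster -g haclient "$crt" "$PCSD_DIR/pcsd.crt"
    install -m 0600 -o hacluster -g haclient "$key" "$PCSD_DIR/pcsd.key"
    systemctl restart pcsd
}

# Entry point: certbot deploy hook (RENEWED_LINEAGE set) or manual "<cert> <key>".
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem"
elif [ "$#" -ge 2 ]; then
    install_cert "$1" "$2"
fi
```

The key check compares SHA-256 digests of the DER-encoded public key taken from each file, which works for RSA and EC keys alike. The name check deliberately ignores the CN once a SAN extension exists, because a certificate whose CN matches but whose SAN does not is exactly the case that keeps producing browser warnings after a seemingly successful install. On a multi-node cluster run the script on each node, or install on one node and use pcs pcsd sync-certificates to push the pair to the others once you have confirmed its SAN list covers every node name.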
🔄 Troubleshooting Common Issues
🚨 pcsd Not Restarting?
Check the logs for errors; a PEM file that does not parse or a key that does not match the certificate will stop pcsd from starting:
sudo journalctl -u pcsd -e
sudo tail -f /var/log/pcsd/pcsd.log
🚨 SSL Certificate Not Recognized?
- Verify the certificate contents (subject, SAN, validity dates, issuer):
openssl x509 -in /etc/pcsd/pcsd.crt -text -noout
- Ensure correct permissions:
sudo chmod 600 /etc/pcsd/pcsd.*
sudo chown hacluster:haclient /etc/pcsd/pcsd.*
- Restart pcsd:
sudo systemctl restart pcsd
🎯 Conclusion
Replacing the default certificate on Pacemaker’s Web UI (pcsd) with one your clients can verify makes the connection authenticated as well as encrypted, removes the browser warnings, and keeps the cluster management port in line with the rest of your TLS estate. With renewal automated, the certificate stays valid without manual work. 🚀
💡 Stay Secure & Keep Your Cluster Running Smoothly! 🔥