By: Sam Bauch user 22 Apr 2020 at 7:55 a.m. CDT

4 Responses
I followed the instructions [here](https://github.com/GluuFederation/gluu-docker/tree/3.1.6/examples/single-host) for getting a Gluu server running on an AWS EC2 instance. I'd love to be on a newer version, but this felt like the easiest thing to follow (I tried a bunch of other approaches first to no avail). I am not very experienced with devops though I am a software engineer.

I'm building OSS for the other side of SAML, a microservice for authenticating SAML-based SSO users into your application. My goal is to get a Gluu server running so that I can test against Gluu SAML, as well as provide developers using my OSS a sandbox where they can also test SAML SSO (without having to register for Okta etc).

It's a bit unclear whether you are able to provide support for Docker per some other threads, but here goes.

I don't know how to replace the self-signed certificate that was installed as part of the install script. It seems like my deployment is working properly otherwise, and when I attempt to access via a web browser, I get browser errors for invalid cert. Inspecting the cert, it's clearly the one generated for me with the provided config data.

I've tried provisioning a cert via AWS Certificate Manager, putting a classic load balancer in front of the Gluu server, and using the new cert on the load balancer. I don't think this really makes sense we're running Dockerized nginx?

Similar to [this thread](https://support.gluu.org/maintenance/4703/where-are-httpd-certificates-stored/) - I do not know where to find the `/etc/hosts` directory mentioned in the docs. An answer there has a command `service gluu-server-3.1.1 login` which I've not seen in any other docs, and I don't see anything in containers / images / ps related to `gluu-server-3.1.6`

```
CONTAINER ID   IMAGE                                  COMMAND                  CREATED        STATUS        PORTS                                                        NAMES
3b7cc16bc465   gluufederation/oxpassport:3.1.6_03     "tini -g -- /opt/scr…"   19 hours ago   Up 19 hours   8090/tcp                                                     oxpassport
53434ee330cb   vault:1.0.3                            "docker-entrypoint.s…"   19 hours ago   Up 19 hours   8200/tcp                                                     vault
f93a59502758   gluufederation/registrator:dev         "registrator -intern…"   19 hours ago   Up 19 hours                                                                registrator
0d551a4c49e8   gluufederation/opendj:3.1.6_02         "tini -g -- /opt/scr…"   19 hours ago   Up 19 hours   1636/tcp, 4444/tcp, 8989/tcp                                 ldap
af929dd560ad   gluufederation/oxauth:3.1.6_03         "tini -g -- /opt/scr…"   19 hours ago   Up 19 hours   8080/tcp                                                     oxauth
28977c847cc6   gluufederation/nginx:3.1.6_02          "tini -g -- /opt/scr…"   19 hours ago   Up 19 hours   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp                     nginx
3295dc3bb9f2   gluufederation/oxtrust:3.1.6_05        "tini -g -- /opt/scr…"   19 hours ago   Up 19 hours   8080/tcp                                                     oxtrust
970e1ff50378   gluufederation/oxshibboleth:3.1.6_03   "tini -g -- /opt/scr…"   19 hours ago   Up 19 hours   8080/tcp                                                     oxshibboleth
24c04f68aaee   consul                                 "docker-entrypoint.s…"   19 hours ago   Up 19 hours   8300-8302/tcp, 8500/tcp, 8301-8302/udp, 8600/tcp, 8600/udp   consul
```

Which I think suggests my next issue - how can I reliably tell that my installation fully deployed without error? Is the above `docker ps` output what I should be seeing? How can I verify that I am running all of the services that should be?

Would it make sense to replace the openssl self-signed cert with one from Let's Encrypt / certbot in the install script itself?

Is there a similar "easy" install for newer versions of Gluu server?

How should I go about replacing the self-signed cert I now have?

By Michael Schwartz Account Admin 22 Apr 2020 at 8:11 a.m. CDT

Are you using the docker compose distribution? This is for testing locally, not production. Updating an SSL web certificate is part of normal web server administration, and is not unique to Gluu. Gluu has a VIP support subscription for our Cloud Native distribution (i.e. Kubernetes). @Aliaksandr.Samuseu may be able to give you some hints. We don't really see this issue a lot with the Test Drive distribution because it's not used for prod.

By Sam Bauch user 22 Apr 2020 at 8:33 a.m. CDT

I am using the docker compose distribution I believe - I followed instructions [here](https://github.com/GluuFederation/gluu-docker/tree/3.1.6/examples/single-host), which opens with:

> This is an example of running Gluu Server Docker Edition on a single VM.

Is there a reason I can't use this distribution for production? I'm not like, a real enterprise company, I'd be okay lacking whatever bells and whistles this distribution doesn't include if it's not typically used for prod? I really need more of a sandbox.

I'm not going to purchase VIP support - again, I'm building OSS myself, no funding, can't really justify or likely afford that expense right now.

Is this an appropriate guide to follow for a more production deployment? https://gluu.org/docs/gluu-server/4.1/installation-guide/install-docker/

By Michael Schwartz Account Admin 22 Apr 2020 at 8:44 a.m. CDT

We have no customers running this in production. There is no strategy to cluster it. It's ok for your sandbox. Like I said, it's mostly used for testing. The package distributions are the easiest to get support on these forums. Alex may have an idea here. But even if we can't help you, replacing the SSL cert is standard docker / web server stuff. I'm sure there is quite a bit of info on the Internet about it.

By Sam Bauch user 22 Apr 2020 at 10:06 a.m. CDT

Gotcha. I'll see if Alex has anything to add, but sounds like I should back out of docker and instead use the Ubuntu package distribution. And yeah, am reading up on docker / nginx SSL, seems like not a huge lift, but not super simple. Is there anything I can check to verify that everything else is properly set up? Would hate to solve the SSL issue to find out I made a mistake elsewhere!
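
A way to confirm that a certificate replacement took effect, as an added example that is not part of this thread or of Gluu's tooling: it classifies a PEM certificate as self-signed or CA-issued using `openssl`. The sample certificates, the placeholder hostname `gluu.example.test` and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: tell a self-signed certificate from a CA-issued one.

# Return 0 if the PEM cert in $1 is self-signed, 1 if another CA issued it,
# 2 if the file cannot be read as a certificate.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    # Subject and issuer names differ: some other CA issued this cert.
    [ "$subj" = "$issr" ] || return 1
    # Names match: confirm the signature verifies under the cert's own key.
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || return 1
    return 0
}

# Print a one-word verdict for the certificate file in $1.
classify() {
    rc=0
    cert_is_self_signed "$1" || rc=$?
    case $rc in
        0) echo self-signed ;;
        1) echo ca-issued ;;
        *) echo unreadable ;;
    esac
}

# Constructed sample input: one self-signed cert and one leaf issued by a
# throwaway test CA, all written to directory $1 (valid for one day).
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=gluu.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Sample Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=gluu.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "self.pem: $(classify "$tmp/self.pem")"
echo "leaf.pem: $(classify "$tmp/leaf.pem")"
```

To run the same check on a live endpoint, save what it serves with `openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -out served.pem` and pass `served.pem` to `classify`. With a TLS-terminating load balancer in front of the nginx container, the load balancer address and the instance address can present different certificates, so check the one clients actually connect to.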