How to enable HTTPS

Overview

GroundWork Monitor supports HTTPS, using TLS to encrypt web browser connections to Apache, although this feature is not enabled by default. The binaries and libraries necessary to enable HTTPS support are included in the GroundWork Monitor distribution. See also the GDMA Notes section.

Scripted HTTPS Support in GroundWork Monitor

To set up HTTPS in GroundWork, run the setup-https.py script found in /usr/local/groundwork/tools/system_setup/.

You will need to be root, or run the script via sudo, given the nature of some of the tasks performed.
IMPORTANT: Before you run the setup script, make sure you have a single entry in the /etc/hosts file with the server's actual IP address and the servername you will use to access the system via HTTPS. Make sure you don't have more than one line with the server's actual IP address, as the script will use the first entry it finds. This single entry is required even if you explicitly declare the servername in the command.
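
A pre-flight check for the /etc/hosts requirement above, as an added example that is not part of setup-https.py or the GroundWork distribution. The function name check_hosts_entry, the address 192.0.2.10 and the hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of setup-https.py.
# Usage: check_hosts_entry IP SERVERNAME [HOSTS_FILE]
# Returns 0 = exactly one line for IP, and it lists SERVERNAME
#         1 = no line for IP
#         2 = more than one line for IP
#         3 = the single line for IP does not list SERVERNAME
check_hosts_entry() {
    awk -v ip="$1" -v name="$2" '
        { sub(/#.*/, "") }                  # ignore comments
        ($1 "") == (ip "") {                # first field is the address
            n++
            for (i = 2; i <= NF; i++)       # remaining fields are names
                if (tolower($i) == tolower(name)) found = 1
        }
        END {
            if (n == 0) exit 1
            if (n > 1)  exit 2
            if (!found) exit 3
        }' "${3:-/etc/hosts}"
}

# Constructed sample file: the address appears on two lines, the case the
# page warns about because the script uses the first entry it finds.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost
192.0.2.10  oldname.example.com oldname
192.0.2.10  monitor.example.com monitor   # intended entry
EOF
check_hosts_entry 192.0.2.10 monitor.example.com "$sample"
echo "duplicate-entry sample: status $?"   # status 2
rm -f "$sample"
```

On a real system, call it with the server's actual IP address and the servername you plan to use, and run setup-https.py only when it returns 0.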

Basic operation

The script will set the system up with a certificate corresponding to the current FQDN of the system. Because daemons are restarted during this process, it can take some minutes to complete. If you are planning to use self-signed certificates on a standalone GroundWork system, you can run this script without any flags:

# cd /usr/local/groundwork/tools/system_setup/
# ./setup-https.py
GroundWork Monitor Enterprise is now configured for https.

Examples

Backup file

A backup of the configuration files modified by the setup-https.py script is created at /usr/local/groundwork/backup/DATESTAMP-pre-https-config-backup.tgz. For example:

$ ls -l /usr/local/groundwork/backup/
total 32
-rw-r--r-- 1 root root 29695 Oct 16 11:44 2017-10-16-1144-pre-https-config-backup.tgz

Log file

A log of the operation run by the script can be found in the same directory at /usr/local/groundwork/tools/system_setup/log/setup-https.log. Refer to this log file if something didn't work as expected. If you need to open a support ticket, attach this file to the ticket.

Reverting to previous configuration

If you need to roll back the changes made by this script, run the grafbridge-control script, restore the backup file, and then restart GroundWork:

  1. Run the grafbridge-control script to disable https in the respective config locations:
    /usr/local/groundwork/grafana/scripts/grafbridge-control -ssl disable
    
    Because this step communicates with some APIs, GroundWork must be up and available at the URL configured the previous time it was run (e.g., by the setup-https.py script). You MUST have restarted GroundWork prior to running this step again or it will fail. If GroundWork has been restarted but this step still produces errors, run the following command to correct it:
    /usr/local/groundwork/tools/system_setup/scripts/update-graf-ds.py --protocol http
    
  2. Restore the backup file found at /usr/local/groundwork/backup/DATESTAMP-pre-https-config-backup.tgz.
    tar xvf /usr/local/groundwork/backup/2017-10-16-1144-pre-https-config-backup.tgz -C /
  3. Restart GroundWork daemons:
    /etc/init.d/groundwork restart
    
Usage
$ ./setup-https.py --help
usage: setup-https.py [-h] [--create_certs] [--redirect] [--noredirect]
                      [--certfile CERTFILE] [--certkey CERTKEY]
                      [--certca CERTCA] [--servername SERVERNAME]
                      [--josso_servername JOSSO_SERVERNAME]
                      [--java_keystore_pass JAVA_KEYSTORE_PASS]
                      [--extra_vars_file EXTRA_VARS_FILE] [--save] [--print]
                      [--purge_extra_vars] [--info] [--debug]

Tool to drive automated setup of https for GroundWork Monitor Enterprise.
Settings taken from extra-vars.yml if present. Flags take precedence.

optional arguments:
  -h, --help            show this help message and exit
  --create_certs        generate self signed certificates, (default)
  --redirect            listen on port 80 to redirect to port 443. If neither
                        --redirect nor --noredirect is specified. --redirect
                        is assumed.
  --noredirect          do not listen on port 80 to redirect to port 443
  --certfile CERTFILE   path to user supplied certificate
  --certkey CERTKEY     path to user supplied key
  --certca CERTCA       path to user supplied ca certificate
  --servername SERVERNAME
                        servername if different than discovered FQDN
  --josso_servername JOSSO_SERVERNAME
                        servername for josso auth if different than
                        localhost:8888
  --java_keystore_pass JAVA_KEYSTORE_PASS
                        keystore password if different than default, (default:
                        changeit)
  --extra_vars_file EXTRA_VARS_FILE
                        path to extra-vars.yml file if different than default
  --save                Only update the extra-vars.yml file and exit
  --print               print the content of the extra-vars.yml file and exit
  --purge_extra_vars    delete extra-vars.yml file and exit
  --info                set log level to INFO
  --debug               set log level to DEBUG

Regenerating certificates or generating new certificates for child servers

Because of recent changes to browsers such as Firefox and Chrome, certificates are now required to have subject alternative name (SAN) fields. Self-signed certificates created with instructions from previous versions of GroundWork will work with 7.2 but will not validate in these browsers because they lack these fields. The OpenSSL CLI tool does not prompt for this field to be added, so we have wrapped it in a shell tool.
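
To check whether a certificate carries the SAN field described above, or to produce a self-signed one that does, the following added example uses the OpenSSL CLI with a small config file. It is not GroundWork's wrapper tool and not code from the original page; the function names make_san_cert and cert_has_san and the hostname monitor.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not GroundWork's wrapper tool.
# make_san_cert NAME DIR: write DIR/NAME.key and DIR/NAME.crt, self-signed,
# with NAME in both the subject CN and the subjectAltName extension.
make_san_cert() (
    name=$1; dir=$2
    umask 077                       # keep the private key owner-only
    cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $name
[v3]
subjectAltName = DNS:$name
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
)

# cert_has_san CERT NAME: succeed only if CERT has a SAN entry DNS:NAME.
# A certificate with no SAN extension at all also fails this check.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | tr -d ' ' | grep -Fqx "DNS:$2"
}

# Demo with a constructed hostname in a throwaway directory.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_san_cert monitor.example.com "$tmp" &&
        cert_has_san "$tmp/monitor.example.com.crt" monitor.example.com &&
        echo "SAN present for monitor.example.com"
    rm -rf "$tmp"
fi
```

cert_has_san can also be run against an existing certificate, for example one created with older instructions, to see whether it covers the servername browsers will connect to.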

Notes
GDMA Notes