This is a how-to for Manually renew the NovaStor DC Command Server SSL certificate, which is installed on the Command Server 8.0.x for Linux, utilized by both the Web UI (DC Web Console) and the Java GUI (DC Management Console), and to communicate to the client nodes. Note: In version 8.0.x the SSL certificate validity is 90 days in length, then in version 8.1.x the validity was increased from 90 days to 1 year, and in version 8.2.13 and newer, the validity was increased to 5 years (read the specific notes about the later change to the certificate validity in the KB article here).
The SSL certificate that is stored on the Command Server machine is generated with a validity length of 90 days. If you were to install the Command Server on June 1, 2020, then it will be valid until September 1, 2020, and beyond that date that it will be in the expired state, and will require renewal. If the certificate validity is expired it will just require you to ignore the extra initial cert invalid warning when accessing the WebGUI via web browser. The SSL certificate renewal process is currently a manual process that you will need to perform from your Command Server machine directly.
Steps for Linux based Command Server 8.x:
- Start an SSH session or a shell session in Linux as a user that has sudo access (check by using command: 'sudo -i' after logging in, if it says you do not have sudo rights then choose a different user to login as and try this again), or login as root.
- Type: cd /opt/NovaStor/DataCenter/etc/central_scripts
- Note: If you utilized a different installation folder for Command Server for Linux then you will need to specify that path to cd to. If you are unable to cd to the '/etc/central_scripts' sub-folder then it means that your user does not have access to the folder, perhaps due to folder permissions. You will either need to perform a 'sudo -i' command to have su access, or login as root as described in Step 1.
- Type: sudo ./renew_cert.sh
- Note: If you get an error to do with the user does not have sudo rights, then login with a user that does have sudo access, or as root and re-try all of the steps.
- Make sure that the last output of the command is displayed as: "Certificate was added to keystore".
- Now clear all of the web browser's cache/cookies that access the Command Server's WebGUI website. Attempt to access the WebGUI URL from those web browsers once more to verify the SSL certificate's validity dates. It should have provided you with 90 more days of validity from today's date. NOTE: In version 8.0.x the SSL certificate validity is 90 days in length, then in version 8.1.x the validity was increased from 90 days to 1 year, and in version 8.2.13 and newer, the validity was increased to 5 years (read the specific notes about the later change to the certificate validity in the KB article here).
NOTE: If the Java GUI (DC Management Console) application is also installed on any additional separate systems other than the Command Server system, or any system that is not the Command Server system, and you are having trouble logging in to the Java GUI (DC Management Console), then it is likely that either the version of the GUI does not match the Command Server version and now needs to be upgraded to match the Command Server, or the SSL certificate on the Command Server has expired, or the computer's clock is not set correctly and inaccurate that you are attempting to utilize the app from. If you see any of these warnings or errors it means the SSL cert is likely to have expired and will need to be manually renewed using this guide:
After loading the Java GUI (DC Management Console) and just after attempting to click on the "Login" button a red error box is displayed, with no error text inside it, like in this example, then proceed to the next screenshot:
If the red error box with no text in it is displayed, just click the "Login" button again to see the full error, which may mention "The server's SSL certificate may not be available in the local certificate store":
If the Web UI (DC Web Console) displays a warning in your web browser like this, whereby it says the Command Server website is misconfigured or your computer is set to the wrong time, this likely means that the SSL certificate has expired on the Command Server, and will need to be manually renewed using the steps in this guide:
Once the SSL certificate is manually renewed and the Command Server's services have been restarted, then you can retry Steps 8-9 in this guide.