(Migrated) SSL cert setup for production

(This message has been automatically imported from the retired mailing list)

For production setup, how can I bypass the CA setup and use our own SSL cert?


Veðurstofa Íslands | Icelandic Met Office

Bústaðavegur 7-9, 108 Reykjavík

Sími +354 522 6000

www.vedur.is | en.vedur.is

E-mail Disclaimer: http://www.vedur.is/um-vi/vefurinn/notkunarskilmalar/fyrirvari/

Hi Dariusz,

I am installing it from scratch with one load balancer, one Zato server cluster of two Zato server nodes, three Redis nodes and a Sentinel failover config.

Using this guide as reference: https://zato.io/docs/admin/guide/install-config/overview.html

I am at the point of making the CA.

zato create web_admin [-h] [--store-log] [--verbose] [--store-config]
[--postgresql_schema POSTGRESQL_SCHEMA] [--odb_password ODB_PASSWORD]
[--tech_account_password TECH_ACCOUNT_PASSWORD]
path odb_type odb_host odb_port odb_user odb_db_name
pub_key_path priv_key_path cert_path ca_certs_path

And it's noted: Note that Zato ships with a simple CA https://zato.io/docs/admin/cli/ca.html that can be used on development environments.

On 01/03/16 15:13, "Dariusz Suchojad" <dsuch@zato.io> wrote:

On 01/03/16 16:09, Davíð Halldór Lúðvíksson wrote:

For production setup, how can I bypass the CA setup and use our own SSL
cert?

Hi Davíð,

do you have the environment ready, or are you creating it from scratch now?

What is the procedure that you follow?

thanks,


Dariusz Suchojad

https://zato.io
ESB, SOA, REST, APIs and Cloud Integrations in Python



Hi,

So is there any documentation on using an external (not built-in) CA for the zato.io setup?

On 01/03/16 15:35, "Dariusz Suchojad" <dsuch@zato.io> wrote:

On 01/03/16 16:24, Davíð Halldór Lúðvíksson wrote:

I am installing it from scratch with one load balancer,
one Zato server cluster of two Zato server nodes, three Redis nodes and a Sentinel failover config.

Using this guide as reference: https://zato.io/docs/admin/guide/install-config/overview.html

I am at the point of making the CA.

Right, I see, thanks.

You can use any CA really; there are no limits here. The components can
use certificates created by your organization's own CA, or they can
also be bought or issued by letsencrypt.org.

And it's noted: Note that Zato ships with a simple CA
https://zato.io/docs/admin/cli/ca.html that can be used on
development environments.

Yes, that’s correct - this was added for convenience only but there are
no plans to turn it into an actual CA. From the technical viewpoint it
produces fully working certificates but it is not a priority to make it
have more features than what is needed during development.

thanks,




On 01/03/16 17:09, Davíð Halldór Lúðvíksson wrote:

So is there any documentation of using external (not-build-in) CA for the zato.io setup?

Hi Davíð,

please clarify what sort of documentation you are thinking of.

The process of using certificates does not depend on what kind of CA
you are using, so I'm not 100% sure what information is needed.

thanks,

Hi Dariusz

I will then set up our own CA authority, skip the Zato CA commands and define those paths to the CA authority on our first Zato node, which will have the web-admin setup.

pub_key_path - Path to a PEM-encoded web admin's public key: ~/crypto/zato.webadmin7.pub.pem
priv_key_path - Path to a PEM-encoded web admin's private key: ~/crypto/zato.webadmin7.priv.pem
cert_path - Path to a PEM-encoded web admin's certificate: ~/crypto/zato.webadmin7.cert.pem
ca_certs_path - Path to a PEM-encoded list of CA certificates web admin is to trust: ~/crypto/ca-cert.pem

Would just be nice to have a setup guide to make this clearer for production setup.


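As an added example (not code from this thread, from Davíð's setup or from the Zato project), the following script carries out the plan described above with openssl: it creates a private CA, issues the web-admin certificate from it, and checks that the resulting files fit the four crypto arguments of `zato create web_admin` (pub_key_path, priv_key_path, cert_path, ca_certs_path). It assumes openssl is on PATH; the CA name, the host name zato-webadmin7.example.internal, the scratch directory (the thread uses ~/crypto) and the ODB placeholders in the printed command are all invented, and Zato itself is not invoked.

```shell
#!/bin/sh
# Added example, not from the thread or the Zato project: private CA with
# openssl, a CA-signed web-admin certificate, and the checks to run before
# handing the paths to `zato create web_admin`.
# Assumptions: openssl on PATH; CA name, host name, file names and ODB
# placeholders are made up. Zato is not invoked here.
set -eu

# The thread uses ~/crypto; default to a scratch directory so a dry run is harmless.
CRYPTO_DIR="${CRYPTO_DIR:-$(mktemp -d)}"
WEBADMIN_HOST="${WEBADMIN_HOST:-zato-webadmin7.example.internal}"   # hypothetical name

# 1. Root CA: self-signed, CA:TRUE, pathlen 0 so it can only sign leaf certificates.
make_ca() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Internal Zato CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  chmod 600 "$dir/ca-key.pem"
  openssl req -x509 -new -key "$dir/ca-key.pem" -config "$dir/ca.cnf" \
    -days 3650 -out "$dir/ca-cert.pem"
}

# 2. Web-admin leaf: private key, public key, CSR, then a CA-signed certificate
#    with CA:FALSE and a SAN matching the name clients connect to.
issue_cert() {
  dir=$1; name=$2; host=$3
  cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl genrsa -out "$dir/$name.priv.pem" 2048 2>/dev/null
  chmod 600 "$dir/$name.priv.pem"
  openssl rsa -in "$dir/$name.priv.pem" -pubout -out "$dir/$name.pub.pem" 2>/dev/null
  openssl req -new -key "$dir/$name.priv.pem" -config "$dir/$name.cnf" -out "$dir/$name.csr"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 825 -extfile "$dir/$name.cnf" -extensions leaf \
    -out "$dir/$name.cert.pem" 2>/dev/null
}

# 3. Checks before the paths go into Zato. Returns non-zero on any failure.
check_files() {
  dir=$1; name=$2
  # cert_path must chain to ca_certs_path (here: only our CA, not the system bundle).
  openssl verify -CAfile "$dir/ca-cert.pem" "$dir/$name.cert.pem" >/dev/null || return 1
  # pub_key_path, priv_key_path and cert_path must all describe the same key pair.
  [ "$(openssl x509 -in "$dir/$name.cert.pem" -noout -pubkey)" = "$(cat "$dir/$name.pub.pem")" ] || return 1
  # The leaf must not be usable as a CA, and must carry a SAN.
  openssl x509 -in "$dir/$name.cert.pem" -noout -text | grep -q 'CA:TRUE' && return 1
  openssl x509 -in "$dir/$name.cert.pem" -noout -text | grep -q 'DNS:' || return 1
  # The private key must be readable by its owner only.
  [ "$(ls -l "$dir/$name.priv.pem" | cut -c1-10)" = "-rw-------" ] || return 1
}

# 4. Argument line for `zato create web_admin`, in the order of its usage text.
#    ODB values are placeholders to replace by hand; the command is only printed.
webadmin_cmd() {
  dir=$1; name=$2
  printf '%s\n' "zato create web_admin /opt/zato/web-admin postgresql db.example.internal 5432 zato zato" \
    "  $dir/$name.pub.pem $dir/$name.priv.pem $dir/$name.cert.pem $dir/ca-cert.pem"
}

main() {
  make_ca "$CRYPTO_DIR"
  issue_cert "$CRYPTO_DIR" zato.webadmin7 "$WEBADMIN_HOST"
  check_files "$CRYPTO_DIR" zato.webadmin7
  echo "certificates ready in $CRYPTO_DIR; run on the web-admin node:"
  webadmin_cmd "$CRYPTO_DIR" zato.webadmin7
}

main
```

Two points worth keeping in mind when adapting this: ca_certs_path is the trust list for web-admin, so it should contain only the CA (or CAs) that actually issue the cluster's certificates rather than a general-purpose bundle, and the same CA certificate is what the servers and load balancer need as their own trust list if they are to accept web-admin's certificate. If a purchased or Let's Encrypt certificate is used instead, only steps 3 and 4 change: cert_path is the issued certificate and ca_certs_path holds the issuing chain.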

On 02/03/16 12:14, Davíð Halldór Lúðvíksson wrote:

Would just be nice to have a setup guide to make this clearer for production setup.

Ok, this can be arranged. Please open a ticket in GitHub, describe in
detail what you need and it will be taken care of.

But I honestly ask you to provide details on what sort of step-by-step
docs you are thinking of - technically, there is no difference between a
development environment and production one.

In fact, quite a few people create a quickstart cluster, rename it to
‘Production’ and that is it, their production is created within 2 minutes.

So if you’d like to see something specific added for environments
similar to your production, please explain it fully in GH what your
production is like, how you set it up, how you configure it, how many
servers, operating systems there are, and it will be added to the
documentation.

thanks a lot,