SSL Configuration
Prerequisites
The following are required for the SSL change:
- SSL key and CSR generation tools (https://www.thesslstore.com/knowledgebase/ssl-generate/csr-generation-guide-for-nginx-openssl/)
- Access to the NameCheap website (or whichever domain hosting provider Simpatra is using)
- GCP access for Simpatra (Admin level access is required)
- K8S know-how
- Base64 encoder/decoder tool (https://www.base64decode.org/). Use a web tool only for public material such as the certificate; the private key must be encoded locally (for example with the base64 command-line tool) and never pasted into a website
- Cert reading tool (https://www.sslshopper.com/certificate-decoder.html)
- This guide
Steps
Cert generation
- Make sure you have created the CSR and private key (PK) on your machine, using the exact details (common name, organisation, etc.) required for the Simpatra domain. Keep these values safe; the private key in particular must not leave your machine except as the value stored in the Kubernetes secret.
- Base64-encode the CSR and PK values. Use the Windows CR/LF line-ending scheme. Encode the private key locally (for example with the base64 command-line tool), never in an online encoder.
- Navigate to the Simpatra hosting provider (in this case the NameCheap service).
- Navigate to DomainList -> Simpatra.com -> Products -> Active Cert and click the Manage button.
- Follow the steps displayed on that site to obtain the certificate.
- Download the certificate file (and the intermediate/CA bundle, if one is provided) and Base64-encode it in the same way.
Replace Certs in GCP
- Log in to GCP.
- Select the appropriate project (sim-microservices-prod and sim-microservices-dev; repeat the steps below for each environment you are updating).
- Navigate to the K8S section and select Configuration and Secrets.
- Open the simpatra-com-credential secret and click kubectl -> Edit.
- Replace the key and cert values with the Base64-encoded private key and certificate from the steps above. The values already in the secret are Base64 as well, so paste your encoded values in their place; do not encode them a second time.
- Save the YAML and exit the K8S console. It should report that the configuration was replaced.
- Perform the same steps for the simpatra-services-credential secret, this time using the Base64-encoded key and cert for the simpatra.services domain.
- In the same secrets view, select the istio-ca-cert secret and replace only the ca-cert and ca-key values, following the same steps as above.
- In istio-security, likewise replace the certificate with the Base64-encoded value of the main simpatra.com website certificate.
Note: if you need to change any pod or security-related configuration afterwards, wait a few minutes first so that the new cert has time to take effect in GCP.
PS: We ran into a node upgrade issue caused by the GCP team when we completed this operation. It took the website down for a few minutes (30-45 mins). However, during this time the domain and all pods were running fine (most important to note).
Test
In the K8S cluster view, the cluster should show as healthy. Click the "Show cluster certificate" link to make sure it shows the right certificate. Also confirm the certificate the site actually serves to clients (for example with the chain-check tool linked in the Certificate chain section below) and check that its expiry date and common name are the new ones.
NEVER PUT CERTIFICATE ON LOAD BALANCER
Certificate chain
If you receive an error that intermediate certificates are missing, check the chain the site serves with the following tool (https://tools.keycdn.com/certificate-chain).
The complete chain (the site certificate followed by the intermediate certificates) then has to be put back into the cert value of the secret for the particular service.
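The following shell script is an added example for this guide, not Simpatra's own tooling: it covers the key/CSR generation, the Base64 encoding, the secret replacement and the chain and key/cert checks described above from the command line, so that the private key never has to be pasted into a web tool. The file names, the namespace, the tls.crt/tls.key field names of a kubernetes.io/tls secret and the use of openssl and kubectl on the operator's machine are assumptions, not taken from the page. The Base64 helpers are exercised on constructed placeholder text, not real key material.

```shell
#!/bin/sh
# Added example (not from the original runbook). Assumed: openssl and kubectl
# are installed; secret field names follow the kubernetes.io/tls layout.
set -eu

# Generate a fresh private key and CSR for a domain (requires openssl).
# Submit the .csr to the certificate provider; the .key stays on this machine.
gen_csr() {
  domain="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "${domain}.key" -out "${domain}.csr" \
    -subj "/CN=${domain}/O=Example Org"   # O= is a placeholder; use the real details
}

# Base64-encode a file as a single line, the form a Secret's data: field expects.
# The bytes are encoded exactly as they are in the file, line endings included.
b64_file() {
  base64 < "$1" | tr -d '\n'
}

# Decode a Secret data value back to text, to inspect what is actually stored.
b64_decode() {
  printf '%s' "$1" | base64 -d
}

# Render a kubernetes.io/tls Secret manifest without applying it, so the YAML
# can be reviewed (or pasted into the console's kubectl -> Edit view) first.
render_tls_secret() {
  name="$1"; namespace="$2"; keyfile="$3"; certfile="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: kubernetes.io/tls
data:
  tls.crt: $(b64_file "$certfile")
  tls.key: $(b64_file "$keyfile")
EOF
}

# Confirm the certificate and key belong together before touching the cluster:
# the public key derived from each must be identical (requires openssl).
key_matches_cert() {
  certpub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  keypub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$certpub" = "$keypub" ]
}

# Show the chain the site really serves, for the "intermediate certificate
# missing" case (requires openssl and network access).
show_served_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Replace the secret in place from local files (requires kubectl). The cert
# file should hold the site certificate followed by the intermediates.
apply_tls_secret() {
  kubectl -n "$2" create secret tls "$1" --cert="$4" --key="$3" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Demonstration on constructed placeholder files (no real key material).
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$work/example.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$work/example.crt"
render_tls_secret simpatra-com-credential default "$work/example.key" "$work/example.crt"
```

Run gen_csr first, hand the CSR to the provider, then put the returned certificate and its intermediates into one file. key_matches_cert guards against pasting a cert that was issued for a different key, and render_tls_secret gives you the exact Base64 values to paste into the console (or apply_tls_secret replaces the secret directly); in both paths the key is encoded locally.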