Lets Encrypt Automation - wildcard automated install

[pezhore]

Version

2.4.211

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

14

RAM

32

Storage for /

1TB

Storage for /nsm

256GB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I'm working on a fresh install of security onion on a minisforum dedicated bit of hardware. My internal domain ends with .dev - which requires a valid, non-self signed certificate.

I use a dedicated certbot lxc container that handles DNS based wildcard cert renewals, with post hooks using ansible to deploy said cert to my various homelab systems, and I would like to follow a similar pattern for my security onion system.

I've tried the following methods:

1. Various instructions online say to replace the managerssl.crt and managerssl.key files with LE certs, but that only appeared to take effect until the next salt run - this was enough to let me try the second method.
2. The guide had a permanent effect, but copy the contents of cert/key into a web page isn't automatable, and if that cert lapses, I'm stuck going back to the manual overwriting above.

Is there a better way to programmatically set the nginx fullchain/cert and key? I can figure out how to wrap ansible around it and share that back to the community.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Have you tried this? https://docs.securityonion.net/en/2.4/nginx.html#replacing-default-cert

[pezhore]

Yes - that's method two that I mentioned. Unfortunately, it looks like you have to copy/paste the entire contents of the cert/key in the webui which isn't a very automatable method.

Unless I'm misreading and I can put in the full path to the certificate/key instead of the cert/key contents?

[cm-ops]

Currently yes, you need to put the contents of the .crt and .key in the configurations.

[pezhore]

Is there any plan to allow for file-system paths? I noticed in the /SecurityOnion/salt/nginx/ssl.sls salt state file, there's something interesting:

{%   if GLOBALS.role != 'so-fleet' %}
{#     if the user has selected to replace the crt and key in the ui #}
{%     if NGINXMERGED.ssl.replace_cert %}

managerssl_key:
  file.managed:
    - name: /etc/pki/managerssl.key
    - source: salt://nginx/ssl/ssl.key
    - mode: 640
    - group: 939
    - watch_in:
      - docker_container: so-nginx

managerssl_crt:
  file.managed:
    - name: /etc/pki/managerssl.crt
    - source: salt://nginx/ssl/ssl.crt
    - mode: 644
    - watch_in:
      - docker_container: so-nginx

{%   else %}

Since I've replaced the contents of the key and cert in the UI it looks like the nginx ssl salt state will just watch for changes of the managerssl.key and managerssl.crt and restart the docker container? (My knowledge of salt isn't great)

But I'm not sure if there's another salt state file that ensures the contents of the key and cert match what's in the UI (probably?), but if not, could I just update those two files with my ansible code base and call it a day?

[cm-ops]

If you place the cert/key in /opt/so/saltstack/local/salt/nginx/ssl/ Salt will place it in /etc/pki . Both managerssl.crt and managerssl.key are managed files by Salt and having something in the local nginx directory will apply when Salt runs that state.