Unsigned Certificate Warning when Connecting to NetQ UI
When I try to connect to the NetQ UI to configure my on-premises setup, I get a warning from my browser that the certificate is untrusted.
- Cumulus NetQ 3.0.0 - 3.1.0
The Cumulus NetQ UI ships with a self-signed certificate, which is why your browser issues a warning. You can avoid seeing this issue by installing your own signed certificate.
In order to use a custom certificate, you need the following:
- A valid X509 certificate.
- A private key file for the certificate.
- A DNS record name configured to access the NetQ UI. The FQDN should match the common name of the certificate. If you use a wild card in the common name — for example, if the common name of the certificate is *.example.com — then the NetQ telemetry server should reside on a subdomain of that domain, accessible via a URL like netq.example.com.
- Cumulus NetQ must be installed and running. You can verify this by running the
netq show opta-healthcommand.
To install a custom certificate:
Log in to the Cumulus NetQ telemetry server via SSH and copy your certificate and key file there.
Generate a Kubernetes secret called
netq-gui-ingress-tlsusing following command:
cumulus@netq-ts:~$ kubectl create secret tls netq-gui-ingress-tls \ --namespace default \ --key <name of your key file>.key \ --cert <name of your cert file>.crt
Verify that the secret is created:
cumulus@netq-ts:~$ kubectl get secret NAME TYPE DATA AGE netq-gui-ingress-tls kubernetes.io/tls 2 5s
Update the ingress rule file to install self signed certificates. Create a new file called
ingress.yamlwith following content. Make sure to replace
<your hostname>with the FQDN of the NetQ server.
apiVersion: extensions/v1beta1 kind: Ingress metadata: annotations: kubernetes.io/ingress.class: "ingress-nginx" nginx.ingress.kubernetes.io/ssl-passthrough: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600" nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" nginx.ingress.kubernetes.io/proxy-body-size: 10g nginx.ingress.kubernetes.io/proxy-request-buffering: "off" name: netq-gui-ingress-external namespace: default spec: rules: - host: <your hostname> http: paths: - backend: serviceName: netq-gui servicePort: 80 tls: - hosts: - <your hostname> secretName: netq-gui-ingress-tls
Run the following command:
cumulus@netq-ts:~$ kubectl apply -f ingress.yaml
If your ingress rule is successfully configured, a message like the following appears:
Your custom certificate should now be working. Verify it in the UI by visiting
https://<your hostname> in your browser.