cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
912
Views
1
Helpful
6
Replies

How to install SSL Certificate for RADKit Service on Linux?

bradleyrose
Level 1
Level 1

I've got the RADKit Service alive on our network on a Linux machine! I installed it via Python / Pip, and the process was quite straightforward. I've got everything up-and-running, and the client is able to connect to the service perfectly.

The last thing I'm wanting to configure is an SSL certificate for the RADKit service page so we don't have to use the self-signed certificate. I've been digging through the RADKit docs and found the relevant TOML setting(s) to modify, but I can't seem to get anything to stick properly.

I have the private key (hostname.key), the CSR (hostname.csr), and the signed CA certificate (hostname.cer). I'm looking for instructions on how to install this signed certificate properly to allow the application to use this so our team is not presented with the unsigned SSL certificate warning in their browser each time they access RADKit. Any ideas?

I changed the following settings in `settings.toml` to no prevail:

 

 

[service.ui]
port_https = 443
cert_file = "hostname.pem"
key_file = "hostname.key"

 

 

When these settings are set and I restart the service, the service won't run.

 

[root@hostname.service]# systemctl status radkit
● radkit.service - RADKit Service
     Loaded: loaded (/etc/systemd/system/radkit.service; enabled; preset: disabled)
     Active: activating (auto-restart) (Result: exit-code) since Thu 2023-08-31 13:56:32 EDT; 2s ago
    Process: 259224 ExecStart=/opt/radkit/venv/bin/radkit-service run --headless (code=exited, status=1/FAILURE)
   Main PID: 259224 (code=exited, status=1/FAILURE)
        CPU: 2.736s

 

> journalctl | grep radkit | tail
Aug 31 14:02:20 hostname radkit-service[259919]: 18:02:20.266Z CRITI | internal | Terminating RADKit Service unexpectedly. [reason='Webserver key is not encrypted'

I've had to set these back to the self-signed defaults for now.

6 Replies 6

bradleyrose
Level 1
Level 1

I think the logs answered my question for me. I don't know if I encrypted the private key upon generation with OpenSSL.

I'll report back with the commands used and actions taken once I try another certificate with an encrypted private key.

bradleyrose
Level 1
Level 1

I now have a new certificate that was generated via an encrypted private key, and I can't seem to properly feed it to the application for usage.

The certificate was created with the following command:

openssl req -new -newkey rsa:2048 -keyout radkit.key -out radkit.csr

I tried loading the following settings into my `settings.toml` file:

[service.ui]
cert_file = "radkit.pem"
key_file = "radkit.key"

The application fails to start once those are inserted:

context.load_cert_chain(
Sep 12 16:05:49 <hostname> radkit-service[624424]: ssl.SSLError: [SSL] PEM lib (_ssl.c:4065)

I don't know where to go from here. Anyone able to help out?

bradleyrose
Level 1
Level 1

Do I need to pass my encryption password to the application somehow so it's able to read the encrypted key?

TheoM
Level 1
Level 1

I had the same issue only I run my service in windows and I have it installed for "All Users". You need to use the "radkit-service webserver-certificate import" command.

Besides the certificate and the encrypted key, you need also the issuer chain in pem format. The below worked for me.
It's better to pass the "--radkit-directory" option in the commands even if you use the default service directory.


# Run the service
PS C:\Program Files\Cisco RADKit\env\Scripts> .\radkit-service --radkit-directory C:\ProgramData\Cisco\RADKit\service\ run


# import your certificate
PS C:\Program Files\Cisco RADKit\env\Scripts> .\radkit-service --radkit-directory C:\ProgramData\Cisco\RADKit\service\ webserver-certificate import --certificate C:\tmp\radkit.pem --private-key C:\tmp\radkit.key --issuer-chain C:\tmp\issuer-chain.pem

Superadmin password: ************* [correct]
Private key passphrase: *************
New certificate has been imported successfully.

PS C:\Windows\system32>

 

Hope that helps.

Hello @bradleyrose,

It seems like you're facing challenges installing an SSL certificate for the RADKit Service on Linux. Based on the information you provided, it appears there might be an issue with the certificate file format or encryption.

Firstly, ensure that the certificate file (`hostname.pem`) contains both the signed certificate and the intermediate CA certificate, and the key file (`hostname.key`) is the private key file associated with the certificate. Additionally, check if the files are in the correct paths.

Considering the error message "Webserver key is not encrypted," it seems there might be an encryption-related problem with your key file. Make sure that your private key is not encrypted or, if it is, provide the necessary passphrase during the configuration.

Try updating your `settings.toml` as follows:

```toml
[service.ui]
port_https = 443
cert_file = "/path/to/hostname.pem"
key_file = "/path/to/private/hostname.key"
```

Remember to replace `/path/to/` with the actual path to your certificate and private key files.

After making these changes, restart the RADKit Service and check the status using `systemctl status radkit`. If you encounter any further issues, the error messages in the logs or journalctl may provide more details on the problem.

If the problem persists, you may want to consult the RADKit documentation or seek assistance from the RADKit community for specific guidance on SSL certificate installation. They might have insights into any additional requirements or considerations for the RADKit Service on Linux.

gosekar
Cisco Employee
Cisco Employee

Just extending TheoM's answer to Linux.

Optional: In case you haven't encrypted your private key in the first place 

[gosekar@radkit-server ~]$ openssl rsa -aes256 -in /home/gosekar/cert/radkit-server.cisco.com.key -out /home/gosekar/cert/radkit-server.cisco.com.encrypted.key
writing RSA key
Enter pass phrase: ########
Verifying - Enter pass phrase: ########

Import certificate using 'radkit-service'

[gosekar@radkit-server ~]$ radkit-service webserver-certificate import --certificate /home/gosekar/cert/radkit-server.cisco.com.cer --private-key /home/gosekar/cert/radkit-server.cisco.com.encrypted.key --issuer-chain /home/gosekar/cert/hydssl.cer 
Superadmin password: *********
Private key passphrase: ########
New certificate has been imported successfully.
[gosekar@radkit-server ~]$ sudo systemctl restart radkit.service
radkit-server.cisco.com.cer Server's certificate
radkit-server.cisco.com.encrypted.key Server's encrypted private key
hydssl.cer Intermediate CA's certificate