Renewing the (Default) PMM Certificate


Recently, one of our colleagues was struggling with the default self-signed SSL certificate that ships with Percona Monitoring and Management (PMM). He needed an older version of PMM to run in a test environment for a particular project. He was using Docker to run the PMM container; however, when the container started up, the SSL certificate configured in Nginx had already expired. macOS and Google Chrome refused to import the expired certificate into the trust store, so we couldn’t access the PMM web UI.




This challenge led me to help him recreate the certificate to unblock his project. So, let’s get started.

Disclaimer: you should not use the default certificate for anything other than testing on your local machine. As soon as you’re thinking about running Percona Monitoring and Management (PMM), you should configure a valid certificate signed by a certification authority (CA) that you trust. Your company might already be running its own CA. If not, you can always fall back to an external CA, such as a non-profit, open CA like Let’s Encrypt (

Next, you need to connect to your container to access the files. This command gives you access to a terminal inside the container:

$ docker exec -ti pmm-server /bin/bash
[root@<hostname> opt]#

PMM stores its certificates in the /srv/nginx directory inside the container:

[root@<hostname> opt]# ls -hl /srv/nginx/certificate.*
total 28K
-rw-r--r-- 1 root root  137 Oct 19  2020 certificate.conf
-rw-r--r-- 1 root root  977 Oct 19  2020 certificate.crt
-rw-r--r-- 1 root root 1.7K Oct 19  2020 certificate.key

The certificate.crt file is the actual certificate used by Nginx; the certificate.key file contains the private key used by the SSL certificate. Make sure to keep this key secure. If you want to create your own certificate, you should also generate a new key for it.

The third file in this folder is the configuration file used to generate the original certificate shipped with the container. This helps to generate the exact same certificate currently in use:

[root@<hostname> opt]# cat /srv/nginx/certificate.conf

[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
O                  = Main Org.

First, create a certificate request with openssl. The req subcommand creates the request, -new asks for a new request, -key re-uses the existing key, -config uses the provided config, and -out writes the request to a file:

[root@<hostname> opt]# openssl req \
  -new \
  -key /srv/nginx/certificate.key \
  -config /srv/nginx/certificate.conf \
  -out /srv/nginx/certificate.csr

[root@<hostname> opt]# ls -hl /srv/nginx/certificate.csr
-rw-r--r-- 1 root root 891 Dec 15 18:41 /srv/nginx/certificate.csr
[root@<hostname> opt]#

Next, sign the certificate request. This can be done by a trusted CA or you can sign the request yourself. However, in the latter case, the certificate won’t be trusted by your browser by default. Keep this in mind as it might cause alerts or issues in your browser.

To self-sign the certificate, use the following command. The x509 subcommand handles certificates, -req says the input is a certificate request to sign and output, -in names the request file, -signkey self-signs the certificate with our own key, and -out writes the certificate to a file:

[root@<hostname> opt]# openssl x509 \
  -req \
  -in /srv/nginx/certificate.csr \
  -signkey /srv/nginx/certificate.key \
  -out /srv/nginx/certificate.crt

Signature ok
subject=/O=Main Org.
Getting Private key
[root@<hostname> opt]#

By default, the certificate is valid for only 30 days, so you would have to repeat this procedure every month. If you add the parameter -days 1000, the certificate is valid for a period of about 3 years.

We now have a new crt file to use with Nginx:

[root@<hostname> opt]# ls -hl /srv/nginx/certificate.*
-rw-r--r-- 1 root root  137 Oct 19  2020 /srv/nginx/certificate.conf
-rw-r--r-- 1 root root  977 Dec 15 18:43 /srv/nginx/certificate.crt
-rw-r--r-- 1 root root  891 Dec 15 18:41 /srv/nginx/certificate.csr
-rw-r--r-- 1 root root 1.7K Oct 19  2020 /srv/nginx/certificate.key
[root@<hostname> opt]#

The only remaining step is to restart Nginx to start using the new certificate. PMM uses supervisord to manage the different applications it runs:

[root@<hostname> opt]# supervisorctl restart nginx
nginx: stopped
nginx: started
[root@<hostname> opt]#

Et voilà. A fresh self-signed certificate to use for all your testing purposes.


Renewing the default self-signed certificate for PMM is very simple. However, you should be warned that running a self-signed certificate will still require changes to the browser certificate trust store. This is not recommended for anything more than some testing purposes.
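
The renewal steps above can be wrapped in one script that writes the new certificate to a temporary file, confirms that its public key matches certificate.key and that the requested validity took effect, and only then replaces certificate.crt. This is an added example, not part of the original post; the function names are illustrative, and the file names are the ones found in /srv/nginx above.

```sh
#!/bin/sh
# Added example: renew the self-signed certificate and check it before use.
# Function names are illustrative; file names are the ones in /srv/nginx.

# cert_matches_key CERT KEY: true if CERT carries the public key of KEY.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT DAYS: true if CERT is still valid DAYS days from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# renew_self_signed DIR DAYS: build the CSR, self-sign into a temporary file,
# verify key match and validity (DAYS - 1 catches a -days that did not take
# effect), and only then replace DIR/certificate.crt.
renew_self_signed() {
  dir=$1
  days=$2
  tmp=$(mktemp "$dir/certificate.crt.XXXXXX") || return 1
  openssl req -new -key "$dir/certificate.key" \
      -config "$dir/certificate.conf" -out "$dir/certificate.csr" &&
    openssl x509 -req -in "$dir/certificate.csr" \
      -signkey "$dir/certificate.key" -days "$days" -out "$tmp" &&
    cert_matches_key "$tmp" "$dir/certificate.key" &&
    cert_valid_for "$tmp" "$(( days - 1 ))" &&
    chmod 644 "$tmp" &&
    mv "$tmp" "$dir/certificate.crt" ||
    { rm -f "$tmp"; return 1; }
}
```

Inside the container this would be called as renew_self_signed /srv/nginx 1000, followed by supervisorctl restart nginx as in the post.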


Feel free to drop any questions in the comments and don’t forget to sign up for the next post.





About the Author

Principal Consultant
Matthias has been passionate about computers since the age of 10. He has been working with them ever since. Currently he's a Lead Database Consultant in one of the MySQL teams at Pythian where he's the technical lead for his team. Together with his team he works to provide the best possible service to the customers.
