How to Generate a selfsigned certificate and update all the certificates in HAA

News Knowledge Base
,
1

How to Generate a selfsigned certificate and update all the certificates in HAA ? How to change HAA certificates? How to change webUi certificate for HAA?

Generating a private key and certificate signing request (CSR)

These steps are only required to be performed on one HAA node. Once the new certificate is installed, it will be propagated to all other HAA nodes.

  • Log into your primary HAA server via SSH.
  • Navigate to a temporary working directory of your choice (e.g. /home//temp)
  • Using any text editor such as nano, create an OpenSSL configuration file called haa1.cnf with the following contents, then:
    • Update the locality parameters as required e.g. countryName, localityName
    • Under commonName and DNS.1 replace haa1.uipath.local with the FQDN of your primary HAA node.
  • Under DNS.2 and DNS.3 replace haa2.uipath.local and haa3.uipath.local with the FQDNs of your secondary and tertiary HAA nodes.
  • Whilst still in your working folder, run the following command to generate a private key and CSR. openssl req -out haa1.csr -newkey rsa:2048 -nodes -keyout haa1.key -config haa1.cnf
  • You will then have 3 files in your current folder
    • haa1.csr
    • haa1.key
    • haa1.cnf

You have to retype the parameters when requested for it to work! Below you have to type “GB” when presented with GB

Submitting the CSR to your certificate authority (CA)

  • Submit the haa1.csr to your CA. The CA will return to you a signed certificate. The process for doing this can vary between organizations, please ask IT for the procedure or if they can do it on your behalf.
  • Verify that the certificate is in Base64 format by opening it in notepad. If it in Base64 format it will look similar to the below:
  • If it does not look similar to the above the certificate will require conversion to Base64.
    • For Windows users, if a Windows-based CA returns a p7b file, you can double-click it and export the certificate directly to Base64 PEM. You may disregard the root certificate, only the host certificate is required.
    • For other formats, convert the certificate returned to you into a Base64 format with the PEM extension. A useful link for handling certificate conversions is here. You may disregard the root certificate, only the host certificate is required.
  • In your working directory back on the HAA server, create a new file named haa1.pem in the folder and copy-paste the contents of the new certificate into it.
  • You will now have 4 files in the folder:
    • haa1.csr
    • haa1.key
    • haa1.cnf
    • haa1.pem



Installing the certificate returned by the CA into Redis

  • Switch to a user with root permissions.
  • Navigate to /opt/redislabs/bin
  • Run ./rladmin
  • Run cluster certificate set cm certificate_file key_file For example: cluster certificate set cm certificate_file /home/darren/haa1.pem key_file /home/darren/haa1.key
  • Rerun the command an additional 4 times, but each time replacing cm with the flag for other components of the HAA:
    • cluster certificate set api certificate_file key_file
    • cluster certificate set proxy certificate_file key_file
    • cluster certificate set syncer certificate_file key_file
    • cluster certificate set metrics_exporter certificate_file key_file
  • Exit rladmin with the exit command.
  • Reboot the HAA server using shutdown -r now
  • The next time you navigate to http://haa1.uipath.local:8443 the site will be trusted. Other nodes will also be automatically updated to use the new certificate.