Introduction
This article describes how to update the current SSL certificates on an SES server.
Description
The following procedure explains how to replace the SSL certificate when it expires or after an FQDN change. This avoids SSL alerts in the browser when accessing the SES Console web interface. We will first deploy the certificate on the gateway service before generalizing to the ses-console and TRSL services.
Procedure
0) Pre-requisites
- Provide the following 2 files:
  - x509 PEM encoded Base64 ASCII certificate (including certificate chain if required)
  - unencrypted RSA Base64 ASCII key file, WITHOUT passphrase
The 2 files should contain the strings "-----BEGIN..." and "-----END...".
Note that if your certificate relies on a chain of trust, you have to concatenate in a single file:
1) server certificate (encoded as described above)
2) intermediate certificate (encoded as described above)
3) root certificate (encoded as described above)
Notes:
- Validate the provided certificates using the article "How to check and validate SSL certificate files?", more specifically the paragraph "Check that your .key file matches your .crt file".
- Check whether the certificates are also used by SSO (SAML).
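The prerequisite checks above (BEGIN/END markers, key without passphrase, key matching the certificate) can be scripted before any file is copied. The script below is an added example and is not part of the original procedure; the function names and the script name precheck.sh are hypothetical, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example: pre-deployment checks for the certificate bundle and key.
# Function names are hypothetical; file names are supplied by the operator.

# True if the file has at least one BEGIN marker and as many END markers.
pem_balanced() {
    [ -r "$1" ] || return 1
    pb_begin=$(grep -c -- '^-----BEGIN [A-Z0-9 ]*-----' "$1" || true)
    pb_end=$(grep -c -- '^-----END [A-Z0-9 ]*-----' "$1" || true)
    [ "$pb_begin" -gt 0 ] && [ "$pb_begin" -eq "$pb_end" ]
}

# Number of certificates in the bundle (server, intermediate, root => 3).
count_certs() {
    grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# True if the key carries neither PKCS#8 nor legacy PEM encryption headers.
key_is_unencrypted() {
    ! grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# True if the key's public half equals the public key of the first
# certificate in the bundle, which must be the server certificate.
key_matches_cert() {
    km_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    km_key=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$km_crt" ] && [ "$km_crt" = "$km_key" ]
}

# Run every check in order; stop at the first failure.
precheck() {
    pem_balanced "$1" || { echo "FAIL: BEGIN/END markers in $1"; return 1; }
    pem_balanced "$2" || { echo "FAIL: BEGIN/END markers in $2"; return 1; }
    key_is_unencrypted "$2" || { echo "FAIL: $2 is passphrase-protected"; return 1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: server certificate has expired"; return 1; }
    echo "OK: $(count_certs "$1") certificate(s) in $1, key matches"
}

# Usage: sh precheck.sh server-chain.crt server.key
if [ "$#" -eq 2 ]; then
    precheck "$1" "$2"
fi
```

The certificate count printed on success lets you confirm that the bundle contains the expected number of chain elements.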
Backup previous certificates
Back up the previous certificates from the following directories if you choose to overwrite existing certificates:
/opt/systran/apps-node/translation-gateway/certificates/
/opt/systran/apps-node/translation-resource-store/certificates/
/opt/systran/apps-node/enterprise-server/certificates/
If you want to use different certificate names, the configuration needs to be updated, as shown in this article.
1) Gateway SSL certificate & private key copy
Copy the certificate & private key files into:
/opt/systran/apps-node/translation-gateway/certificates
If the systran user is not the owner of the files, change the ownership using the following command:
chown systran:systran /opt/systran/apps-node/translation-gateway/certificates/*
SES Gateway settings changes
You can edit (if it already exists) or create /opt/systran/apps-node/translation-gateway/config/`hostname`.yaml.
Alternatively, you can edit the original /opt/systran/apps-node/translation-gateway/config/default.yaml file.
Make sure the indentation (spaces) is correct.
Gateway:
  InputInterfaces:
    translate-api:
      port: 8903
      https:
        port: 8904
        activate: true
        privateKey: certificates/[your certificate].key
        certificate: certificates/[your certificate].crt
Gateway service restart
Once the changes are made on the SES gateway, restart the service on the server:
systemctl restart systran-ses-gateway
Checks
Verify that port 8904 is up and running:
netstat -na | grep 8904
Verify that the port is open and the certificate is correct:
curl -v https://localhost:8904/status
If the check on the gateway is successful, proceed with the console.
2) SES Console settings changes
Open 2 connections to the web interface. The second one is a safeguard in case connectivity is lost on the first connection.
Go to Administration > Settings > HTTPS Settings, then change the path in the HTTPS certificate & private key fields as shown below:
Copy the certificate & private key files into:
/opt/systran/apps-node/enterprise-server/certificates
If the systran user is not the owner of the files, change the ownership using the following command:
chown systran:systran /opt/systran/apps-node/enterprise-server/certificates/*
Note:
The directory "certificates/" must remain in the 2 fields above, before the filename.
Console service restart
Once the changes are made on the SES Console web interface, restart the service on the server:
systemctl restart systran-ses-console
Checks
Then log in again to the SES Console web interface to verify that login is successful.
Click on the lock icon and verify that the certificate now shows the latest dates.
3) Model Studio: TRSL
In case Model Studio needs to deploy on the SPNS server, the following needs to be performed for the local TRS:
Copy the certificate & private key files into:
/opt/systran/apps-node/translation-resource-store/certificates
If the systran user is not the owner of the files, change the ownership using the following command:
chown systran:systran /opt/systran/apps-node/translation-resource-store/certificates/*
SES TRSL settings changes
Edit the TRSL config file: /opt/systran/apps-node/translation-resource-store/config/default.yaml
https:
  activate: true
  privateKey: certificates/[your certificate].key
  certificate: certificates/[your certificate].crt
Service restart
Restart the services on the server:
systemctl restart systran-trs-console
Checks
Verify that port 3445 is up and running:
netstat -na | grep 3445