Modify server certificate for communication between OpenResty Edge components

Supported versions: 22.9.1-19

1. Preface

Communication between OpenResty Edge components with different roles is encrypted. The relevant certificates are shipped inside the configuration package; if you need to change them, follow the steps below.

If you only want to change the server certificate of the Edge Admin Console, replace the following two files; the subsequent steps are not required.

/usr/local/oredge-admin/conf/ssl/ssl.crt
/usr/local/oredge-admin/conf/ssl/ssl.key

2. Set up the OpenResty Edge Log Server

The Edge Log Server listens on port 12346 for Edge Admin and Edge Node access. Therefore, we need to replace the server certificate used on this port.

Suppose your certificate name is:

  • NEW_LOG_SERVER.crt: your Log Server certificate, in PEM format.
  • NEW_LOG_SERVER.key: the private key of your Log Server certificate.

# Backup
cp /usr/local/oredge-log-server/conf/or/edge_log_server.crt /usr/local/oredge-log-server/conf/or/edge_log_server.crt_bk
cp /usr/local/oredge-log-server/conf/or/edge_log_server.key /usr/local/oredge-log-server/conf/or/edge_log_server.key_bk

# Replace
cp NEW_LOG_SERVER.crt /usr/local/oredge-log-server/conf/or/edge_log_server.crt
cp NEW_LOG_SERVER.key /usr/local/oredge-log-server/conf/or/edge_log_server.key

# Restart the service
sudo systemctl start upgrade-oredge-log-server
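Before overwriting the files above (the same applies to the Edge Admin files in section 3.1), it is worth confirming that the new certificate and key belong together, that the certificate chains to the CA file that will later be appended to the peers' ca-bundle.crt, and that the name that will be configured as mbus_sni (section 3.2) or ssl_host (section 4.2) is covered by the certificate. The following shell function is an added example, not part of the OpenResty Edge documentation or tooling; it assumes the openssl command-line tool is installed and that the connecting components verify the server name they are configured with against the certificate they receive.

```shell
#!/bin/sh
# Pre-flight checks before replacing an OpenResty Edge component certificate.
# Added example, not OpenResty Edge tooling. Assumes the openssl CLI is
# installed and that peers verify the configured server name (mbus_sni /
# ssl_host) against the certificate they receive.
#
# Usage: check_cert_pair CERT KEY CA_CERT EXPECTED_NAME
# Returns 0 when every check passes; prints the first failing check otherwise.
check_cert_pair() {
  cert="$1"; key="$2"; ca="$3"; name="$4"

  # 1. The certificate and the private key must carry the same public key;
  #    a key left over from an old pair breaks every TLS handshake on the port.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "cannot read certificate: $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot read private key: $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate"; return 1; }

  # 2. The certificate must chain to the CA that the peers will trust, i.e.
  #    the CA file that gets appended to their ca-bundle.crt. openssl verify
  #    also rejects certificates that are expired or not yet valid.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not verify against CA $ca"; return 1; }

  # 3. The name the clients are configured with must be covered by the
  #    certificate's SAN (or CN when no SAN is present); otherwise peer name
  #    verification fails even though the chain itself is fine.
  openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null | grep -q "does match" \
    || { echo "name $name is not covered by the certificate"; return 1; }

  # 4. Warn (but do not fail) when the certificate expires within 30 days,
  #    so the next rotation is planned rather than discovered as an outage.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
    || echo "warning: certificate expires within 30 days"

  return 0
}

# Stand-alone use:
#   sh check.sh NEW_LOG_SERVER.crt NEW_LOG_SERVER.key NEW_LOG_SERVER_CA.crt my.logserver.com
if [ "$#" -eq 4 ]; then
  check_cert_pair "$@" && echo "all checks passed: safe to copy the files into place"
fi
```

Run it once per component with the certificate, key and CA you are about to install; only copy the files when it returns 0. The CA argument is the file you will append to ca-bundle.crt on the connecting side, so the check mirrors exactly what the peer will do at handshake time.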

3. Set up OpenResty Edge Admin

Edge Admin listens on port 12345 for Edge Node access and also connects to the Edge Log Server. Therefore we need to replace the server certificate of Edge Admin and add the CA certificate of the Edge Log Server to Edge Admin's trusted certificate set.

3.1 Update Certificate

Assume that your certificate name is:

  • NEW_ADMIN.crt: your Admin certificate, in PEM format.
  • NEW_ADMIN.key: the private key of your Admin certificate.
  • NEW_LOG_SERVER_CA.crt: the CA certificate that issued your Log Server certificate.

# Backup
cp /usr/local/oredge-admin/conf/or/edge_admin.crt /usr/local/oredge-admin/conf/or/edge_admin.crt_bk
cp /usr/local/oredge-admin/conf/or/edge_admin.key /usr/local/oredge-admin/conf/or/edge_admin.key_bk

# Replace
cp NEW_ADMIN.crt /usr/local/oredge-admin/conf/or/edge_admin.crt
cp NEW_ADMIN.key /usr/local/oredge-admin/conf/or/edge_admin.key

# Add a trust certificate
cat NEW_LOG_SERVER_CA.crt | sudo tee -a /usr/local/oredge-admin/conf/or/ca-bundle.crt

3.2 Update configuration

Edit the file: /usr/local/oredge-admin/conf/config.ini and add the following to the log_server configuration block.

mbus_sni=SERVER_NAME

# Example.
# mbus_sni=my.logserver.com

3.3 Restarting the service

sudo systemctl start upgrade-oredge-admin

4. Setting up the OpenResty Edge Node

The Edge Node connects to both the Edge Log Server and Edge Admin. Therefore you need to add the CA certificates of the Edge Log Server and of Edge Admin to the Edge Node's certificate trust list.

Suppose your certificate name is:

  • NEW_LOG_SERVER_CA.crt: the CA certificate that issued your Log Server certificate.
  • NEW_ADMIN_CA.crt: the CA certificate that issued your Admin certificate.

4.1 Adding trust certificates

# Add trust certificates
cat NEW_LOG_SERVER_CA.crt | sudo tee -a /usr/local/oredge-node/conf/or/cert/ca-bundle.crt
cat NEW_ADMIN_CA.crt | sudo tee -a /usr/local/oredge-node/conf/or/cert/ca-bundle.crt

4.2 Update configuration

Edit the file: /usr/local/oredge-node/conf/config.ini and add the following to the log_server configuration block.

mbus_sni=SERVER_NAME

# Example.
# mbus_sni=my.logserver.com

Edit the file: /usr/local/oredge-node/conf/config.ini and add the following to the admin configuration block.

ssl_host=SERVER_NAME

# Example.
# ssl_host=my.admin.com
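The config.ini edits in sections 3.2 and 4.2 are the same operation: set one key inside a named block. The following POSIX shell helper is an added example, not OpenResty Edge tooling; it makes that edit idempotently (a second run updates the key in place instead of appending a duplicate line) and leaves comments, blank lines and every other key untouched. It assumes config.ini is INI-style with block headers written as [log_server] and [admin]; those section names are taken from the prose above and should be checked against the real file before use.

```shell
#!/bin/sh
# Idempotent INI editing for the config.ini changes in sections 3.2 and 4.2.
# Added example, not OpenResty Edge tooling. Assumes config.ini is INI-style
# with block headers written as [log_server] and [admin] (section names taken
# from the prose; verify them in the real file), and that keys are plain
# identifiers such as mbus_sni or ssl_host.
#
# Usage: ini_set FILE SECTION KEY VALUE
#   - rewrites an existing KEY= line inside [SECTION] in place (no duplicates
#     on a second run), else appends KEY=VALUE at the end of that section,
#   - creates [SECTION] at the end of the file if it does not exist,
#   - leaves comments, blank lines and every other key untouched.
ini_set() {
  file="$1"; section="$2"; key="$3"; value="$4"
  tmp="$file.tmp.$$"
  awk -v s="$section" -v k="$key" -v v="$value" '
    # Blank lines inside the target section are held back so that an appended
    # key lands right after the last real line of the section.
    function flush_blanks() { while (blanks > 0) { print ""; blanks-- } }

    /^[ \t]*\[.*\][ \t]*$/ {                      # section header
      if (in_sec && !done) { print k "=" v; done = 1 }
      flush_blanks()
      name = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
      in_sec = (name == s); if (in_sec) found_sec = 1
      print; next
    }
    in_sec && /^[ \t]*$/ { blanks++; next }
    in_sec && !done && $0 ~ ("^[ \t]*" k "[ \t]*=") {   # existing key: replace
      flush_blanks(); print k "=" v; done = 1; next
    }
    { flush_blanks(); print }
    END {
      if (!done) {
        if (!found_sec) print "[" s "]"           # section missing: create it
        print k "=" v
      }
      flush_blanks()
    }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Usage: ini_get FILE SECTION KEY  -> prints the value, returns 1 if absent.
# Handy for confirming the edit before restarting the service.
ini_get() {
  awk -v s="$2" -v k="$3" '
    /^[ \t]*\[.*\][ \t]*$/ {
      name = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", name); in_sec = (name == s); next
    }
    in_sec && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; found = 1; exit }
    END { exit !found }
  ' "$1"
}

# Stand-alone use, mirroring sections 3.2 and 4.2 (paths as in the text):
#   ini_set /usr/local/oredge-admin/conf/config.ini log_server mbus_sni my.logserver.com
#   ini_set /usr/local/oredge-node/conf/config.ini  log_server mbus_sni my.logserver.com
#   ini_set /usr/local/oredge-node/conf/config.ini  admin      ssl_host my.admin.com
#   ini_get /usr/local/oredge-node/conf/config.ini  admin      ssl_host
```

Take a backup of config.ini first, as the text does for the certificate files, and read the value back with ini_get before running the restart command in 4.3. Because the helper writes to a temporary file and renames it, a failed awk run leaves the original config.ini in place.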

4.3 Restarting the service

sudo systemctl start upgrade-oredge-node

The above are all the steps needed to modify the OpenResty Edge server certificates. If you do not yet have server certificates, refer to the document Generate Certificates for OpenResty Edge Components.