WAZUH OVA dashboard certificates replacement


Adam Groch

Mar 11, 2024, 5:57:15 AM
to Wazuh | Mailing List
Hello,

When I replace all three certs on my own, I see the new cert in the GUI, but apparently the service cannot start. I am sure I have all the certs right; I must be missing something easy here.





victor....@wazuh.com

Mar 11, 2024, 8:20:39 AM
to Wazuh | Mailing List

Hello Adam,


Could you please clarify your use case?

I assume you want to renew or recreate the certificates for the OVA environment. In that case, you should follow the Deploying Certificates documentation, considering the following notes:

  • Remove the existing "certs" directory before proceeding. For example, for the indexer, execute: rm -rf /etc/wazuh-indexer/certs
  • OVA Indexer configuration expects wazuh-indexer-key.pem instead of indexer.pem
  • OVA Filebeat configuration expects wazuh-server.pem instead of filebeat-key.pem
  • OVA Dashboard configuration expects wazuh-dashboard.pem instead of dashboard-key.pem


You can follow these steps to execute all necessary actions:

  • Create the config.yml file with the following content:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: 127.0.0.1

  # Wazuh server nodes
  server:
    - name: wazuh-1
      ip: 127.0.0.1

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: 127.0.0.1


  • Recreate the certificates by running: bash ./wazuh-certs-tool.sh -A
  • Compress the necessary files:

tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
rm -rf ./wazuh-certificates


  • Run the following script:


NODE_NAME=node-1

rm -rf /etc/wazuh-indexer/certs
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/wazuh-indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

systemctl restart wazuh-indexer
/usr/share/wazuh-indexer/bin/indexer-security-init.sh


NODE_NAME=wazuh-1

rm -rf /etc/filebeat/certs
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/wazuh-server.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/wazuh-server-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

systemctl restart filebeat
filebeat test output


NODE_NAME=dashboard

rm -rf /etc/wazuh-dashboard/certs
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

systemctl restart wazuh-dashboard


  • Verify that your environment works as expected. In case of failure in your environment, please provide the indexer, dashboard and manager logs related to the error:

cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
journalctl -u wazuh-dashboard
cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"



Let me know if you have further doubts.
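A pre-flight check for the deployment steps above, added here as an example that is not part of the thread or of Wazuh's own tooling. It assumes the openssl CLI and GNU stat are available and uses the base names wazuh-indexer, wazuh-server and wazuh-dashboard from the steps; run it as root on the OVA before restarting each service.

```shell
# Added example (not from the thread): pre-flight check for a Wazuh OVA certs
# directory. It verifies the exact file names the OVA configuration expects,
# that the private key belongs to the certificate, that the certificate is
# issued by root-ca.pem, and the chmod 500 / 400 permissions applied in the
# deployment steps. Assumes the openssl CLI and GNU stat (-c %a).
# Usage: check_wazuh_certs <certs-dir> <base-name>
#   check_wazuh_certs /etc/wazuh-indexer/certs   wazuh-indexer
#   check_wazuh_certs /etc/filebeat/certs        wazuh-server
#   check_wazuh_certs /etc/wazuh-dashboard/certs wazuh-dashboard
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_wazuh_certs() {
    dir=$1
    base=$2
    cert="$dir/$base.pem"
    key="$dir/$base-key.pem"
    ca="$dir/root-ca.pem"
    rc=0

    # 1. Exact file names: e.g. indexer.pem instead of wazuh-indexer.pem is
    #    enough for the OVA service to refuse to start after a manual swap.
    for f in "$cert" "$key" "$ca"; do
        [ -f "$f" ] || { echo "MISSING: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. Key/certificate pairing: both must yield the same SubjectPublicKeyInfo.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $key is not the private key of $cert"; rc=1
    fi

    # 3. Trust chain: the leaf must be issued by the root CA the peers trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "UNTRUSTED: $cert is not issued by $ca"; rc=1
    fi

    # 4. Permissions exactly as the deployment steps set them.
    [ "$(stat -c %a "$dir")" = 500 ] || { echo "PERMS: $dir is not 500"; rc=1; }
    for f in "$dir"/*; do
        [ "$(stat -c %a "$f")" = 400 ] || { echo "PERMS: $f is not 400"; rc=1; }
    done
    return "$rc"
}
```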
