New Worker node adding issue - Wazuh manager cluster


CJK

Dec 20, 2024, 12:53:22 AM
to Wazuh | Mailing List
Hi Team,

I am facing an SSL certificate validation issue while trying to add a new Wazuh worker node to my Wazuh manager cluster. Can someone help with this?


I added the master node and new worker details in config.yml and used the existing root.ca for certificate creation.

While checking the Filebeat test output, there is an error. PFA.

Thanks

Filebeat test output.jpeg

Stuti Gupta

Dec 20, 2024, 2:19:56 AM
to Wazuh | Mailing List
Hi CJK

It seems you're following the distributed deployment update process. Please make sure that you have created the certificates first, following the steps mentioned in the documentation here: Distributed Deployment Guide - Adding a Server Node.

We recommend you utilize pre-existing root-ca keys to generate certificates for new nodes. Perform the steps below on your existing Wazuh server node to generate the certificates.

Create a config.yml file in the /root directory to add the new Wazuh server node(s):
touch /root/config.yml

Edit the /root/config.yml file to include the node name and IP of the new node:
nodes:
  # Wazuh server nodes
  server:
    - name: <EXISTING_WAZUH_SERVER_NODE_NAME>
      ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS>
      node_type: master
    - name: <NEW_WAZUH_SERVER_NODE_NAME>
      ip: <NEW_WAZUH_SERVER_IP>
      node_type: worker

Replace the values with your node names and their corresponding IP addresses.

Extract the wazuh-certificates.tar file.
mkdir wazuh-install-files && tar -xf ./wazuh-certificates.tar -C wazuh-install-files

Download and run ./wazuh-certs-tool.sh to create the certificates for the new Wazuh server node using the pre-existing root-ca keys:
curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
bash wazuh-certs-tool.sh -A wazuh-install-files/root-ca.pem wazuh-install-files/root-ca.key



Copy the newly created certificates to the wazuh-install-files folder making sure not to replace the admin certificates:
cp wazuh-certificates/<NEW_WAZUH_SERVER_NODE_NAME>* wazuh-install-files
cp wazuh-certificates/<EXISTING_WAZUH_SERVER_NODE_NAME>* wazuh-install-files


Compress the certificates folder into a new wazuh-certificates.tar file and copy it to the new Wazuh server node(s). You can make use of the scp utility to securely copy the compressed file:
tar -cvf ./wazuh-certificates.tar -C ./wazuh-install-files/ .
scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:

This will copy the certificates to the home directory of the logged in user on the target system. You can change this to specify a path to your installation directory.

Then you need to configure existing components to connect with the new node following the steps mentioned here: https://documentation.wazuh.com/4.7/user-manual/upscaling/adding-server-node.html#id2
Once the certificates have been created and copied to the new node(s), you can now proceed with installing and configuring the Wazuh server node. For that, refer to https://documentation.wazuh.com/4.7/user-manual/upscaling/adding-server-node.html#wazuh-server-node-s-installation

Follow these steps and the documentation to add the worker node.

Hope this helps
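
A check that fits between generating the certificates and packing the new wazuh-certificates.tar, added here as an example (it is not part of the thread or of the Wazuh documentation): it confirms that a node certificate chains to the pre-existing root-ca.pem and that its -key.pem is the matching private key. It assumes the openssl CLI and the <name>.pem / <name>-key.pem layout used above; the function names and the demo PKI (worker-3, stray) are constructed for illustration.

```shell
# Added example (not Wazuh tooling). Requires the openssl CLI.

# check_node_cert DIR NODE
#   0: DIR/NODE.pem chains to DIR/root-ca.pem and DIR/NODE-key.pem matches it
#   1: chain validation failed (wrong root CA, expired, unreadable file)
#   2: private key missing or not the one the certificate was issued for
check_node_cert() {
  local dir=$1 node=$2 cert_pub key_pub
  openssl verify -CAfile "$dir/root-ca.pem" "$dir/$node.pem" >/dev/null 2>&1 || {
    echo "$node: does not chain to root-ca.pem" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$dir/$node.pem" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$dir/$node-key.pem" -pubout 2>/dev/null) || {
    echo "$node: cannot read $node-key.pem" >&2; return 2; }
  [ "$cert_pub" = "$key_pub" ] || {
    echo "$node: certificate and key do not match" >&2; return 2; }
}

# make_demo_pki DIR: constructed sample data so the check can run offline.
# Creates a throwaway root CA, a node "worker-3" signed by it, and a
# self-signed "stray" certificate standing in for one issued by another root.
make_demo_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root-ca" \
    -keyout "$d/root-ca.key" -out "$d/root-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=worker-3" \
    -keyout "$d/worker-3-key.pem" -out "$d/worker-3.csr" 2>/dev/null
  openssl x509 -req -in "$d/worker-3.csr" -CA "$d/root-ca.pem" \
    -CAkey "$d/root-ca.key" -CAcreateserial -days 1 \
    -out "$d/worker-3.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=stray" \
    -keyout "$d/stray-key.pem" -out "$d/stray.pem" 2>/dev/null
}

# Demo run on the constructed PKI.
demo=$(mktemp -d) && make_demo_pki "$demo"
check_node_cert "$demo" worker-3 && echo "worker-3: OK"
check_node_cert "$demo" stray || echo "stray: rejected"
rm -rf "$demo"
```

Against real files, call it as check_node_cert wazuh-install-files <NEW_WAZUH_SERVER_NODE_NAME> before running tar.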

CJK

Dec 20, 2024, 3:01:13 AM
to Wazuh | Mailing List
Hi Stuti,
Thanks for the reply

I have followed the same steps, but I have missed one. Can you help me with my doubt?

> Compress the certificates folder into a new wazuh-certificates.tar file and copy it to the new Wazuh server node(s). You can make use of the scp utility to securely copy the compressed file:
> tar -cvf ./wazuh-certificates.tar -C ./wazuh-install-files/ .
> scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:
 
------ Same steps followed until this.

> Then you need to Configure existing components to connect with the new node following the steps mentioned here: https://documentation.wazuh.com/4.7/user-manual/upscaling/adding-server-node.html#id2
 
In this step I have missed one. In the following step, the mentioned <EXISTING_WAZUH_SERVER_NODE_NAME> is my master node, so do I really need to redeploy the certificates on the master as per the above doc? If so, I have one more existing worker node, so should I consider rotating the certificate there as well?

Note: I have 3 collector nodes and 3 analyser nodes. Previously it was 2 collector and 3 analyser. We are trying to configure the 3rd collector node.

Skipped step:
1. Deploy the Wazuh server certificates on your existing nodes by running the following commands replacing <EXISTING_WAZUH_SERVER_NODE_NAME> with the name of the Wazuh server node you are configuring as defined in /root/config.yml.

NODE_NAME=<EXISTING_WAZUH_SERVER_NODE_NAME>

rm -rf /etc/filebeat/certs
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

Thanks 

CJK

Dec 23, 2024, 12:13:49 AM
to Wazuh | Mailing List
Hi Stuti,

Any updates? Can you help me with the above query?

Stuti Gupta

Dec 23, 2024, 2:35:50 AM
to Wazuh | Mailing List
Basically, you would need to modify your config.yml to add the new nodes and then run this tool while using the rootCA that you already have. This way, you won’t need to re-generate and re-deploy all your certificates, just do it for the new nodes. If you have previous certificate files, copy those certificates and place those in the new nodes. I will request you to keep a backup of your previous certificate, so that in case you run into an error you can roll back to the previous stage. If you have multiple existing worker nodes, consider whether they also need their certificates rotated, especially if they can't communicate with the new worker node.