Introduction
Suppose you have tried deploying the Red Hat OpenShift® software using the new Nutanix® Marketplace released with the Nutanix Prism Central™ (PC) 2023.1.0.1 release, and PC is using the default self-signed SSL certificate. In that case, you likely got an error message saying your PC SSL certificate didn’t seem valid. The marketplace uses the OpenShift Installer Provisioned Infrastructure (IPI) installation method. This method communicates with the PC API to create, update, and delete OpenShift clusters. It requires PC to have installed a valid SSL certificate signed by a public certificate authority (CA) or a well-formed self-signed certificate.
If you have a public domain, you can quickly overcome this issue using Let’s Encrypt™ certificate authority. Still, if this is not the case, then you’ll have to generate a self-signed certificate with a subject alternative name (SAN) that includes the PC IP address or the fully qualified domain name (FQDN). The recommended method is to include both the PC IP address and the FQDN.
The following code snippet, based on the Nutanix AOS™ Security Guide, is the easiest way to generate a self-signed certificate for PC that is valid for 10 years and lets you successfully deploy your OpenShift Kubernetes® clusters.
In this blog, we will be using the Nutanix Dev Station™ toolkit for this purpose. If this is your first time hearing about it, check out the article “Nutanix Dev Station: A containerized toolkit for managing Nutanix and Kubernetes”. Using the Nutanix Dev Station is optional; you just need a machine with OpenSSL version 1.1.1 or later (the -addext option used below requires it).
Option 1: PC IP + FQDN (Recommended)
- Open a terminal in the Nutanix Dev Station.
- Set an environment variable called PC_IP with the PC IP address, and an environment variable called PC_FQDN with the PC FQDN.
export PC_IP=10.42.239.39
export PC_FQDN=pc.ntnxlab.local
- Generate the self-signed certificate.
openssl req -x509 -nodes -days 3650 \
-newkey rsa:2048 -keyout ${PC_IP}.key -out ${PC_IP}.crt \
-subj "/C=US/ST=CA/L=San Jose/O=Nutanix Inc./OU=Manageability/CN=*.nutanix.local" \
-addext "subjectAltName=IP:${PC_IP},DNS:${PC_FQDN}"
- Replace your PC certificate with the generated files (Importing an SSL Certificate)
- Use the *.crt file for the Public Certificate and CA Certificate/Chain.
- Use the *.key file for the Private Key.
Option 2: PC IP
- Open a terminal in the Nutanix Dev Station.
- Set an environment variable PC_IP with the PC IP address.
export PC_IP=10.42.239.39
- Generate the self-signed certificate.
openssl req -x509 -nodes -days 3650 \
-newkey rsa:2048 -keyout ${PC_IP}.key -out ${PC_IP}.crt \
-subj "/C=US/ST=CA/L=San Jose/O=Nutanix Inc./OU=Manageability/CN=*.nutanix.local" \
-addext "subjectAltName=IP:${PC_IP}"
- Replace your PC certificate with the generated files (Importing an SSL Certificate)
- Use the *.crt file for the Public Certificate and CA Certificate/Chain.
- Use the *.key file for the Private Key.
Option 3: PC FQDN
- Open a terminal in the Nutanix Dev Station.
- Set an environment variable PC_FQDN with the PC FQDN.
export PC_FQDN=pc.ntnxlab.local
- Generate the self-signed certificate.
openssl req -x509 -nodes -days 3650 \
-newkey rsa:2048 -keyout ${PC_FQDN}.key -out ${PC_FQDN}.crt \
-subj "/C=US/ST=CA/L=San Jose/O=Nutanix Inc./OU=Manageability/CN=*.nutanix.local" \
-addext "subjectAltName=DNS:${PC_FQDN}"
- Replace your PC certificate with the generated files (Importing an SSL Certificate)
- Use the *.crt file for the Public Certificate and CA Certificate/Chain.
- Use the *.key file for the Private Key.
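The three options above differ only in the subjectAltName list. The following added example (not from the original post or from Nutanix) wraps the same openssl command in a function that builds the SAN from whichever of PC_IP and PC_FQDN you set, and adds the checks worth running before uploading the files to PC: that the certificate actually matches the IP and FQDN the installer will use, that the private key belongs to the certificate, and that the validity period is what you asked for. The function names, the output directory, and the fallback lab values are assumptions made for this example; openssl 1.1.1 or later is required, as in the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates a PC self-signed
# certificate with the SAN entries the OpenShift IPI installer checks and
# verifies the result before it is uploaded to Prism Central.

# gen_pc_cert OUTDIR NAME [IP] [FQDN]
# Writes OUTDIR/NAME.key and OUTDIR/NAME.crt. Leave IP or FQDN empty to get
# the FQDN-only or IP-only variants (Options 2 and 3 above); at least one is
# required, because a certificate with no SAN is exactly what PC rejects.
gen_pc_cert() {
  outdir=$1; name=$2; ip=$3; fqdn=$4
  san=""
  [ -n "$ip" ] && san="IP:${ip}"
  if [ -n "$fqdn" ]; then
    [ -n "$san" ] && san="${san},"
    san="${san}DNS:${fqdn}"
  fi
  [ -n "$san" ] || { echo "gen_pc_cert: need an IP, an FQDN, or both" >&2; return 1; }
  mkdir -p "$outdir"
  openssl req -x509 -nodes -days 3650 \
    -newkey rsa:2048 -keyout "${outdir}/${name}.key" -out "${outdir}/${name}.crt" \
    -subj "/C=US/ST=CA/L=San Jose/O=Nutanix Inc./OU=Manageability/CN=*.nutanix.local" \
    -addext "subjectAltName=${san}" >/dev/null 2>&1
}

# matches_host CRT FQDN: succeeds if the certificate is valid for that name,
# using the same SAN-based hostname matching a TLS client performs.
matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# matches_ip CRT IP: same check for an IP address literal.
matches_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match"
}

# key_matches CRT KEY: succeeds if the private key belongs to the certificate,
# by comparing the public key derived from each side. Catches a mismatched
# pair before PC refuses it.
key_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# valid_for_days CRT DAYS: succeeds if the certificate will not expire within
# the next DAYS days.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-alone run: uses PC_IP / PC_FQDN from the environment (as set in the
# post) and falls back to the constructed lab values from the post.
ip=${PC_IP:-10.42.239.39}
fqdn=${PC_FQDN:-pc.ntnxlab.local}
out=${OUTDIR:-$(mktemp -d)}
gen_pc_cert "$out" "$ip" "$ip" "$fqdn" \
  && matches_ip "$out/$ip.crt" "$ip" \
  && matches_host "$out/$ip.crt" "$fqdn" \
  && key_matches "$out/$ip.crt" "$out/$ip.key" \
  && valid_for_days "$out/$ip.crt" 3649 \
  && echo "OK: upload $out/$ip.crt (Public Certificate and CA Chain) and $out/$ip.key (Private Key) to PC"
```

The matches_host/matches_ip checks are the ones that matter for the marketplace error: when the installer connects to PC by the value you later enter as the Prism Central FQDN, that exact name or address has to appear in the SAN, and the wildcard CN alone is not enough.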
Once the PC page reloads, you can proceed to the Nutanix Marketplace and test the deployment of an OpenShift cluster. When you set the Prism Central FQDN variable, use the same form you chose when generating the certificate: the PC IP address if the certificate is IP-based, or the FQDN if it is FQDN-based (with Option 1, either works).
If this is the first time you deploy a Red Hat OpenShift cluster using the Nutanix Marketplace, we recommend you watch the following video: Red Hat OpenShift Nutanix Marketplace Installation | AHV Mission Control | Nutanix University
This post may contain express and implied forward-looking statements, which are not historical facts and are instead based on our current expectations, estimates and beliefs. The accuracy of such statements involves risks and uncertainties and depends upon future events, including those that may be beyond our control, and actual results may differ materially and adversely from those anticipated or implied by such statements. Any forward-looking statements included herein speak only as of the date hereof and, except as required by law, we assume no obligation to update or otherwise revise any of such forward-looking statements to reflect subsequent events or circumstances.