Managing certificates
The installation process generates self-signed certificates on your behalf. These certificates are FIPS-compliant and expire after 90 days. Once the installation completes, you must replace them with certificates signed by a trusted Certificate Authority (CA). If you do not update the certificates, the installation stops working after 90 days.
If you installed Automation Suite on FIPS-enabled hosts and want to update the certificates, make sure the new certificates are FIPS-compatible.
The installation bundle provides a cluster management tool that lets you update certificates after installation. To access the tool, navigate to the location of the installer bundle:
cd /opt/UiPathAutomationSuite/
To generate a CSR and a private key, run the following commands:
# copy the machine openssl configuration locally
cp /etc/pki/tls/openssl.cnf ./openssl.tmp.cnf
# Replace the [AUTOMATION_SUITE_FQDN] value. For example, "automationsuite.corp.com"
AS_FQDN=[AUTOMATION_SUITE_FQDN]
cat >> ./openssl.tmp.cnf <<EOF
[SAN]
subjectAltName=DNS:$AS_FQDN,DNS:alm.$AS_FQDN,DNS:monitoring.$AS_FQDN,DNS:registry.$AS_FQDN,DNS:objectstore.$AS_FQDN,DNS:insights.$AS_FQDN
EOF
# create the certificate request
openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout server.key -subj "/C=xx/ST=xx/O=xx/OU=xx/CN=$AS_FQDN" -reqexts SAN -config openssl.tmp.cnf -out ${AS_FQDN}.csr
Your IT team uses the resulting CSR to issue a signed certificate. The generated private key stays on the local machine.
To view more information about the server certificate, run the following command:
sudo ./configureUiPathAS.sh tls-cert --help
Output:
************************************************************************************
Manage cluster tls and server certificate
Usage:
configureUiPathAS.sh tls-cert [command]
configureUiPathAS.sh tls-cert [flags]
Available Commands:
update Update the tls / server certificate
get Get the tls / server certificate
Flags:
-h|--help Display help
************************************************************************************
The output above lists the operations that the ./configureUiPathAS.sh tls-cert command performs.
Online installation: how to find the server certificate
The certificate is stored under the name istio-ingressgateway-certs in the istio-system namespace. The certificate files are listed below:
- The server TLS certificate is stored as tls.crt
- The server TLS private key is stored as tls.key
- The CA bundle is stored as ca.crt
You can inspect the secret with the following command:
kubectl -n istio-system get secrets istio-ingressgateway-certs -o yaml
The certificates are also stored in the UiPath namespace. This applies to all UiPath™ products that need the certificate information to trust incoming calls. For details, see Understanding the certificate-related container architecture.
Offline installation: how to find the server certificate
Two more components use rootCA.crt and tls.crt: ArgoCD and the Docker registry. The certificates are therefore also stored in the Docker registry and ArgoCD namespaces.
You can inspect the secrets with the following commands:
# For docker registry
kubectl -n docker-registry get secrets docker-registry-tls -o yaml
# For Argocd
argocd cert list --cert-type https
How to update the server certificate
If the private key is encrypted, decrypt it first by running the following command:
# replace /path/to/encrypted/cert/key with the absolute path of the encrypted key
# replace /path/to/decrypt/cert/key with the path where the decrypted key should be written
# When prompted, enter the passphrase or password that protects the key
openssl rsa -in /path/to/encrypted/cert/key -out /path/to/decrypt/cert/key
Use the configureUiPathAS.sh script to update the certificate, as shown below. You need the path to each of the three certificate files. All certificate files must be in PEM format.
- Certificate Authority bundle: this bundle must contain only the chain certificates used to sign the TLS server certificate. The chain is limited to a maximum of 9 certificates.
- Server certificate: the public server certificate.
- Private key: the private key of the server certificate.
sudo ./configureUiPathAS.sh tls-cert update --ca-cert-file /path/to/cacert --tls-cert-file /path/to/tlscert --tls-key-file /path/to/tlskey
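Before running tls-cert update, it is worth checking the three PEM files against the requirements above: a CA chain of 1 to 9 certificates, a key that is already decrypted and that matches the server certificate, and a SAN that covers every hostname requested in the CSR. The bash helper below is an added example and not part of the installer bundle; the function names, the file arguments and the FQDN it receives are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the Automation Suite installer): pre-flight checks for
# the PEM files that "tls-cert update" expects. Function names are hypothetical;
# the required hostnames mirror the SAN list used in the CSR step.

# Count certificates in a PEM file: one per BEGIN CERTIFICATE marker, 0 if unreadable.
count_pem_certs() {
  local n
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# The CA bundle must hold the signing chain only: at least 1, at most 9 certificates.
check_ca_bundle() {
  local n
  n=$(count_pem_certs "$1")
  [ "$n" -ge 1 ] && [ "$n" -le 9 ]
}

# The key must already be decrypted (PKCS#8 "ENCRYPTED PRIVATE KEY" or a
# "Proc-Type: 4,ENCRYPTED" header both mean it is not).
check_key_unencrypted() {
  [ -r "$1" ] && ! grep -q -- 'ENCRYPTED' "$1"
}

# The public key embedded in the server certificate must equal the one derived
# from the private key (needs openssl; compares the two PEM public keys).
check_key_matches_cert() {
  local c k
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Every hostname from the CSR must appear as a DNS entry in the issued SAN
# (openssl 1.1.1+ for "-ext"). Dots are escaped so grep -E matches literally.
check_san_covers() {
  local cert=$1 fqdn=$2 san sub name
  san=$(openssl x509 -noout -ext subjectAltName -in "$cert" 2>/dev/null)
  for sub in "" alm. monitoring. registry. objectstore. insights.; do
    name=$(printf '%s' "${sub}${fqdn}" | sed 's/\./\\./g')
    printf '%s\n' "$san" | grep -qE -- "DNS:${name}(,|$)" || return 1
  done
}

preflight() {  # usage: preflight CA_BUNDLE SERVER_CERT SERVER_KEY FQDN
  check_ca_bundle "$1"             || { echo "CA bundle must hold 1 to 9 certificates" >&2; return 1; }
  check_key_unencrypted "$3"       || { echo "private key is still encrypted; decrypt it first" >&2; return 1; }
  check_key_matches_cert "$2" "$3" || { echo "private key does not match the server certificate" >&2; return 1; }
  check_san_covers "$2" "$4"       || { echo "SAN does not cover every required hostname" >&2; return 1; }
  echo "all pre-flight checks passed"
}
```

Run it as preflight /path/to/cacert /path/to/tlscert /path/to/tlskey automationsuite.corp.com before the update command; a non-zero exit names the failing check.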
The tls-cert get command writes the certificate files to the /directory/path/to/store/certificate location.
To print the certificate files, run the following command, specifying the directory in which the certificates should be stored:
sudo ./configureUiPathAS.sh tls-cert get --outpath /directory/path/to/store/certificate
You are responsible for making sure that the generated certificates are trusted.
To add the certificate to the trust store of the host VM, run the following commands on every node in the cluster:
# 1. Copy the certificate file to the /usr/share/pki/ca-trust-source/anchors/ or the /etc/pki/ca-trust/source/anchors/ directory
cp /path/to/the/ca-cert /usr/share/pki/ca-trust-source/anchors/
# 2. Update the trust store configuration
update-ca-trust
To view more information about additional CA certificates, run the following command:
./configureUiPathAS.sh additional-ca-certs --help
Output:
***************************************************************************************
Manage additional CA certificates, this can be used to add sql server CA
Usage:
configureUiPathAS.sh additional-ca-certs [command]
configureUiPathAS.sh additional-ca-certs [flags]
Available Commands:
update Update the additional trusted CA certificates.
get Get the additional trusted CA certificates
Flags:
-h|--help Display help
***************************************************************************************
The output above lists the operations that the ./configureUiPathAS.sh additional-ca-certs command performs.
This command lets you update or replace the CA certificates that are already configured:
./configureUiPathAS.sh additional-ca-certs update --ca-cert-file /path/to/ca/certs
To replace the existing CA certificates rather than update them, add the --replace flag.
The certificate file must be in .pem format and can contain multiple certificates.
To download the configured CA certificates, run the following command:
./configureUiPathAS.sh additional-ca-certs get --outpath /path/to/download/certs
You are responsible for making sure that the generated certificates are trusted.
To add the certificate to the trust store of the host VM, run the following commands on every node in the cluster:
# 1. Copy the certificate file to the /usr/share/pki/ca-trust-source/anchors/ or the /etc/pki/ca-trust/source/anchors/ directory
cp /path/to/the/ca-cert /usr/share/pki/ca-trust-source/anchors/
# 2. Update the trust store configuration
update-ca-trust
To view more information about the identity token signing certificate, run the following command:
sudo ./configureUiPathAS.sh identity token-cert --help
Output:
************************************************************************************
Manage Identity token signing certificate
Usage:
configureUiPathAS.sh identity token-cert [command]
configureUiPathAS.sh identity token-cert [flags]
Available Commands:
update Update secondary certificate to signing
the authentication token
rotate Switch secondary certificate as a primary
token signing certificate
get Get token signing certificate
Flags:
-h|--help Display help
************************************************************************************
The output above lists the operations that the ./configureUiPathAS.sh identity token-cert command performs.
To upload a new certificate for signing tokens, run the following command. The command does not replace the existing token signing certificate; it adds the new one as the secondary certificate. The certificate must be in .pem format.
sudo ./configureUiPathAS.sh identity token-cert update --cert-file-path /path/to/cert --cert-key-file-path /path/to/certkey
To rotate the old certificate out and replace it with the new one, run the following command:
sudo ./configureUiPathAS.sh identity token-cert rotate
Leave a lead time of roughly 24 to 48 hours between updating the certificate and rotating it. This lead time is needed so that cached tokens signed by the old certificate can still be authenticated. Rotating the certificate too early, before the cached tokens expire, can cause downtime, and you may need to restart all robots.
By default, RKE2 certificates expire after 12 months. If you restart RKE2 within the 90 days before the expiry date, the certificates are rotated. For more details, see RKE2 - Advanced Options - Certificate Rotation.
To check when the RKE2 certificates on a node expire, run the following script:
# Directory to check: server nodes keep their certificates under server/tls, agent nodes under agent/tls
if [[ -d "/var/lib/rancher/rke2/server/tls" ]]; then
    dir="/var/lib/rancher/rke2/server/tls"
else
    dir="/var/lib/rancher/rke2/agent/tls"
fi
# Loop through each .crt file in the directory
for file in "$dir"/*.crt; do
    # Extract the expiry date from the certificate
    expiry=$(openssl x509 -enddate -noout -in "$file" | cut -d= -f 2-)
    # Get the file name without the path
    filename=$(basename "$file")
    # Print the file name and expiry date in a readable format
    printf "%-30s %s\n" "$filename:" "$expiry"
done
The output should look similar to the following figure:
To rotate the RKE2 certificates, you must first perform a series of operations on the server nodes and then continue with a few steps on the agent nodes.
1. Stop the RKE2 server:
   systemctl stop rke2-server.service
2. Clean up any remaining RKE2 processes:
   rke2-killall.sh
3. Delete the dynamic-cert.json file located in /var/lib/rancher/rke2/server/tls/.
4. Restart the RKE2 server:
   systemctl start rke2-server.service
   Note: if the cluster has multiple server nodes, steps 1-4 might not complete fully because etcd may be unable to finish leader election. If this happens, repeat steps 1-4 on the other server nodes.
5. Delete the rke2-serving secret from the kube-system namespace:
   kubectl delete secret -n kube-system rke2-serving
   Note: in a multi-node deployment, you may not be able to run kubectl commands until the first four operations have been completed on the required number of server nodes. This is needed to satisfy the etcd quorum requirement. You can delete the rke2-serving secret as soon as the RKE2 server has started.
Check the node status with the kubectl get nodes command. Once the server nodes are ready, you can move on to the agent nodes to regenerate their certificates.
Perform the following steps on the agent nodes:
1. Stop the RKE2 agent:
   systemctl stop rke2-agent.service
2. Clean up any remaining RKE2 processes:
   rke2-killall.sh
3. Restart the RKE2 agent:
   systemctl start rke2-agent.service