Unsigned Certificate Warning when Connecting to NetQ UI

Issue

When I try to connect to the NetQ UI to configure my on-premises setup, I get a warning from my browser that the certificate is untrusted.

Environment

• Cumulus NetQ 3.0.0 - 3.1.0

Resolution

The Cumulus NetQ UI ships with a self-signed certificate, which is why your browser issues a warning. You can avoid seeing this issue by installing your own signed certificate.

In order to use a custom certificate, you need the following:

• A valid X509 certificate.
• A private key file for the certificate.
• A DNS record name configured to access the NetQ UI. The FQDN should match the common name of the certificate. If you use a wild card in the common name — for example, if the common name of the certificate is *.example.com — then the NetQ telemetry server should reside on a subdomain of that domain, accessible via a URL like netq.example.com.
• Cumulus NetQ must be installed and running. You can verify this by running the netq show opta-health command.

To install a custom certificate:

1. Log in to the Cumulus NetQ telemetry server via SSH and copy your certificate and key file there.

2. Generate a Kubernetes secret called netq-gui-ingress-tls using following command:

   cumulus@netq-ts:~$ kubectl create secret tls netq-gui-ingress-tls \
       --namespace default \
       --key <name of your key file>.key \
       --cert <name of your cert file>.crt
   

3. Verify that the secret is created:

   cumulus@netq-ts:~$ kubectl get secret
   
   NAME                               TYPE                                  DATA   AGE
   netq-gui-ingress-tls               kubernetes.io/tls                     2      5s
   

4. Update the ingress rule file to install self signed certificates. Create a new file called ingress.yaml with following content. Make sure to replace <your hostname> with the FQDN of the NetQ server.

   apiVersion: extensions/v1beta1
   kind: Ingress
   metadata:
     annotations:
       kubernetes.io/ingress.class: "ingress-nginx"
       nginx.ingress.kubernetes.io/ssl-passthrough: "true"
       nginx.ingress.kubernetes.io/ssl-redirect: "true"
       nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
       nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
       nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
       nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
       nginx.ingress.kubernetes.io/proxy-body-size: 10g
       nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
     name: netq-gui-ingress-external
     namespace: default
   spec:
     rules:
     - host: <your hostname>
       http:
         paths:
         - backend:
             serviceName: netq-gui
             servicePort: 80
     tls:
     - hosts:
       - <your hostname>
       secretName: netq-gui-ingress-tls
   

5. Run the following command:

   cumulus@netq-ts:~$ kubectl apply -f ingress.yaml
   

   If your ingress rule is successfully configured, a message like the following appears:

   ingress.extensions/netq-gui-ingress-external configured
   

Your custom certificate should now be working. Verify it in the UI by visiting https://<your hostname> in your browser.