Open obriensystems opened 3 years ago
Ok, the feature request is to give the option to provide the ARN for the private cert hosted in ACM at deploy time (via parameter)?
More than that. I already added a parameter to pass in a private cert ARN that gets put on the ALB. The issue is adding the private cert directly on the orch VM (VM or directly in orch .NET app) in the keystore so that we can log in to orch. We will also need to put the cert in the keystore of the machine running the robot.
procedure: moving to private cert; existing cert is on the ALB (not the TG)
https://docs.uipath.com/orchestrator/docs/setting-orchestrator-to-use-a-private-key-certificate
get rdp going - one to the orch box, add ssm role, open security groups temp to 0.0.0.0/0 incoming, reboot, run normal ssm cli with instance id
getting the certificate exported from AWS
export region=us-west-2
aws acm export-certificate --certificate-arn arn:aws:acm:us-west-2:453279094200:certificate/59305329-b576-4e1f-9b31-065652912e5c --passphrase fileb://passphrase | jq -r '"\(.Certificate)\(.CertificateChain)\(.PrivateKey)"'
aws acm list-certificates --region=us-west-2
biometric:~ michaelobrien$ aws acm export-certificate --certificate-arn arn:aws:acm:us-west-2:453279094200:certificate/59305329-b576-4e1f-9b31-065652912e5c --region=us-west-2 --passphrase fileb://passphrase | jq -r '"\(.Certificate)\(.CertificateChain)\(.PrivateKey)"'
An error occurred (ValidationException) when calling the ExportCertificate operation: Certificate ARN: arn:aws:acm:us-west-2:453279094200:certificate/59305329-b576-4e1f-9b31-065652912e5c is not a private certificate
todo create a private one - forgot this one is AWS CA signed
each private CA is US$400/month - first 30 days free for this demo
https://aws.amazon.com/certificate-manager/pricing/
creating obrienlabs ca
https://docs.uipath.com/installation-and-upgrade/docs/using-a-certificate-for-the-https-protocol
aws ssm start-session --target i-0247a7f6436907a96 --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=55678, portNumber=3389" --region us-west-2
machine dns for private cert
ip-10-0-41-75.us-west-2.compute.internal
add uipath procedure to move private cert do this before
3 drives 2 and 4
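The `aws acm export-certificate ... | jq -r` command in this thread prints the certificate, the chain and the private key as one concatenated PEM stream. The following is an added example, not code from the issue thread: it splits such a stream into its parts before a keystore import and refuses any key block that is not passphrase-encrypted. The function names, output file names and sample data are assumptions made for illustration.

```python
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def split_acm_bundle(bundle):
    """Split the concatenated export into leaf cert, chain certs and key."""
    leaf, chain, key = None, [], None
    for m in PEM_BLOCK.finditer(bundle):
        label, pem = m.group(1), m.group(0) + "\n"
        if label == "CERTIFICATE":
            # jq prints .Certificate before .CertificateChain, so the
            # first certificate block is the leaf.
            if leaf is None:
                leaf = pem
            else:
                chain.append(pem)
        elif label == "ENCRYPTED PRIVATE KEY" and key is None:
            key = pem
        elif label.endswith("PRIVATE KEY"):
            # Duplicate key, or a key that is not passphrase-protected.
            raise ValueError(f"refusing key block: {label}")
        else:
            raise ValueError(f"unexpected PEM block: {label}")
    if leaf is None or key is None:
        raise ValueError("need one certificate and one encrypted key")
    return {"leaf": leaf, "chain": chain, "key": key}

def write_parts(parts, outdir):
    """Write leaf.pem, chain.pem and key.pem with owner-only permissions."""
    os.makedirs(outdir, mode=0o700, exist_ok=True)
    files = {"leaf.pem": parts["leaf"], "chain.pem": "".join(parts["chain"]),
             "key.pem": parts["key"]}
    for name, data in files.items():
        # O_EXCL: fail instead of overwriting a file already at this path.
        fd = os.open(os.path.join(outdir, name),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
    return sorted(files)

def pem_block(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample: placeholder bodies, not real certificate or key data.
SAMPLE = (pem_block("CERTIFICATE", "TEVBRg==")
          + pem_block("CERTIFICATE", "SU5URVI=")
          + pem_block("CERTIFICATE", "Uk9PVA==")
          + pem_block("ENCRYPTED PRIVATE KEY", "S0VZ"))
```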