dfir-iris / iris-web

Collaborative Incident Response platform
GNU Lesser General Public License v3.0

[BUG] Replacing Dev Certificates. #351

Open decyphertek-io opened 11 months ago

decyphertek-io commented 11 months ago

Nginx doesn't load when certs are changed.

Steps taken to change nginx cert:

$ vim ~/iris-web/.env
# I changed the following
# -- NGINX
SERVER_NAME=decyphertek
KEY_FILENAME=iris_prod_key.pem
CERT_FILENAME=iris_prod_cert.pem

$ openssl req -x509 -nodes -days 9999 -newkey rsa:2048 \
    -keyout /home/core/.docker/iris-web/certificates/web_certificates/iris_prod_key.pem \
    -out /home/core/.docker/iris-web/certificates/web_certificates/iris_prod_crt.pem \
    -subj "/C=US/ST=Any/L=Anytown/O=decyphertek-io/OU=adminotaur/CN=decyphertek"

Issue: it fails. I realized that docker compose references the rootCA:

volumes:
  - ./certificates/rootCA/irisRootCACert.pem:/etc/irisRootCACert.pem:ro

Issue: script changing all the certs (nginx fails to load):

  #!/bin/bash

  # Delete existing Root CA files
  rm -rf /home/core/.docker/iris-web/certificates/rootCA/*.pem
  rm -rf /home/core/.docker/iris-web/certificates/rootCA/*.srl
  rm -rf /home/core/.docker/iris-web/certificates/web_certificates/*.pem

  # Define Root CA certificate and key file paths
  ROOT_CA_CERT_FILE="/home/core/.docker/iris-web/certificates/rootCA/irisRootCACert.pem"
  ROOT_CA_KEY_FILE="/home/core/.docker/iris-web/certificates/rootCA/irisRootCAKey.pem"

  # Generate a new private key for the Root CA
  openssl genpkey -algorithm RSA -out "${ROOT_CA_KEY_FILE}"

  # Generate a self-signed Root CA certificate
  openssl req -x509 -new -key "${ROOT_CA_KEY_FILE}" -out "${ROOT_CA_CERT_FILE}" -days 3650 -subj "/CN=RootCA"

  # Define server certificate and key file paths
  SERVER_CERT_FILE="/home/core/.docker/iris-web/certificates/web_certificates/iris_prod_cert.pem"
  SERVER_KEY_FILE="/home/core/.docker/iris-web/certificates/web_certificates/iris_prod_key.pem"
  SERVER_CSR_FILE="/home/core/.docker/iris-web/certificates/web_certificates/iris_prod_csr.pem"

  # Generate a new private key for the server
  openssl genpkey -algorithm RSA -out "${SERVER_KEY_FILE}"

  # Generate a CSR for the server
  openssl req -new -key "${SERVER_KEY_FILE}" -out "${SERVER_CSR_FILE}" \
    -subj "/C=US/ST=Any/L=Anytown/O=decyphertek-io/OU=adminotaur/CN=decyphertek"

  # Root CA signs the server certificate
  openssl x509 -req -in "${SERVER_CSR_FILE}" -CA "${ROOT_CA_CERT_FILE}" -CAkey "${ROOT_CA_KEY_FILE}" \
    -CAcreateserial -out "${SERVER_CERT_FILE}" -days 3650

Solution:

LPT6166676c commented 4 months ago

Is there any progress on this? I am struggling to change the certificates on my instance also.
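
A preflight check for the certificate replacement discussed in this issue, as an added example that is not part of the thread or of the iris-web project. It confirms that the files named by KEY_FILENAME and CERT_FILENAME in .env exist in the certificate directory, that the key and certificate belong together, and that the certificate verifies against the root CA file. The function names are hypothetical, and the assumption is that nginx looks for those two filenames inside certificates/web_certificates.

```shell
#!/bin/bash
# Added example (not iris-web code). Function names are hypothetical; the .env
# keys and directory layout are the ones quoted in the issue.

# Read one KEY=value setting from an .env file (last assignment wins).
env_value() {  # usage: env_value ENV_FILE KEY
  sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r"'
}

# Hash of the public key held in a certificate ("cert") or private key ("key").
pubkey_hash() {  # usage: pubkey_hash cert|key FILE
  local pub
  if [ "$1" = cert ]; then
    pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || pub=
  else
    pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || pub=
  fi
  # An unparsable file yields a marker instead of the hash of empty input.
  [ -n "$pub" ] || { echo "unparsable:$1:$2"; return 1; }
  printf '%s\n' "$pub" | openssl sha256
}

# Returns 0 only if the files named in .env exist, pair up and chain to the CA.
check_certs() {  # usage: check_certs ENV_FILE WEB_CERT_DIR ROOT_CA_CERT
  local cert key f rc=0
  cert="$2/$(env_value "$1" CERT_FILENAME)"
  key="$2/$(env_value "$1" KEY_FILENAME)"
  for f in "$cert" "$key" "$3"; do
    { [ -f "$f" ] && [ -r "$f" ]; } || { echo "MISSING or unreadable: $f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1
  if [ "$(pubkey_hash cert "$cert")" != "$(pubkey_hash key "$key")" ]; then
    echo "MISMATCH: $key is not the private key for $cert"; rc=1
  fi
  if ! openssl verify -CAfile "$3" "$cert" >/dev/null 2>&1; then
    echo "CHAIN: $cert does not verify against $3"; rc=1
  fi
  return "$rc"
}

# Example call with the paths from the issue:
#   check_certs ~/iris-web/.env \
#     /home/core/.docker/iris-web/certificates/web_certificates \
#     /home/core/.docker/iris-web/certificates/rootCA/irisRootCACert.pem
```

Run it before restarting the containers; any MISSING, MISMATCH or CHAIN line names the file to regenerate or rename.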