First time posting after attending training and I am trying to apply training to our environment. Right now I have seat on the struggle bus. I am trying to sign the SSL cert with a CA that I installed.
1 I spun up an EC2 instance of Ubuntu and
2 Using OpenSSL installed and created the Certifcate Authority
3. After much googling and watching you tube I was able to sign the CSR and upload it to the groove
4. The Certificate shows that cert was signed by TendedBar Root CA and uploaded to the Epic properly but I still get an unsecured connection in my browser.
Image of cert screen below
I’ve reached out to the Opto team that has a lot more certificate experience.
But at a quick read I think the cert also needs to be put in your PC trusted store and the browser restarted.
ie, you have the private CA, the cert is in the EPIC, but it also needs to be in the browser so that all three ‘agree’ on the cert. As it is now, the browser does not have that private CA in its list to check.
So every PC that needs to connect to that EPIC will need your private cert added to its trust store.
Terry did some videos that will walk you through adding it to the PC trust store here:
Closing the loop on this one. I got this working but it it requited a few work arounds. For context we have approx 30 Grooves installed in on client networks in a self contained system. The self contained networks are not part of any domain and work indepently from each other. We need to establish secure API connectivity on both the internal network (eth0) and the Open VPN (tun0). Being a startup and having to watch budget closely, I opted to OPENSSL to create a wildcard certificate. If cost is not a factor I would strongly recommend purchasing a certificate from a trusted source. The openssl route works but it was not easiest solution.
The final step was getting the HTTPS:In node working in node red on both the internal and tunnel interfaces. The key pieces of information I needed to put together for this work was that because I was using an OPENSSL cert I needed to install the CA to the CA Trust store on the EPIC and I was using the the wrong API key for authentication. I needed to use the admin API Key not the Node Api Key.
Finally because I need FQDN to work both internally and externally as a temp fix I updated the local hosts file on the internal LAN so the epic is resolved properly. I am planning on installing BIND DNS on seperate Edge server long term.
Below is a drawing of how the communication works.
