TLS: Self Signed
How to configure BindPlane OP with TLS using Step CLI for certificate generation.
Self Signed TLS with Step CLI
Step CLI can be used to create your own certificate authority and
server certificates. Step provides an easy to use interface. Alternatively, you could use OpenSSL.
This guide assumes you will be deploying BindPlane and it's agents to a network which has working
Domain Name System (DNS). It is expected that agent systems will be able to connect to bindplane
using it's fully qualified domain name (FQDN).
If you do not have working DNS, it is possible to use
/etc/hosts as a workaround. See this guide for details.
For this demonstration, we have four compute instances running on Google Cloud. The objective is to configure
BindPlane OP to use a server TLS certificate, and have all clients and collectors connect using TLS.
The following instances are deployed:
bindplane: Instance which hosts the BindPlane OP server.
collector-debian: Debian based instance which will host a BindPlane OP agent.
collector-centos: CentOS based instance which will host a BindPlane OP agent.
collector-windows: Windows Server instance which will host a BindPlane OP agent.
Each instance belongs to a VPC in the project
bindplane, which means each instance has a DNS name
with the following format:
Each instance has the following fully qualified domain name (FQDN):
All instances within the network can resolve each other using their FQDN. DNS plays a critical
role when using TLS, as it allows certificates to be verified against their hostname. If the hostname does not match
the certificate, the connection will be rejected unless steps are taken to disable TLS verification.
Deploy and Configure BindPlane
Follow the BindPlane OP Server Install Guide to install BindPlane OP.
Once installed, modify
/etc/bindplane/config.yaml to look like this:
# Listen on port 3001, all interfaces. host: 0.0.0.0 port: "3001" # Basic auth should use a username other than # admin along with a secure password. username: admin password: admin logFilePath: /var/log/bindplane/bindplane.log # Endpoint for which clients and collectors will interfact # with the server's http interface. serverURL: http://bindplane.c.bindplane.internal:3001 server: # Endpoint for which collectors will interact with the # server's web socket interface. remoteURL: ws://bindplane.c.bindplane.internal:3001 storageFilePath: /var/lib/bindplane/storage/bindplane.db # A random uuid which is used as a shared secret between bindplane and # deployed agents. secretKey: ffb26038-5169-4496-b5fc-d5a185c33b96 # A random uuid which is used for generating web ui session cookies. sessionsSecret: 14dab09e-0ca5-4167-bde3-39c869f3fab4
sessionsSecret should be random
uuid values. You can generate your own
server.remoteURL use the correct FQDN. You can check your server's FQDN using the
$ hostname -f bindplane.c.bindplane.internal
Once BindPlane is configured, restart the server.
sudo systemctl restart bindplane
Verify that BindPlane OP is working by connecting to the public IP address on port 3001. In this example, that would be
Create Certificates with Step
On the instance running your BindPlane OP server, install
step command line. Instructions
step can be found here.
Create Certificate Authority
The following commands will write a certificate and private key
tls-ca/ca.key in your working directory.
mkdir tls-ca step certificate create \ ca.c.bindplane.internal \ tls-ca/ca.crt tls-ca/ca.key \ --profile root-ca \ --no-password \ --insecure \ --not-after=8760h
Create BindPlane Server Certificate
The following commands will generate a server certificate signed by the CA previously
created. The certificate and private key will be written to
sudo mkdir /etc/bindplane/tls sudo step certificate create \ bindplane.c.bindplane.internal \ /etc/bindplane/tls/bindplane.crt /etc/bindplane/tls/bindplane.key \ --profile leaf \ --not-after 2160h \ --no-password \ --insecure \ --ca tls-ca/ca.crt \ --ca-key tls-ca/ca.key sudo chown -R bindplane:bindplane /etc/bindplane/tls
Configure BindPlane to use TLS
With the server certificate created, make the following changes to
Your configuration will look similar to this:
# Listen on port 3001, all interfaces. host: 0.0.0.0 port: "3001" # Basic auth should use a username other than # admin along with a secure password. username: admin password: admin logFilePath: /var/log/bindplane/bindplane.log # Endpoint for which clients and collectors will interfact # with the server's http interface. serverURL: https://bindplane.c.bindplane.internal:3001 server: # Endpoint for which collectors will interact with the # server's web socket interface. remoteURL: wss://bindplane.c.bindplane.internal:3001 storageFilePath: /var/lib/bindplane/storage/bindplane.db # A random uuid which is used as a shared secret between bindplane and # deployed agents. secretKey: ffb26038-5169-4496-b5fc-d5a185c33b96 # A random uuid which is used for generating web ui session cookies. sessionsSecret: 14dab09e-0ca5-4167-bde3-39c869f3fab tlsCert: /etc/bindplane/tls/bindplane.crt tlsKey: /etc/bindplane/tls/bindplane.key
With the configuration updated, restart BindPlane OP:
sudo systemctl restart bindplane
To verify that BindPlane OP is using TLS, navigate to your server's IP address using
https. For example,
You should expect your browser to present a warning screen. This is because your workstation does not trust the
certificate. This is expected because you have not imported the certificate authority into your trust store. At this
time, it is safe to skip the warning and continue. Note that this warning should never be ignored in production, or in areas where
it is not expected.
Import Certificate Authority on Collector Systems
On all instances which will be running a BindPlane OP agent, we need to import
the certificate authority. This will allow the collector software to trust the BindPlane
tls-ca/ca.crtto all systems which will be running a BindPlane agent
- Import the
ca.crtinto the trust store on all agent systems
- Install agents
For instructions on how to import a certificate authority, see this blog.
Once all agent systems have the certificate authority imported, you can install agents using the command
generated in the BindPlane OP web interface.
Example Linux install command:
sudo sh -c "$(curl -fsSlL https://github.com/observiq/observiq-otel-collector/releases/download/v1.19.0/install_unix.sh)" install_unix.sh -e wss://bindplane.c.bindplane.internal:3001/v1/opamp -s ffb26038-5169-4496-b5fc-d5a185c33b96 -v 1.19.0
Note that the command uses the value from
/etc/bindplane/config.yaml as the endpoint that the agent
should connect to. The
wss protocol indicates that TLS should be used.
Once installed, the
manager configuration at
/opt/observiq-otel-collector/manager.yaml will look something like this:
endpoint: wss://bindplane.c.bindplane.internal:3001/v1/opamp secret_key: ffb26038-5169-4496-b5fc-d5a185c33b96 agent_id: 01GTHN3HAD7QXFN4Z9FV625A3V
Finished! Agents appear in the web interface, indicating that TLS is working.
Updated 27 days ago