Replace Juju GUI's SSL self-signed cert

Having successfully deployed Juju and set up the Juju GUI, I logged into the web interface. I noticed that it’s using self-generated certs; I want to replace those with the ones I have from a valid CA.

I logged in to the controller but was not able to find any web server. So I ran lsof -i :17070 and found “jujud” but this doesn’t mean anything to me. So I’m asking, how do I update the ssl certs juju gui is using to my CA signed ones?
Thanks.

The easiest path is to put an HTTP proxy in front of the Juju controller for the GUI access with the cert.

The issue you’re seeing is that all API communication with Juju is using a self-signed cert unless you use the bootstrap config to tell the controller to use a specified certificate. All of the units talking to the controller are using the self-signed one as well.

Rolling out the new cert involves a bit of manual hackery-foo to make sure it’s updated everywhere. However, if you’re just looking to provide the GUI over SSL like that, I’d suggest deploying haproxy or the like with the CA cert and proxying to the controller API where the GUI is being served from.

As you noticed, the GUI is served via the same http server that provides the Juju controller API.
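
The reverse-proxy approach suggested in the answer above, sketched as an HAProxy configuration. This is an added example, not part of the original thread or of Juju's own documentation; the hostname, file paths and controller address are placeholders, and it assumes the controller's CA certificate has been saved to a PEM file so the proxy validates the controller's self-signed chain instead of skipping verification.

```haproxy
global
    # Refuse legacy protocol versions on the browser-facing side.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  1m
    timeout server  1m
    # The GUI reaches the controller API over WebSockets; after the upgrade
    # this timeout applies instead of the client/server timeouts.
    timeout tunnel  1h

frontend juju_gui
    # Placeholder path. The PEM holds the CA-signed certificate, any
    # intermediates, and the private key (keep it readable by haproxy only).
    bind :443 ssl crt /etc/haproxy/certs/juju.example.com.pem
    default_backend juju_controller

backend juju_controller
    # Weak variant, shown for contrast: the hop is encrypted but any
    # certificate is accepted, so the proxy cannot tell the real controller
    # from an impostor on the network path.
    #   server controller 10.0.0.10:17070 ssl verify none
    #
    # Corrected variant: re-encrypt to the controller and require its
    # certificate to chain to the Juju CA (placeholder address and path).
    server controller 10.0.0.10:17070 ssl verify required ca-file /etc/haproxy/certs/juju-ca.pem
```

Only browser traffic goes through the proxy; units and clients that talk to the controller directly on port 17070 still see the self-signed certificate.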

A few more quick questions: what is the process for when the current self-signed cert expires? What is the proper procedure for updating it? Is redeploying the Juju controller at regular intervals the expected approach?
