The security of livepatching depends not only on the signed kernel modules but also on the TLS channel between the livepatch client and the on-prem server. It is therefore essential to set up the TLS keys and certificates that the on-prem service needs.
There are several ways to set up TLS for livepatch on-prem. One way is to place a dedicated TLS-terminating reverse proxy in front of the haproxy service. Another way is to configure the TLS certificate and key on the haproxy instance directly.
Configuring TLS for haproxy
These are the steps to configure TLS on the haproxy service directly:
- Download the file tls-overlay.yaml from the livepatch on-prem bundle page.
- Rename the certificate and key files (the key file as key.pem) and place them in the same directory as the downloaded overlay file.
- Run the following juju command:
$ juju deploy cs:~livepatch-charmers/canonical-livepatch-on-prem-bundle --overlay ./tls-overlay.yaml
- Run juju status to verify that the haproxy service is now exposing port 443.
Configuring livepatch admin tool with TLS
If the TLS certificate used for livepatch originates from a trusted CA, there should be no further configuration necessary - the livepatch admin tool will use the configured system certificates to verify the server’s responses.
If, however, a self-signed certificate is used, the administration tool will need to be configured to use the certificate. There are several ways to do that.
Command line option
The --ca command line option of the livepatch admin tool accepts either the path to a certificate chain PEM file or the contents of the certificate chain:
$ livepatch-admin --ca ./cert.pem login -a (...)
$ livepatch-admin --ca "$(cat ./cert.pem)" login -a (...)
Environment variable
The environment variable LIVEPATCH_CA_CRT can be set with either the path to a certificate chain file or the contents of the certificate chain:
$ export LIVEPATCH_CA_CRT='/temp/cert.pem'
$ export LIVEPATCH_CA_CRT="$(cat ./cert.pem)"
Configuring livepatch client with TLS
If a self-signed certificate is used for the livepatch on-prem service, livepatch client instances will also need to be configured with that certificate to be able to verify responses coming from the on-prem server:
$ sudo canonical-livepatch config ca-certs=@stdin < ./cert.pem
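The following shell script is an added example, not part of the livepatch on-prem documentation or Canonical's tooling, that ties together the three passages above: the haproxy TLS deployment, the admin tool's --ca / LIVEPATCH_CA_CRT configuration, and the client's ca-certs configuration. It assumes openssl is installed. The certificates it generates are constructed stand-ins for cert.pem and key.pem; the hostname livepatch.example.internal and the helper names (make_self_signed, make_ca_signed, resolve_ca, is_self_signed, chain_verifies, check_endpoint) are my own, and resolve_ca is a hypothetical re-creation of the path-or-contents convention the page describes for --ca and LIVEPATCH_CA_CRT, not the admin tool's code. The script tells you whether a given certificate is self-signed (and therefore has to be handed to livepatch-admin and to every client) or chains to a CA that can simply live in the system trust store, and it provides a post-deploy check of port 443 on the haproxy unit.

```shell
#!/bin/sh
# Added example (not from the livepatch on-prem docs or Canonical's tooling).
# Exercises this page's TLS material offline with openssl.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# make_self_signed DIR: constructed self-signed cert.pem/key.pem in DIR.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=livepatch.example.internal" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# make_ca_signed DIR: constructed private CA (ca.pem) plus a server cert.pem/key.pem
# issued by it, i.e. the "trusted CA" case once ca.pem is in the system trust store.
make_ca_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Internal CA" \
    -keyout "$1/ca-key.pem" -out "$1/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=livepatch.example.internal" \
    -keyout "$1/key.pem" -out "$1/server.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$1/server.csr" \
    -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
    -out "$1/cert.pem" >/dev/null 2>&1
}

# resolve_ca VALUE: print PEM text whether VALUE is a file path or the PEM contents.
# Hypothetical re-creation of the convention --ca and LIVEPATCH_CA_CRT follow;
# not the admin tool's own code.
resolve_ca() {
  if [ -f "$1" ]; then cat "$1"; else printf '%s\n' "$1"; fi
}

# is_self_signed CERTFILE: exit 0 when the certificate's subject equals its issuer.
is_self_signed() {
  subj="$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')"
  iss="$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')"
  [ "$subj" = "$iss" ]
}

# chain_verifies CAFILE CERTFILE: exit 0 when CERTFILE validates against CAFILE.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_endpoint HOST CAFILE: after the juju deploy with tls-overlay.yaml, confirm
# that HOST:443 serves a chain that validates against CAFILE. Needs network, so the
# offline demo below does not call it.
check_endpoint() {
  openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

demo() {
  d="$WORKDIR/demo"; mkdir -p "$d"
  make_self_signed "$d"
  if is_self_signed "$d/cert.pem"; then
    echo "cert.pem is self-signed: pass it to livepatch-admin (--ca) and to clients (ca-certs=@stdin)"
  else
    echo "cert.pem is CA-issued: the system trust store should suffice"
  fi
  # The same PEM text results whether a path or the inline contents is supplied.
  if [ "$(resolve_ca "$d/cert.pem")" = "$(resolve_ca "$(cat "$d/cert.pem")")" ]; then
    echo "path and inline forms of the CA value agree"
  fi
}
demo
```

Run it as-is for the offline demo; after the overlay deployment, `check_endpoint <haproxy-host> ./cert.pem` is the check that complements `juju status`, since it confirms not only that port 443 is open but that the served chain validates against the certificate you intend to distribute.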