As of the most recent release (Release v1.13.2 - Breaking Changes - Beware! Minor Patch #2 · ITRS-Group/cordial · GitHub) the Linux workflow is simplified for decoupled Geneos installs:
NOTE the new command line flags - they have changed!
On the main server, create the TLS certs as usual; depending on the installation state, run one of:
New install, with auto TLS install:
$ geneos init all -T -u download@example.com
or, add TLS to existing install:
$ geneos tls init
Then, once the local components are working, geneos ls has a Flags column that shows a T if TLS is configured, and geneos tls ls shows the certs; its Valid column shows whether each one is validated and unexpired:
$ geneos ls gateway
Type     Name          Host       Flags  Port  Version            Home
gateway  Demo Gateway  localhost  PAT    8100  active_prod:6.7.1  /home/peter/geneos/gateway/gateways/Demo Gateway
$ geneos tls ls gateway
Type     Name          Host       Remaining  Expires                 CommonName                     Valid
gateway  Demo Gateway  localhost  12823376   "2024-10-18T00:00:00Z"  "geneos gateway Demo Gateway"  true
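The Remaining and Valid columns are what you want to watch over time, because a certificate that has silently expired is the usual reason a TLS-enabled component stops connecting. The following shell function is an added example (not part of cordial) that reads geneos tls ls output on stdin and prints every certificate that is not valid or has fewer than a given number of days left. It assumes the space-separated layout shown above, where only the Expires and CommonName columns are quoted and Valid is the last column; the instance names used in the test data are constructed.

```shell
#!/bin/sh
# tls_expiring [DAYS]: filter "geneos tls ls" output (stdin) down to certificates
# whose Valid column is not "true" or whose Remaining seconds are below DAYS days.
# Added example, not cordial code. Assumes the column layout shown on the page:
#   Type Name Host Remaining "Expires" "CommonName" Valid
# Name may contain spaces, so the line is parsed from the right-hand side.
tls_expiring() {
    days=${1:-30}
    awk -v limit="$((days * 86400))" '
        NR == 1 { next }                      # skip the header line
        {
            # anchor on the right-hand columns: Remaining "Expires" "CommonName" Valid
            if (!match($0, /[0-9]+ +"[^"]*" +"[^"]*" +(true|false) *$/)) next
            head = substr($0, 1, RSTART - 1); sub(/ +$/, "", head)
            # t[1]=Remaining, t[2]=Expires, t[4]=CommonName, t[5]=Valid (with a leading space)
            split(substr($0, RSTART), t, /"/)
            remaining = t[1] + 0; expires = t[2]; valid = t[5]; gsub(/ /, "", valid)
            # h[1]=Type, h[2..n-1]=Name (possibly several words), h[n]=Host
            n = split(head, h, / +/)
            if (n < 3) next
            name = h[2]; for (k = 3; k < n; k++) name = name " " h[k]
            if (valid != "true" || remaining < limit)
                printf "%s %s: valid=%s remaining=%dd expires=%s\n", \
                    h[1], name, valid, int(remaining / 86400), expires
        }'
}
```

Typical use is geneos tls ls | tls_expiring 30 from a cron job or a monitoring check; an empty result means every listed certificate is validated and has more than 30 days left.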
Now export the signing bundle, which includes the signing certificate and private key as well as the root certificate for validation:
$ geneos tls export
-----BEGIN CERTIFICATE-----
MIIBqjCCAU+gAwIBAgIJAPhl+lTS/JRzMAoGCCqGSM49BAMCMCIxIDAeBgNVBAMT
...
itLOXVVnfQMbqOshHqjVTWRIxHE2eIaMc8Taxq4UiI9Uw8J9FliPYzBK
-----END PRIVATE KEY-----
This can also be written to a file with the additional --output /path/to/file.pem flag.
The private key should be protected as this is the “proof” that you represent the entity in the certificate. Don’t just leave this PEM file readable by anyone. When written to a file the permissions are set to only allow your user to access the contents.
Save or copy the PEM block or the resulting file somewhere accessible but confidential.
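Before copying the exported bundle to another host it is worth confirming that it is complete, that only your user can read it, and that nothing in it has already expired. The following shell function is an added example (it is not cordial code and does not call geneos) that performs those three checks on the PEM file written with --output. It assumes GNU stat (stat -c) and an openssl binary on PATH; if openssl is missing the expiry check is skipped with a warning.

```shell
#!/bin/sh
# check_signing_bundle FILE: sanity-check an exported geneos signing bundle before
# moving it to a new server. Added example, not part of cordial. Assumes GNU stat
# and (for the expiry check only) openssl on PATH.
check_signing_bundle() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # 1. Permissions: the file carries the signing private key, so only the owner may read it.
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "$file has mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac

    # 2. Structure: the bundle holds the signing and root certificates and one private key.
    #    "|| true" keeps a zero count from aborting a caller running under "set -e".
    ncert=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    nkey=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$file" || true)
    [ "$ncert" -ge 2 ] || { echo "expected signing and root certificates, found $ncert" >&2; return 1; }
    [ "$nkey" -eq 1 ] || { echo "expected exactly one private key, found $nkey" >&2; return 1; }

    # 3. Validity: none of the certificates may already be expired.
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping expiry check" >&2; return 0; }
    i=1
    while [ "$i" -le "$ncert" ]; do
        # extract the i-th certificate block only; "openssl x509" reads just the first one it sees
        cert=$(awk -v i="$i" '/-----BEGIN CERTIFICATE-----/ { n++ }
                               n == i { print }
                               /-----END CERTIFICATE-----/ { if (n == i) exit }' "$file")
        # -checkend 0 exits non-zero when the certificate has already expired
        if ! printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
            echo "certificate $i in $file is expired or unparseable" >&2; return 1
        fi
        i=$((i + 1))
    done
    return 0
}
```

Run it as check_signing_bundle /path/to/file.pem; a zero exit status means the file is safe to copy, and any failure is explained on stderr.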
On the new server, install geneos from cordial and then:
$ geneos deploy netprobe -n NAME -u download@example.com -S -C -
Note that geneos deploy does the initialisation of the Geneos environment and has been created to allow single command deployments. You do not need to run geneos init.
Follow the prompts and paste the PEM when prompted. Replace the -C - with -C /path/to/file.pem to read from a local file.
If the release archive is not directly accessible and has to be downloaded, then:
$ geneos deploy netprobe -n NAME -L -A /directory/of/releases -S -C -
To see what the flags mean, tack on a -h after any command.
For my docker test environment it looks like this:
geneos@86ca8b6ddea6:~$ geneos deploy netprobe -L -A /releases -S -C -
Geneos Directory (default "/home/geneos"):
installed "geneos-netprobe-6.8.1-linux-x64.tar.gz" to "/home/geneos/geneos/packages/netprobe/6.8.1"
netprobe "active_prod" on localhost set to 6.8.1
Paste PEM formatted signing certificate(s), end with newline + CTRL-D:
-----BEGIN CERTIFICATE-----
MIIBqjCCAU+gAwIBAgIJAPhl+lTS/JRzMAoGCCqGSM49BAMCMCIxIDAeBgNVBAMT
F2dlbmVvcyByb290IGNlcnRpZmljYXRlMB4XDTIzMTAwMjE0Mjk1NFoXDTMzMTAw
...
itLOXVVnfQMbqOshHqjVTWRIxHE2eIaMc8Taxq4UiI9Uw8J9FliPYzBK
-----END PRIVATE KEY-----
geneos signing certificate written to /home/geneos/.config/geneos/geneos.pem
geneos signing certificate key written to /home/geneos/.config/geneos/geneos.key
geneos certificate chain written to /home/geneos/geneos/tls/geneos-chain.pem
certificate created for netprobe "86ca8b6ddea6" (expires 2025-05-22T14:05:29Z)
netprobe "86ca8b6ddea6" added, port 7036
netprobe "86ca8b6ddea6" started with PID 2
or
geneos@3d53a9951d43:~$ geneos deploy netprobe -L -A /releases -S -C /releases/signing.pem
Geneos Directory (default "/home/geneos"):
installed "geneos-netprobe-6.8.1-linux-x64.tar.gz" to "/home/geneos/geneos/packages/netprobe/6.8.1"
netprobe "active_prod" on localhost set to 6.8.1
geneos signing certificate written to /home/geneos/.config/geneos/geneos.pem
geneos signing certificate key written to /home/geneos/.config/geneos/geneos.key
geneos certificate chain written to /home/geneos/geneos/tls/geneos-chain.pem
certificate created for netprobe "3d53a9951d43" (expires 2025-05-22T14:17:14Z)
netprobe "3d53a9951d43" added, port 7036
netprobe "3d53a9951d43" started with PID 22
Other components like webserver are the same, but you only need to import the signing bundle once, so the next command can be:
$ geneos deploy webserver -n NAME -L -A /releases -S
This now "does the right thing" with the webserver keystore and creates a local cacerts file (required for trusting gateway connections) per instance. If, however, you need to install a real certificate in the webserver, you then need to import it explicitly:
$ geneos tls import webserver -c /releases/webserver.pem
webserver "NAME" certificate written
webserver "NAME" private key written
webserver "NAME" certificate chain written
Here webserver.pem is a concatenation of the real server certificate, the validation chain and the private key for the main cert.
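The easiest mistake when building that file by hand is pairing the server certificate with the wrong private key, which only shows up later as a TLS handshake failure. The following shell function is an added example (not cordial code) that writes the concatenation in the order just described, leaf certificate then chain then key, refuses to write anything if the key's public half does not match the certificate, and creates the file owner-readable only. It assumes openssl on PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of cordial. Assembles the webserver.pem bundle described
# above and verifies the private key belongs to the server certificate first.
# Assumes openssl on PATH; CERT, CHAIN, KEY and OUT are caller-supplied paths.

# key_matches_cert CERT KEY: succeed only if the SubjectPublicKeyInfo derived from
# KEY is byte-for-byte the public key carried in CERT.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# build_webserver_bundle CERT CHAIN KEY OUT: write OUT as CERT + CHAIN + KEY, mode 0600.
build_webserver_bundle() {
    cert=$1; chain=$2; key=$3; out=$4
    for f in "$cert" "$chain" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # refuse to produce a bundle whose key and certificate disagree
    key_matches_cert "$cert" "$key" || { echo "$key does not match $cert; not writing $out" >&2; return 1; }
    # remove any stale copy so the umask applies to a freshly created file
    rm -f "$out"
    (umask 077 && cat "$cert" "$chain" "$key" > "$out") || return 1
    chmod 600 "$out"
    # sanity check the block order: a certificate first, the private key last
    first=$(head -n 1 "$out")
    last=$(grep -e '-----END' "$out" | tail -n 1)
    case "$first" in '-----BEGIN CERTIFICATE-----') ;; *) echo "unexpected first block in $out" >&2; return 1 ;; esac
    case "$last" in *'PRIVATE KEY-----') ;; *) echo "unexpected last block in $out" >&2; return 1 ;; esac
}
```

With the three input files in place, build_webserver_bundle server.pem chain.pem server.key webserver.pem produces the file that geneos tls import webserver -c webserver.pem expects; the key comparison is the same check an operator would otherwise do by comparing the output of openssl x509 -pubkey and openssl pkey -pubout by eye.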