Configuring SSL certificates directly on the ThreatLockDown dashboard

Let’s Encrypt certificate can be configured for the ThreatLockDown dashboard using the certbot client. Follow the instructions below to install and configure a Let’s Encrypt certificate on an all-in-one ThreatLockDown installation consisting of the ThreatLockDown server, the ThreatLockDown indexer, and the ThreatLockDown dashboard. In a clustered environment, the instructions should be applied to the ThreatLockDown dashboard node(s).

The process is divided into three stages:

  1. Installing and configuring the certbot client.

  2. Configuring Let’s Encrypt certificates in the ThreatLockDown dashboard.

  3. Configuring auto-renewal of the certificates.

Installing and configuring the certbot client

Install certbot

  1. Install snap:

    The certbot snap provides an easy way to ensure you have the latest version of certbot with features like automated certificate renewal preconfigured.

    # yum install epel-release
    # yum install snapd
    # systemctl enable --now snapd.socket
    # ln -s /var/lib/snapd/snap /snap
    
  2. Confirm installed snap is the latest:

    # snap install core; snap refresh core
    
  3. Install certbot:

    # snap install --classic certbot
    
  4. Link certbot from the snap install directory to the user directory, so you can run it by just typing certbot:

    # ln -s /snap/bin/certbot /usr/bin/certbot
    

Configure certbot to generate Let’s Encrypt SSL certificate

  1. Open ports 80 (HTTP) and 443 (HTTPS):

    # systemctl start firewalld
    # firewall-cmd --permanent --add-port=443/tcp
    # firewall-cmd --permanent --add-port=80/tcp
    
  2. Generate the Let’s Encrypt certificate:

    # certbot certonly --standalone -d <YOUR_DOMAIN_NAME>
    

    Where:

    • --standalone: Instruct certbot to handle cryptographic challenge using its built-in web server.

    • -d: Specify the ThreatLockDown dashboard FQDN (Fully Qualified Domain Name).

    • <YOUR_DOMAIN_NAME>: Sample fully qualified domain name.

  3. Confirm that the certificates are generated:

    # ls -la /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/
    

    The output of the command generally returns the following:

    cert.pem
    chain.pem
    fullchain.pem
    privkey.pem
    README
    

    Where:

    • README: contains information about the certificate files.

    • privkey.pem: This is the private key for the certificate.

    • fullchain.pem: This is the SSL certificate, bundled with all intermediate certificates.

Configuring Let’s Encrypt SSL certificates in the ThreatLockDown dashboard

  1. Copy the generated Let’s Encrypt certificates from the directory /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/ to the ThreatLockDown dashboard certificate directory /etc/wazuh-dashboard/certs:

    # cp /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/privkey.pem /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/fullchain.pem /etc/wazuh-dashboard/certs/
    
  2. Add the Let’s Encrypt certificates to the ThreatLockDown dashboard by editing the configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml replacing the old certificates with the configuration below:

    server.ssl.key: "/etc/wazuh-dashboard/certs/privkey.pem"
    server.ssl.certificate: "/etc/wazuh-dashboard/certs/fullchain.pem"
    

    After editing, you get a configuration file like the one below:

    server.host: 0.0.0.0
    opensearch.hosts: https://127.0.0.1:9200
    server.port: 443
    opensearch.ssl.verificationMode: certificate
    # opensearch.username: kibanaserver
    # opensearch.password: kibanaserver
    opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
    opensearch_security.multitenancy.enabled: false
    opensearch_security.readonly_mode.roles: ["kibana_read_only"]
    server.ssl.enabled: true
    server.ssl.key: "/etc/wazuh-dashboard/certs/privkey.pem"
    server.ssl.certificate: "/etc/wazuh-dashboard/certs/fullchain.pem"
    opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
    uiSettings.overrides.defaultRoute: /app/wz-home
    opensearch_security.cookie.secure: true
    
  3. Modify the permissions and ownership of the certificates:

    # chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/
    # chmod -R 500 /etc/wazuh-dashboard/certs/
    # chmod 440 /etc/wazuh-dashboard/certs/privkey.pem /etc/wazuh-dashboard/certs/fullchain.pem
    
  4. Restart the ThreatLockDown dashboard service:

    # systemctl restart wazuh-dashboard
    

The Let’s Encrypt certificate installation on the ThreatLockDown dashboard is now ready, and you can proceed to access it by using the configured domain name.

Configuring auto-renewal of the certificates

The generated Let’s Encrypt certificates are valid for ninety days. The certbot package previously installed renews the certificate by adding a renewal script to the /etc/cron.d directory on the ThreatLockDown dashboard. This script runs twice a day and will renew the certificate when it is within thirty days of expiration. Also, a renewal hook, renew_hook is added to the configuration to restart or reload the ThreatLockDown dashboard for the renewed certificate to apply.

Configure the renew_hook using the following steps

  1. Edit the domain configuration file at /etc/letsencrypt/renewal/<YOUR_DOMAIN_NAME>.conf and add the renewal hook at the end of the file:

    # renew_before_expiry = 30 days
    version = 1.32.0
    archive_dir = /etc/letsencrypt/archive/<YOUR_DOMAIN_NAME>
    cert = /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/cert.pem
    privkey = /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/privkey.pem
    chain = /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/chain.pem
    fullchain = /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/fullchain.pem
    
    # Options used in the renewal process
    [renewalparams]
    account = pa269247c1c3c97ec12ka01fa0f456bb
    authenticator = standalone
    server = https://acme-v02.api.letsencrypt.org/directory
    key_type = rsa
    
    renew_hook = systemctl restart wazuh-dashboard
    
  2. Test the renewal hook by running the command below:

    # certbot renew --dry-run
    

    The output looks like this:

       Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
       - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
       Processing /etc/letsencrypt/renewal/<YOUR_DOMAIN_NAME>.conf
       - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
       Simulating renewal of an existing certificate for <YOUR_DOMAIN_NAME>
    
       - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
       Congratulations, all simulated renewals succeeded:
       /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/fullchain.pem (success)
       - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -