Use your own certificates with Ubuntu Landscape

Spoiler: Ubuntu Landscape is a very practical tool for keeping your fleet of Ubuntu machines up to date. But if he used our certificates rather than his self-signed ones, that would be better. We will upload the certificates to the server, then modify the configuration files to take them into account.

en Cette page est également disponible en français.

We saw how to install and configure Ubuntu Landscape. Since then, we have been informed daily of the state of the machines and of the necessary updates and these operations only take a click of the mouse, it is as much time saved :smile:.

But the basic installation uses a self-signed certificate generated during installation. Our browsers therefore ask us questions to agree to connect to it, and since they forget everything as soon as we close them, it starts again each time. It’s so much wasted time 😢.

So as we like to tamper with the bowels, and claim to have hacked the system, by replacing the certificates with ours, we share our findings with you. Because that’s how we are.

KELLEPICS @ pixabay

Upload your certificate

As you are pros at creating certificates, I’m assuming you already have your two files available (the key in landscape.pem, the certificate inlandscape.crt and your authority in ca.crt).

As the interface does not allow this type of manipulation, we will transfer the files via ssh and the account you used during installation. These files should be copied to the following locations:

Modification of the configuration

Landscape uses apache2 on its Ubuntu database, so the configuration files are in /etc/apache2/site-available/landscape.conf. That we will therefore modify.

To populate our own files there, we’ll modify the SSL directives to use our files as follows:

SSLCertificateKeyFile   /etc/ssl/private/landscape.pem
SSLCertificateFile      /etc/ssl/certs/landscape.crt
SSLCertificateChainFile /etc/ssl/certs/ca.crt

And finally restart Apache.

sudo service apache2 restart

And after ?

We can access the administration interface in HTTPs, without the browser complaining about us for certificate issues. The authenticity of the connection is now certified by the browser.