ECS V8: Update nxd certificates

    #53602
    Steve92
    Participant

    Hi!

    I need to update the nxd certificate on dozens of servers (ED, SBTS).

    Each certificate has to be copied from remote servers to ECS to avoid authentication warnings.

    How can I do that in a script after collecting all certificates of the remote machines?

    Where on ECS do I have to copy the certificates from these remote machines?

    Thanks,

    Regards,

    Steve.


    #53631
    Steve92
    Participant

    Hi!

    Remote nodes are on VLANs administered by local admins.

    They don’t have rights on ECS, which has its own dedicated admin.

    I’ve analyzed the subject and, if I understand correctly, we could use --keyadd to register the public keys of nxd of remote nodes in

    /var/NX/nx/.nx/config/authorized.crt on ECS.

    * Local admin

    Each local admin generates a new 4096-bit nxd certificate (nx_host_rsa_key) and its public key (nx_host_rsa_key.crt) for all nodes on his VLAN.

    A prefix is added to each key:

    cp /usr/NX/etc/keys/host/nx_host_rsa_key.crt <source_hostname>_nx_host_rsa_key.crt

    All the keys are sent to ECS admin.

    * ECS Admin

    For each pub key received:

    sudo /etc/NX/nxserver --keyadd <source_hostname>_nx_host_rsa_key.crt

    => this command updates /var/NX/nx/.nx/config/authorized.crt


    Q1- Please, could you validate my understanding and this procedure?

    Q2- What about inverse mode connection if the nxd certificate is changed on a remote node?

    Thanks,

    Regards,

    Steve.


    #53641
    fisherman
    Moderator

    Hi,

    If I understood your goal correctly, you’re looking to add a node to ECS without requiring password authentication. You can achieve this by following the steps below:

    To add a node to ECS
    #1. On the node
    scp $ECS_IP:/usr/NX/etc/keys/host/node.localhost.id_rsa.pub ${ECS_IP}_node.localhost.id_rsa.pub
    sudo /etc/NX/nxserver --keyadd ${ECS_IP}_node.localhost.id_rsa.pub

    #2. On ECS
    sudo /etc/NX/nxserver --nodeadd $NODE_IP --node-name $NODE_NAME

    To perform the reverse (adding an inverse node to an ECS)

    Follow the same procedure, but switch the roles:
    – Run step #1 on the ECS
    – Run step #2 on the node

    Would you need help to make the script for this flow?

    #53655
    Steve92
    Participant

    Hi Fisherman,

    Thanks for this quick answer but it is not exactly what I’d want.

    Nodes are already added to ECS in “direct connection mode” or “inverse connection mode”.

    For security reasons, keys have to be regenerated with 4096-bit instead of 2048-bit standard length.

    One part of the subject is the keys for the nxd certificates of the nodes.

    nxd certificates will be regenerated by local admin for all nodes of their VLAN (they don’t have admin rights on ECS).

    The nx_host_rsa_key.crt files will be sent to the ECS admin, and then what does he have to do on ECS (or elsewhere)?

    (a script is needed to handle many .crt files)

    When I check the last modification date of /var/NX/nx/.nx/config/authorized.crt,

    it does not seem to be the right file (unchanged date).

    /var/NX/nx/.nx/config/client.crt

    seems to be the right file to put the .crt of the certificate from nxd of the nodes.

    The .crt files will be sent to the ECS admin, and then what does he have to do on ECS (or elsewhere)?

    In short, how to handle nxd certificate change on nodes when the nodes are administered by different admins than the ECS admin?

    I hope it is clearer now.

    Thanks,

    Regards,

    Steve.

    #53660
    fisherman
    Moderator

    To replace node certificates, please follow this article:
    https://kb.nomachine.com/DT07S00229#7

    LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen -k /usr/NX/etc/keys/node.localhost.id_rsa -p /usr/NX/etc/keys/node.localhost.id_rsa.pub -t rsa -n 4096

    And then, based on the direct or inverse node, do the same as mentioned in previous post:

    #1. On the node
    scp $ECS_IP:/usr/NX/etc/keys/host/node.localhost.id_rsa.pub ${ECS_IP}_node.localhost.id_rsa.pub
    sudo /etc/NX/nxserver --keyadd ${ECS_IP}_node.localhost.id_rsa.pub

    #2. On ECS
    sudo /etc/NX/nxserver --nodeedit $NODE_NAME

    #53669
    Steve92
    Participant

    Hi,

    For the moment, my question is about the SSL certificate for nxd and not the RSA key pair.

    I know the article you quoted, but alas it is not precise about how to deal with a change of the SSL certificate for nxd. 🙁

    Hence my question: “In short, how to handle nxd certificate change on nodes when the nodes are administered by different admins than the ECS admin?”

    Regards,

    Steve.

    #53695
    Steve92
    Participant

    Hello,

    Any help would be greatly appreciated! 😉

    Regards,

    Steve.

    #53812
    fisherman
    Moderator

    Hi,

    Apologies that I missed your response.

    To clarify, there’s no need for the node administrators to manually copy or share SSL certificate files when the certificate for nxd is changed.

    As you mentioned (or as I understood), the nodes are managed by different administrators who will generate new certificates.

    After the new certificate is generated on the node, ECS Admin, instead of managing certificates manually, will run the following command:
    sudo /etc/NX/nxserver --nodeedit <NODE_NAME>

    This command connects to the node, detects the SSL certificate mismatch, and prompts whether to accept the new certificate. Once confirmed, the certificate is automatically updated. There is no need to exchange or distribute cert files manually.
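The moderator's answer leaves one operational gap for the "dozens of servers" case in the original question: --nodeedit is run once per node and interactively asks the ECS admin to accept a certificate it has never seen, so whoever runs it should have an independent way to tell a legitimately regenerated certificate from an unexpected one. The POSIX shell script below is an added example written for this thread; it is not code from NoMachine or from either poster. It assumes (not stated in the thread) that each local admin reports, out of band, the SHA-256 digest of the new nx_host_rsa_key.crt they generated, and that the ECS admin keeps a node list with one line per node: node name, path of the received .crt, expected digest. The script checks every received file against its reported digest, only then prints (or, with DRY_RUN=0, runs) the `nxserver --nodeedit` command for that node, and skips any node whose file does not match. The sample node list and .crt contents it builds are constructed for the demo; NXSERVER, DRY_RUN and the list format are this example's own conventions.

```shell
#!/bin/sh
# Added example for the NoMachine forum thread, not project code.
# Bulk driver for "nxserver --nodeedit <NODE_NAME>" after node-side
# nxd certificate regeneration, gated on an out-of-band digest check.
set -u

NXSERVER="${NXSERVER:-/etc/NX/nxserver}"   # assumed path, matches the thread
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands only (default)

# SHA-256 hex digest of a file (the .crt exactly as received from the local admin).
crt_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only if the received .crt ($1) matches the digest ($2) the local admin
# reported through a separate channel (ticket, signed mail, phone).
verify_crt() {
    [ "$(crt_digest "$1")" = "$2" ]
}

# The command the ECS admin runs for one node, as given in the thread.
nodeedit_cmd() {
    printf 'sudo %s --nodeedit %s\n' "$NXSERVER" "$1"
}

# Process a node list. Line format (this example's convention):
#   <node_name> <path_to_received_crt> <expected_sha256>
# Lines starting with '#' are comments. Returns the number of nodes skipped
# or failed, so a non-zero exit means at least one certificate was NOT accepted.
process_list() {
    failed=0
    while read -r node crt expected; do
        if [ -z "$node" ]; then continue; fi
        case "$node" in '#'*) continue ;; esac
        if ! verify_crt "$crt" "$expected"; then
            echo "SKIP $node: digest mismatch for $crt (not accepting this certificate)"
            failed=$((failed + 1))
            continue
        fi
        if [ "$DRY_RUN" = "1" ]; then
            echo "DRY  $node: $(nodeedit_cmd "$node")"
        else
            # Real run: --nodeedit is interactive and prompts on the cert mismatch;
            # the admin answers the prompt knowing the digest already checked out.
            sudo "$NXSERVER" --nodeedit "$node" || { failed=$((failed + 1)); echo "FAIL $node"; }
        fi
    done < "$1"
    return "$failed"
}

# Demo with constructed input: nodeA's reported digest matches the received
# file, nodeB's does not. Returns 1 (one node skipped).
demo() {
    tmp=$(mktemp -d)
    printf 'CONSTRUCTED-CERT-A\n' > "$tmp/nodeA_nx_host_rsa_key.crt"
    printf 'CONSTRUCTED-CERT-B\n' > "$tmp/nodeB_nx_host_rsa_key.crt"
    good=$(crt_digest "$tmp/nodeA_nx_host_rsa_key.crt")
    bad=0000000000000000000000000000000000000000000000000000000000000000
    {
        printf '# node  received_crt  expected_sha256 (constructed)\n'
        printf '%s %s %s\n' nodeA "$tmp/nodeA_nx_host_rsa_key.crt" "$good"
        printf '%s %s %s\n' nodeB "$tmp/nodeB_nx_host_rsa_key.crt" "$bad"
    } > "$tmp/nodes.txt"
    rc=0
    process_list "$tmp/nodes.txt" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || true
```

Run it as-is to see the dry-run output; set DRY_RUN=0 and point the node list at the real received files to drive the actual --nodeedit prompts. The digest step does not replace the prompt, it gives the ECS admin grounds for answering it: a mismatch means the file in hand is not the one the local admin says they generated, and that node is left untouched.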
