Recreating the TLS Certificate on ASGARD Analysis Cockpit

Last update:
Last verified version: AAC 4.4.6

Overview

This article explains how to recreate the TLS certificate used for communication between ASGARD Management Center (AMC) and ASGARD Analysis Cockpit (AAC) on port 7443. It is intended for administrators who need to restore or renew this certificate, for example after a hostname or domain change on the Cockpit server has caused certificate errors or broken connectivity between the two components.

When the hostname in the certificate no longer matches the hostname of the server, AMC reports an error such as:

context deadline exceeded: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for old-hostname, not new-hostname"

This procedure addresses the internal AMC-to-AAC communication certificate only. It does not affect the separate certificate used for the AAC HTTPS web interface; its recreation is explained in the manual.

Important: This procedure should only be carried out after consulting Nextron support. Please contact support before proceeding.

Prerequisites

  • Root or sudo access on the ASGARD Analysis Cockpit server

  • The system must have a valid, fully qualified domain name (FQDN) configured

Expected Result

After completing the steps below, a new TLS certificate will be generated and signed using the existing local CA. The asgard-analysis-cockpit service will restart and resume normal operation with the updated certificate. Connectivity between AMC and AAC should be restored after a manual reconnect.

Steps to proceed

Step 1: Verify the system FQDN

Before proceeding, confirm that the system has a valid FQDN configured:

Bash
hostname --fqdn

The output should return a fully qualified domain name (e.g. cockpit.example.com). If the output is incomplete or incorrect, resolve the hostname configuration before continuing.

Step 2: Create the fix script

Create a new shell script file using nano:

Bash
nano fix-fqdn.sh

Insert the following content into the editor:

Bash
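#!/bin/bash
# Stop at the first failed command so the service is never restarted after a failed certificate build
set -e
FQDN=$(hostname --fqdn)
export FQDN
# Render the extension config from its template, substituting the current FQDN
sed "s/\$FQDN/${FQDN}/" /etc/asgard-analysis-cockpit/server_cert_ext.cnf.in > /etc/asgard-analysis-cockpit/server_cert_ext.cnf
# Create a CSR for the existing private key, then sign it with the existing local CA
openssl req -new -nodes -subj "/O=Nextron Systems GmbH/CN=${FQDN}" -key /etc/asgard-analysis-cockpit/cert.key -out /etc/asgard-analysis-cockpit/cert.csr
openssl x509 -req -in /etc/asgard-analysis-cockpit/cert.csr -CA /etc/asgard-analysis-cockpit/ca.pem -CAkey /etc/asgard-analysis-cockpit/ca.key -CAcreateserial -days 36500 -out /etc/asgard-analysis-cockpit/cert.pem -extfile /etc/asgard-analysis-cockpit/server_cert_ext.cnf
# Restart the service so it loads the new certificate
systemctl restart asgard-analysis-cockpit.service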

Save and close the file. In nano, press CTRL + X, then confirm the changes by pressing Y and hitting Enter.

Step 3: Execute the script

Give the script execution permissions and run it:

Bash
chmod +x fix-fqdn.sh
sudo ./fix-fqdn.sh
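
Before reconnecting, it is worth confirming that the new certificate is signed by the local CA, belongs to cert.key and is valid for the current FQDN. The following check is an added example, not part of the vendor procedure; the helper name verify_cockpit_cert and the script name verify-cert.sh are assumptions, while the file names are those used in the fix script.

```shell
#!/bin/bash
# Added example (not vendor code): check the certificate written by fix-fqdn.sh.
# verify_cockpit_cert is a hypothetical helper name; file names are those used
# in the fix script (ca.pem, cert.pem, cert.key).

# verify_cockpit_cert DIR HOST
# Returns 0 only if DIR/cert.pem (1) chains to DIR/ca.pem, (2) belongs to
# DIR/cert.key and (3) is valid for HOST. Prints the first failed check.
verify_cockpit_cert() {
    local dir=$1 host=$2

    # 1. Signed by the local CA. Match on the "OK" line rather than the exit code.
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" 2>/dev/null \
        | grep -q ': OK$' \
        || { echo "FAIL: cert.pem does not chain to ca.pem"; return 1; }

    # 2. Public key in the certificate equals the public key of cert.key.
    [ "$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$dir/cert.key" -pubout 2>/dev/null)" ] \
        || { echo "FAIL: cert.pem does not belong to cert.key"; return 1; }

    # 3. Hostname check; this is the condition behind the AMC error
    #    "certificate is valid for old-hostname, not new-hostname".
    openssl x509 -in "$dir/cert.pem" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match certificate' \
        || { echo "FAIL: cert.pem is not valid for $host"; return 1; }

    echo "OK: cert.pem is valid for $host, signed by ca.pem, matches cert.key"
}

# Usage: sudo ./verify-cert.sh /etc/asgard-analysis-cockpit "$(hostname --fqdn)"
if [ "$#" -eq 2 ]; then
    verify_cockpit_cert "$1" "$2"
fi
```

A FAIL on the hostname check after running the fix script usually means `hostname --fqdn` did not return the name AMC connects to; correct the hostname configuration from Step 1 and run the fix script again.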

Step 4: Re-establish connections

Once the service has restarted, the existing connections between AAC and AMC or the ASGARD Security Center need to be re-established. Refer to the respective manual entries:

https://analysis-cockpit-manual.nextron-systems.com/en/latest/administration/amc.html

https://security-center-manual.nextron-systems.com/en/latest/first_steps/analysis_cockpit.html