In the wake of recent concerns and debates raised around the Heartbleed bug, we wanted to update Severalnines ClusterControl users on any impact this bug might have on ClusterControl & associated databases and/or applications.


If your ClusterControl's web application has been accessible on the internet, then most likely you have also been exposed to the Heartbleed OpenSSL security bug, see: for more details. 

By default, our database deployment script enables SSL encryption for the Apache web server on the Controller host with a generated private SSL key and a self-signed certificate. SSL encryption is used between the UI and the Controller REST API if you have clusters added with HTTPS, which we do by default. The content that is encrypted (and which an attacker could potentially get access to via this bug) is primarily monitoring and ClusterControl application data.



Test your server for Heartbleed:

Upgrade the OpenSSL package for your distribution immediately. If you are concerned that your Controller server's private key may have been exposed, you should also generate a new private key and certificate.

First create a self-signed certificate by following the instructions in this post:

Then, install the new private key and certificate by updating your Apache web server configuration and restart the web server.


CentOS/RHEL distributions: Edit the /etc/httpd/conf.d/ssl.conf file

SSLCertificateFile /etc/pki/tls/certs/<your new cert>.crt
SSLCertificateKeyFile /etc/pki/tls/private/<your new key>.key

Debian/Ubuntu distributions: Edit the /etc/apache2/sites-enabled/000-default-ssl file

SSLCertificateFile /etc/ssl/certs/<your new cert>.crt
SSLCertificateKeyFile /etc/ssl/private/<your new key>.key
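The rotation steps above (new private key and self-signed certificate, updated Apache SSL config, restart) as an added shell example; this is not Severalnines' deployment script, and the file paths, the hostname cc.example.com and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example (not the ClusterControl deployment script): rotate the
# Controller's Apache key/cert after a Heartbleed exposure.
set -eu

# Generate a new RSA private key and self-signed certificate (valid 365 days).
# $1 = key path, $2 = cert path, $3 = CN (hostname of the Controller host)
gen_selfsigned() {
    key="$1"; cert="$2"; cn="$3"
    # umask 077 in a subshell so the new key is never world-readable
    ( umask 077; openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -keyout "$key" -out "$cert" -subj "/CN=$cn" >/dev/null 2>&1 )
    chmod 0644 "$cert"
}

# Confirm that certificate and key belong together by comparing RSA moduli.
# $1 = key path, $2 = cert path. Returns 0 if they match, 1 otherwise.
cert_matches_key() {
    m_key=$(openssl rsa  -noout -modulus -in "$1" | openssl md5)
    m_crt=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ "$m_key" = "$m_crt" ]
}

# Point SSLCertificateFile / SSLCertificateKeyFile in an Apache SSL config
# (e.g. /etc/httpd/conf.d/ssl.conf or /etc/apache2/sites-enabled/000-default-ssl)
# at the new files. $1 = config file, $2 = new cert, $3 = new key. Keeps a .bak.
install_cert_paths() {
    conf="$1"; cert="$2"; key="$3"
    cp "$conf" "$conf.bak"
    sed -i.tmp \
        -e "s|^\([[:space:]]*\)SSLCertificateFile[[:space:]].*|\1SSLCertificateFile $cert|" \
        -e "s|^\([[:space:]]*\)SSLCertificateKeyFile[[:space:]].*|\1SSLCertificateKeyFile $key|" \
        "$conf"
    rm -f "$conf.tmp"
}

# Typical rotation on a CentOS/RHEL Controller host (uncomment to run for real):
# gen_selfsigned /etc/pki/tls/private/cc-new.key /etc/pki/tls/certs/cc-new.crt cc.example.com
# cert_matches_key /etc/pki/tls/private/cc-new.key /etc/pki/tls/certs/cc-new.crt
# install_cert_paths /etc/httpd/conf.d/ssl.conf /etc/pki/tls/certs/cc-new.crt /etc/pki/tls/private/cc-new.key
# apachectl configtest && service httpd restart
```

Restarting Apache after the upgrade matters as much as the new files: a running httpd keeps the old, vulnerable OpenSSL mapped until it is restarted.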


If you’re not clear on some of these details or need additional help, please contact us here with a description of the type of help you need:
