Renew or replace the Apache certificates managed by salt-minion

This section describes how to renew or replace the Apache certificates managed by salt-minion.

Warning

If you replace or renew the Apache certificates after the Salt Master CA certificate has been replaced, make sure that both new and old CA certificates are published as described in Publish CA certificates.

To renew or replace the Apache certificates managed by salt-minion:

  1. Log in to the Salt Master node.

  2. Verify your current certificate validity date:

    salt -C 'I@apache:server' cmd.run 'openssl x509 \
    -in /etc/ssl/certs/internal_proxy.crt -text -noout | grep -Ei "after|before"'
    

    Example of system response:

    ctl02.multinode-ha.int:
                    Not Before: May 29 12:58:21 2018 GMT
                    Not After : May 29 12:58:21 2019 GMT
    ctl03.multinode-ha.int:
                    Not Before: May 29 12:58:25 2018 GMT
                    Not After : May 29 12:58:25 2019 GMT
    ctl01.multinode-ha.int:
                    Not Before: Apr 27 12:37:28 2018 GMT
                    Not After : Apr 27 12:37:28 2019 GMT
    
  3. Remove your current certificates from the Apache nodes:

    salt -C 'I@apache:server' cmd.run 'rm -f /etc/ssl/certs/internal_proxy.crt'
    
  4. If you replace the certificates, remove the private key:

    salt -C 'I@apache:server' cmd.run 'rm -f /etc/ssl/private/internal_proxy.key'
    
  5. Renew or replace your certificates by applying the salt.minion.cert state on all Apache nodes one by one:

    salt -C 'I@apache:server' state.sls salt.minion.cert -b1
    
  6. Refresh the CA chain:

    salt -C 'I@apache:server' cmd.run 'cat /etc/ssl/certs/internal_proxy.crt \
    /usr/local/share/ca-certificates/ca-salt_master_ca.crt > \
    /etc/ssl/certs/internal_proxy-with-chain.crt; \
    chmod 0644 /etc/ssl/certs/internal_proxy-with-chain.crt; \
    chown root:root /etc/ssl/certs/internal_proxy-with-chain.crt'
    
  7. Verify the new certificate validity date:

    salt -C 'I@apache:server' cmd.run 'openssl x509 \
    -in /etc/ssl/certs/internal_proxy.crt -text -noout | grep -Ei "after|before"'
    

    Example of system response:

    ctl02.multinode-ha.int:
                    Not Before: Jun  6 17:24:09 2018 GMT
                    Not After : Jun  6 17:24:09 2019 GMT
    ctl03.multinode-ha.int:
                    Not Before: Jun  6 17:24:42 2018 GMT
                    Not After : Jun  6 17:24:42 2019 GMT
    ctl01.multinode-ha.int:
                    Not Before: Jun  6 17:23:38 2018 GMT
                    Not After : Jun  6 17:23:38 2019 GMT
    
  8. Restart the Apache services one by one:

    salt -C 'I@apache:server' cmd.run 'service apache2 stop; service apache2 start; sleep 60' -b1
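
A check for steps 2 and 7, added here as an example and not part of the original procedure: it parses the two `openssl` responses and reports any minion whose certificate was not reissued, returned no dates, or expires within `min_days`. The function names, the 30-day threshold and the sample data are assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed sample input in the format of the system responses above.
BEFORE = """ctl01.multinode-ha.int:
                Not Before: Apr 27 12:37:28 2018 GMT
                Not After : Apr 27 12:37:28 2019 GMT
ctl02.multinode-ha.int:
                Not Before: May 29 12:58:21 2018 GMT
                Not After : May 29 12:58:21 2019 GMT
"""
# Constructed: ctl02 still reports its old dates, as if the state had not reissued it.
AFTER = """ctl01.multinode-ha.int:
                Not Before: Jun  6 17:23:38 2018 GMT
                Not After : Jun  6 17:23:38 2019 GMT
ctl02.multinode-ha.int:
                Not Before: May 29 12:58:21 2018 GMT
                Not After : May 29 12:58:21 2019 GMT
"""
DATE = re.compile(r"^\s+Not (Before|After)\s*:\s*(.+?)\s*$")

def parse_validity(text):
    """Map minion ID -> {"Before": datetime, "After": datetime}."""
    certs, minion = {}, None
    for line in text.splitlines():
        m = DATE.match(line)
        if m and minion:
            when = datetime.strptime(m.group(2), "%b %d %H:%M:%S %Y GMT")
            certs[minion][m.group(1)] = when.replace(tzinfo=timezone.utc)
        elif line and not line[0].isspace() and line.rstrip().endswith(":"):
            minion = line.rstrip()[:-1]  # unindented "name:" line starts a minion
            certs[minion] = {}
    return certs

def audit(before, after, now, min_days=30):
    """Return {minion: [problems]}; an empty dict means every minion passed."""
    old, new, problems = parse_validity(before), parse_validity(after), {}
    for minion in sorted(set(old) | set(new)):
        cert, issues = new.get(minion, {}), []
        prev = old.get(minion, {}).get("Before")
        if "Before" not in cert or "After" not in cert:
            issues.append("no certificate dates returned")
        else:
            if prev and cert["Before"] <= prev:
                issues.append("not reissued")
            if (cert["After"] - now).days < min_days:
                issues.append("expires within %d days" % min_days)
        if issues:
            problems[minion] = issues
    return problems
```

Pass the saved output of step 2 as `before`, the output of step 7 as `after`, and the current UTC time as `now`; restart Apache in step 8 only when the result is empty.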