This section describes how to renew or replace the Apache certificates managed by salt-minion.

Warning
If you replace or renew the Apache certificates after the Salt Master CA certificate has been replaced, make sure that both new and old CA certificates are published as described in Publish CA certificates.

To renew or replace the Apache certificates managed by salt-minion:

1. Log in to the Salt Master node.

2. Verify your current certificate validity date:

       salt -C 'I@apache:server' cmd.run 'openssl x509 \
       -in /etc/ssl/certs/internal_proxy.crt -text -noout | grep -Ei "after|before"'

   Example of system response:

       ctl02.multinode-ha.int:
           Not Before: May 29 12:58:21 2018 GMT
           Not After : May 29 12:58:21 2019 GMT
       ctl03.multinode-ha.int:
           Not Before: May 29 12:58:25 2018 GMT
           Not After : May 29 12:58:25 2019 GMT
       ctl01.multinode-ha.int:
           Not Before: Apr 27 12:37:28 2018 GMT
           Not After : Apr 27 12:37:28 2019 GMT

3. Remove your current certificates from the Apache nodes:

       salt -C 'I@apache:server' cmd.run 'rm -f /etc/ssl/certs/internal_proxy.crt'

4. If you are replacing rather than renewing the certificates, also remove the private key:

       salt -C 'I@apache:server' cmd.run 'rm -f /etc/ssl/private/internal_proxy.key'

5. Renew or replace your certificates by applying the salt.minion.cert state on all Apache nodes one by one:

       salt -C 'I@apache:server' state.sls salt.minion.cert

6. Refresh the CA chain:

       salt -C 'I@apache:server' cmd.run 'cat /etc/ssl/certs/internal_proxy.crt \
       /usr/local/share/ca-certificates/ca-salt_master_ca.crt > \
       /etc/ssl/certs/internal_proxy-with-chain.crt; \
       chmod 0644 /etc/ssl/certs/internal_proxy-with-chain.crt; \
       chown root:root /etc/ssl/certs/internal_proxy-with-chain.crt'

7. Verify the new certificate validity date:

       salt -C 'I@apache:server' cmd.run 'openssl x509 \
       -in /etc/ssl/certs/internal_proxy.crt -text -noout | grep -Ei "after|before"'

   Example of system response:

       ctl02.multinode-ha.int:
           Not Before: Jun 6 17:24:09 2018 GMT
           Not After : Jun 6 17:24:09 2019 GMT
       ctl03.multinode-ha.int:
           Not Before: Jun 6 17:24:42 2018 GMT
           Not After : Jun 6 17:24:42 2019 GMT
       ctl01.multinode-ha.int:
           Not Before: Jun 6 17:23:38 2018 GMT
           Not After : Jun 6 17:23:38 2019 GMT

8. Restart the Apache services one by one:

       salt -C 'I@apache:server' cmd.run 'service apache2 stop; service apache2 start; sleep 60' -b1
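To confirm that the salt.minion.cert state actually reissued every certificate (Not Before advanced on each minion) and that none of the new certificates is close to expiry, the following added script (not part of this procedure or of Salt) compares the output of the two validity checks above. BEFORE and AFTER hold two of the minions from the example responses; in practice, paste in the real output of both commands.

```python
from datetime import datetime, timedelta, timezone

# Constructed from the example responses shown in this procedure (ctl03 omitted).
BEFORE = """\
ctl02.multinode-ha.int:
    Not Before: May 29 12:58:21 2018 GMT
    Not After : May 29 12:58:21 2019 GMT
ctl01.multinode-ha.int:
    Not Before: Apr 27 12:37:28 2018 GMT
    Not After : Apr 27 12:37:28 2019 GMT
"""
AFTER = """\
ctl02.multinode-ha.int:
    Not Before: Jun  6 17:24:09 2018 GMT
    Not After : Jun  6 17:24:09 2019 GMT
ctl01.multinode-ha.int:
    Not Before: Jun  6 17:23:38 2018 GMT
    Not After : Jun  6 17:23:38 2019 GMT
"""

def parse_validity(salt_output):
    """Map each minion id to (not_before, not_after) as aware UTC datetimes."""
    certs, minion = {}, None
    for line in (raw.strip() for raw in salt_output.splitlines() if raw.strip()):
        if not line.startswith("Not "):          # minion header, e.g. "ctl02.multinode-ha.int:"
            minion = line.rstrip(":")
            certs[minion] = [None, None]
            continue
        label, _, value = line.partition(":")    # "Not After " / " Jun  6 17:24:09 2019 GMT"
        # openssl pads single-digit days ("Jun  6"); collapse whitespace before parsing.
        stamp = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")
        idx = 0 if label.strip() == "Not Before" else 1
        certs[minion][idx] = stamp.replace(tzinfo=timezone.utc)
    return {m: tuple(v) for m, v in certs.items()}

def renewal_report(before_output, after_output, now=None, min_days=30):
    """Return {minion: problem} for certs that were not reissued or expire soon."""
    now = now or datetime.now(timezone.utc)
    old, new = parse_validity(before_output), parse_validity(after_output)
    problems = {}
    for minion, (not_before, not_after) in new.items():
        if minion in old and not_before <= old[minion][0]:
            problems[minion] = "certificate was not reissued"   # state left the old file in place
        elif not_after - now < timedelta(days=min_days):
            problems[minion] = "expires in %d days" % (not_after - now).days
    for minion in old.keys() - new.keys():          # minion disappeared from the second check
        problems[minion] = "no certificate reported after renewal"
    return problems
```

An empty report means every minion got a fresh certificate with more than min_days of validity left; anything else names the minion and the reason.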