This section describes how to replace the self-managed Apache certificates.
Warning

If you replace or renew the Apache certificates after the Salt Master CA certificate has been replaced, make sure that both the new and the old CA certificates are published as described in Publish CA certificates.

To replace the self-managed Apache certificates:

1. Log in to the Salt Master node.

2. Verify the validity dates of your current certificates:

       for node in $(salt -C 'I@apache:server' test.ping --output yaml | cut -d':' -f1); do
         for name in $(salt ${node} pillar.get apache:server:site --output=json | \
           jq '.. | .host? | .name?' | grep -v null | sort | uniq); do
           salt ${node} cmd.run "openssl x509 -in /etc/ssl/certs/${name}.crt -text \
             -noout | grep -Ei 'after|before'";
         done;
       done;

   Example of system response:

       ctl02.multinode-ha.int:
           Not Before: May 29 12:58:21 2018 GMT
           Not After : May 29 12:58:21 2019 GMT
       ctl03.multinode-ha.int:
           Not Before: May 29 12:58:25 2018 GMT
           Not After : May 29 12:58:25 2019 GMT
       ctl01.multinode-ha.int:
           Not Before: Apr 27 12:37:28 2018 GMT
           Not After : Apr 27 12:37:28 2019 GMT
3. Open your project Git repository with the Reclass model on the cluster level.

4. In each class file that has the Apache server class enabled, update the _param:apache_proxy_ssl value. The following configuration is an example:

       parameters:
         _param:
           apache_proxy_ssl:
             enabled: true
             mode: secure
             key: |
               -----BEGIN RSA PRIVATE KEY-----
               MIIJKAIBAAKCAgEAxSXLtYhzptxcAdnsNy2r8NkgskPm3J/l54hmhuSoL61LpEIi
               ...
               0z/c5yAddRpU/i6/TH2RlBaSGfmoNw/IuFfLsZI2O6dQo4e+QKX+V3JTeNY=
               -----END RSA PRIVATE KEY-----
             cert: |
               -----BEGIN CERTIFICATE-----
               MIIGEzCCA/ugAwIBAgIILX5kuGcAhw8wDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
               ...
               /in+Y5Wrl1uGHYeFe0yOdb1uxH+PLxc=
               -----END CERTIFICATE-----
             chain: |
               -----BEGIN RSA PRIVATE KEY-----
               MIIJKAIBAAKCAgEAxSXLtYhzptxcAdnsNy2r8NkgskPm3J/l54hmhuSoL61LpEIi
               ...
               0z/c5yAddRpU/i6/TH2RlBaSGfmoNw/IuFfLsZI2O6dQo4e+QKX+V3JTeNY=
               -----END RSA PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIGEzCCA/ugAwIBAgIILX5kuGcAhw8wDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
               ...
               /in+Y5Wrl1uGHYeFe0yOdb1uxH+PLxc=
               -----END CERTIFICATE-----
               -----BEGIN CERTIFICATE-----
               MIIF0TCCA7mgAwIBAgIJAOkTQnjLz6rEMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
               ...
               M8IfJ5I=
               -----END CERTIFICATE-----

   Note

   Modify the example above by adding your own certificates and key: update the key, cert, and chain sections.

5. Remove your current certificates from the Apache nodes:

       for node in $(salt -C 'I@apache:server' test.ping --output yaml | cut -d':' -f1); do
         for name in $(salt ${node} pillar.get apache:server:site --output=json | \
           jq '.. | .host? | .name?' | grep -v null | sort | uniq); do
           salt ${node} cmd.run "rm -f /etc/ssl/certs/${name}.crt";
         done;
       done;
6. Apply the apache.server state on all Apache nodes one by one:

       salt -C 'I@apache:server' state.sls apache.server

7. Verify the validity dates of the new certificates:

       for node in $(salt -C 'I@apache:server' test.ping --output yaml | cut -d':' -f1); do
         for name in $(salt ${node} pillar.get apache:server:site --output=json | \
           jq '.. | .host? | .name?' | grep -v null | sort | uniq); do
           salt ${node} cmd.run "openssl x509 -in /etc/ssl/certs/${name}.crt -text \
             -noout | grep -Ei 'after|before'";
         done;
       done;

   Example of system response:

       ctl02.multinode-ha.int:
           Not Before: Jun 6 17:24:09 2018 GMT
           Not After : Jun 6 17:24:09 2019 GMT
       ctl03.multinode-ha.int:
           Not Before: Jun 6 17:24:42 2018 GMT
           Not After : Jun 6 17:24:42 2019 GMT
       ctl01.multinode-ha.int:
           Not Before: Jun 6 17:23:38 2018 GMT
           Not After : Jun 6 17:23:38 2019 GMT

8. Restart the Apache services one by one:

       salt -C 'I@apache:server' cmd.run 'service apache2 stop; service apache2 start' -b 1