Replace the self-managed Apache certificates

This section describes how to replace the self-managed Apache certificates.

Warning

If you replace or renew the Apache certificates after the Salt Master CA certificate has been replaced, make sure that both new and old CA certificates are published as described in Publish CA certificates.

To replace the self-managed Apache certificates:

  1. Log in to the Salt Master node.

  2. Verify your current certificate validity date:

    # jq -r prints the site host names without JSON quotes
    for node in $(salt -C 'I@apache:server' test.ping --output yaml | cut -d':' -f1); do
      for name in $(salt ${node} pillar.get apache:server:site --output=json | \
      jq -r '.. | .host? | .name?' | grep -v null | sort | uniq); do
        salt ${node} cmd.run "openssl x509 -in /etc/ssl/certs/${name}.crt -text \
        -noout | grep -Ei 'after|before'";
      done;
    done;
    

    Example of system response:

    ctl02.multinode-ha.int:
                    Not Before: May 29 12:58:21 2018 GMT
                    Not After : May 29 12:58:21 2019 GMT
    ctl03.multinode-ha.int:
                    Not Before: May 29 12:58:25 2018 GMT
                    Not After : May 29 12:58:25 2019 GMT
    ctl01.multinode-ha.int:
                    Not Before: Apr 27 12:37:28 2018 GMT
                    Not After : Apr 27 12:37:28 2019 GMT
    
  3. Open your project Git repository with Reclass model on the cluster level.

  4. For each class file with the Apache server class enabled, update the _param:apache_proxy_ssl value. Use the following configuration as an example:

    parameters:
      _param:
        apache_proxy_ssl:
          enabled: true
          mode: secure
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            MIIJKAIBAAKCAgEAxSXLtYhzptxcAdnsNy2r8NkgskPm3J/l54hmhuSoL61LpEIi
            ...
            0z/c5yAddRpU/i6/TH2RlBaSGfmoNw/IuFfLsZI2O6dQo4e+QKX+V3JTeNY=
            -----END RSA PRIVATE KEY-----
          cert: |
            -----BEGIN CERTIFICATE-----
            MIIGEzCCA/ugAwIBAgIILX5kuGcAhw8wDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
            ...
            /in+Y5Wrl1uGHYeFe0yOdb1uxH+PLxc=
            -----END CERTIFICATE-----
          chain: |
            -----BEGIN RSA PRIVATE KEY-----
            MIIJKAIBAAKCAgEAxSXLtYhzptxcAdnsNy2r8NkgskPm3J/l54hmhuSoL61LpEIi
            ...
            0z/c5yAddRpU/i6/TH2RlBaSGfmoNw/IuFfLsZI2O6dQo4e+QKX+V3JTeNY=
            -----END RSA PRIVATE KEY-----
            -----BEGIN CERTIFICATE-----
            MIIGEzCCA/ugAwIBAgIILX5kuGcAhw8wDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
            ...
            /in+Y5Wrl1uGHYeFe0yOdb1uxH+PLxc=
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            MIIF0TCCA7mgAwIBAgIJAOkTQnjLz6rEMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
            ...
            M8IfJ5I=
            -----END CERTIFICATE-----
    

    Note

    Modify the example above by adding your certificates and key:

    • If you renew the certificates, leave your existing key and update the cert and chain sections.

    • If you replace the certificates, modify all three sections.

  5. Remove your current certificates from the Apache nodes:

    for node in $(salt -C 'I@apache:server' test.ping --output yaml | cut -d':' -f1); do
      for name in $(salt ${node} pillar.get apache:server:site --output=json | \
      jq -r '.. | .host? | .name?' | grep -v null | sort | uniq); do
        salt ${node} cmd.run "rm -f /etc/ssl/certs/${name}.crt";
      done;
    done;
    
  6. Apply the apache.server state on all Apache nodes one by one:

    salt -C 'I@apache:server' state.sls apache.server -b 1
    
  7. Verify the new certificate validity date:

    for node in $(salt -C 'I@apache:server' test.ping --output yaml | cut -d':' -f1); do
      for name in $(salt ${node} pillar.get apache:server:site --output=json | \
      jq -r '.. | .host? | .name?' | grep -v null | sort | uniq); do
        salt ${node} cmd.run "openssl x509 -in /etc/ssl/certs/${name}.crt -text \
        -noout | grep -Ei 'after|before'";
      done;
    done;
    

    Example of system response:

    ctl02.multinode-ha.int:
                    Not Before: Jun  6 17:24:09 2018 GMT
                    Not After : Jun  6 17:24:09 2019 GMT
    ctl03.multinode-ha.int:
                    Not Before: Jun  6 17:24:42 2018 GMT
                    Not After : Jun  6 17:24:42 2019 GMT
    ctl01.multinode-ha.int:
                    Not Before: Jun  6 17:23:38 2018 GMT
                    Not After : Jun  6 17:23:38 2019 GMT
    
  8. Restart the Apache services one by one:

    salt -C 'I@apache:server' cmd.run 'service apache2 stop; service apache2 start' -b 1
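The validity checks in steps 2 and 7 are easier to act on when the Salt output is parsed rather than read by eye. The following Python script is an added example, not part of the original page: it parses the output shape shown above (the node names, dates and the deliberately stale ctl01 entry are constructed samples), lists certificates that expire within a threshold, and compares the step 2 and step 7 outputs to catch any node whose certificate the state did not actually replace.

```python
import re
from datetime import datetime, timezone

# Constructed samples in the shape Salt prints for the loops in steps 2 and 7 (node header,
# then openssl's Not Before/Not After lines). In AFTER, ctl01 keeps its old dates on purpose.
BEFORE = """\
ctl02.multinode-ha.int:
                Not Before: May 29 12:58:21 2018 GMT
                Not After : May 29 12:58:21 2019 GMT
ctl01.multinode-ha.int:
                Not Before: Apr 27 12:37:28 2018 GMT
                Not After : Apr 27 12:37:28 2019 GMT
"""
AFTER = """\
ctl02.multinode-ha.int:
                Not Before: Jun  6 17:24:09 2018 GMT
                Not After : Jun  6 17:24:09 2019 GMT
ctl01.multinode-ha.int:
                Not Before: Apr 27 12:37:28 2018 GMT
                Not After : Apr 27 12:37:28 2019 GMT
"""
REFERENCE_NOW = datetime(2018, 6, 7, tzinfo=timezone.utc)  # constructed "today" for the checks

NODE_RE = re.compile(r"^(\S+):\s*$")
DATE_RE = re.compile(r"^\s+Not (Before|After)\s*:\s*(.+?)\s*$")

def parse_validity(text):
    """Map each node name to its {"not_before", "not_after"} UTC datetimes."""
    nodes, current = {}, None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            current = nodes.setdefault(m.group(1), {})
            continue
        m = DATE_RE.match(line)
        if m and current is not None:
            # openssl prints "Jun  6 17:24:09 2018 GMT"; strptime tolerates the double space
            stamp = datetime.strptime(m.group(2).replace(" GMT", ""), "%b %d %H:%M:%S %Y")
            current["not_" + m.group(1).lower()] = stamp.replace(tzinfo=timezone.utc)
    return nodes

def expiring(validity, now, warn_days=30):
    """(node, days_left) for certificates expired or expiring within warn_days, soonest first."""
    hits = [(n, (v["not_after"] - now).days) for n, v in validity.items() if "not_after" in v]
    return sorted((h for h in hits if h[1] <= warn_days), key=lambda h: h[1])

def not_renewed(before, after):
    """Nodes whose Not After did not move forward between the step 2 and step 7 outputs."""
    return sorted(n for n, v in before.items()
                  if n not in after or after[n].get("not_after", v["not_after"]) <= v["not_after"])
```

Run it against the real output by pasting the step 2 result into BEFORE and the step 7 result into AFTER; any node returned by not_renewed still serves the old certificate and needs the state re-applied.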