Renew or replace the HAProxy certificates managed by salt-minion

Renew or replace the HAProxy certificates managed by salt-minion

This section describes how to renew or replace the HAProxy certificates managed by salt-minion.

To renew or replace the HAProxy certificates managed by salt-minion:

  1. Log in to the Salt Master node.

  2. Obtain the list of the HAProxy minions IDs where the certificate should be replaced:

    salt -C 'I@haproxy:proxy:listen:*:binds:ssl:enabled:true' \
    pillar.get _nonexistent | cut -d':' -f1
    

    Example of system response:

    cid02.multinode-ha.int
    cid03.multinode-ha.int
    cid01.multinode-ha.int
    
  3. Verify the certificate validity date for each HAProxy minion listed in the output of the above command:

    for m in $(salt -C 'I@haproxy:proxy:listen:*:binds:ssl:enabled:true' \
    pillar.get _nonexistent | cut -d':' -f1); do for c in $(salt -C ${m} \
    pillar.get 'haproxy:proxy:listen' --out=txt | egrep -o "'pem_file': '\S+'" | \
    cut -d"'" -f4 | sort | uniq | tr '\n' ' '); do salt -C ${m} \
    cmd.run "openssl x509 -in ${c} -text | egrep -i 'after|before'"; done; done;
    

    Example of system response:

    cid02.multinode-ha.int:
                    Not Before: May 29 12:58:21 2018 GMT
                    Not After : May 29 12:58:21 2019 GMT
    
  4. Remove your current certificates from each HAProxy minion:

    for m in $(salt -C 'I@haproxy:proxy:listen:*:binds:ssl:enabled:true' \
    pillar.get _nonexistent | cut -d':' -f1); do for c in $(salt -C ${m} \
    pillar.get 'haproxy:proxy:listen' --out=txt | egrep -o "'pem_file': '\S+'" | cut -d"'" \
    -f4 | sort | uniq | sed s/-all.pem/.crt/ | tr '\n' ' '); \
    do salt -C ${m} cmd.run "rm -f ${c}"; done; done; \
    for m in $(salt -C 'I@haproxy:proxy:listen:*:binds:ssl:enabled:true' \
    pillar.get _nonexistent | cut -d':' -f1); do for c in $(salt -C ${m} \
    pillar.get 'haproxy:proxy:listen' --out=txt | egrep -o "'pem_file': '\S+'" | cut -d"'" \
    -f4 | sort | uniq | tr '\n' ' '); do salt -C ${m} cmd.run "rm -f ${c}"; done; done; \
    salt -C 'I@haproxy:proxy:listen:*:binds:ssl:enabled:true' \
    cmd.run 'rm -f /etc/haproxy/ssl/salt_master_ca-ca.crt'
    
  5. If you replace the certificates, remove the private key:

    for m in $(salt -C 'I@haproxy:proxy:listen:*:binds:ssl:enabled:true' \
    pillar.get _nonexistent | cut -d':' -f1); do for c in $(salt -C ${m} \
    pillar.get 'haproxy:proxy:listen' --out=txt | egrep -o "'pem_file': '\S+'" | cut -d"'" \
    -f4 | sort | uniq | sed s/-all.pem/.key/ | tr '\n' ' '); \
    do salt -C ${m} cmd.run "rm -f ${c}"; done; done;
    
  6. Apply the salt.minion.grains state for all HAProxy nodes to retrieve the CA certificate from Salt Master:

    salt -C 'I@haproxy:proxy:listen:*:binds:ssl:enabled:true' state.sls salt.minion.grains
    
  7. Apply the salt.minion.cert state for all HAProxy nodes:

    salt -C 'I@haproxy:proxy:listen:*:binds:ssl:enabled:true' state.sls salt.minion.cert
    
  8. Verify the new certificate validity date:

    for m in $(salt -C 'I@haproxy:proxy:listen:*:binds:ssl:enabled:true' \
    pillar.get _nonexistent | cut -d':' -f1); do for c in $(salt -C ${m} \
    pillar.get 'haproxy:proxy:listen' --out=txt | egrep -o "'pem_file': '\S+'" | cut -d"'" \
    -f4 | sort | uniq | tr '\n' ' '); do salt -C ${m} \
    cmd.run "openssl x509 -in ${c} -text | egrep -i 'after|before'"; done; done;
    

    Example of system response:

    cid02.multinode-ha.int:
                    Not Before: Jun  6 17:24:09 2018 GMT
                    Not After : Jun  6 17:24:09 2019 GMT
    
  9. Restart the HAProxy services on each HAProxy minion and remove the VIP before restart:

    salt -C 'I@haproxy:proxy:listen:*:binds:ssl:enabled:true' \
    cmd.run 'service keepalived stop; sleep 5; \
    service haproxy stop; service haproxy start; service keepalived start' -b 1