Renew or replace the self-managed HAProxy certificates

This section describes how to renew or replace the self-managed HAProxy certificates.

To renew or replace the self-managed HAProxy certificates:

  1. Log in to the Salt Master node.

  2. Verify the certificate validity date:

    for node in $(salt -C 'I@haproxy:proxy' test.ping --output yaml | cut -d':' -f1); do
      for name in $(salt ${node} pillar.get haproxy:proxy --output=json | jq -r '.. | .listen? | .. | .ssl? | .pem_file?' | grep -v null | sort | uniq); do
        salt ${node} cmd.run "openssl x509 -in ${name} -text -noout | grep -Ei 'after|before'"
      done
    done

    Note

    In the command above, the pem_file pillar value provides the explicit path of each certificate file on the node. The jq filter is passed as a single quoted argument; jq -r prints the paths without surrounding quotes.

    Example of system response:

    cid02.multinode-ha.int:
                    Not Before: May 25 15:32:17 2018 GMT
                    Not After : May 25 15:32:17 2019 GMT
    cid01.multinode-ha.int:
                    Not Before: May 25 15:29:17 2018 GMT
                    Not After : May 25 15:29:17 2019 GMT
    cid03.multinode-ha.int:
                    Not Before: May 25 15:21:17 2018 GMT
                    Not After : May 25 15:21:17 2019 GMT
    
  3. Open your project Git repository with Reclass model on the cluster level.

  4. For each class file that enables the HAProxy class, update its pillar values, using the following configuration as an example:

    parameters:
      _params:
        haproxy_proxy_ssl:
          enabled: true
          mode: secure
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            MIIJKAIBAAKCAgEAxSXLtYhzptxcAdnsNy2r8NkgskPm3J/l54hmhuSoL61LpEIi
            ...
            0z/c5yAddRpU/i6/TH2RlBaSGfmoNw/IuFfLsZI2O6dQo4e+QKX+V3JTeNY=
            -----END RSA PRIVATE KEY-----
          cert: |
            -----BEGIN CERTIFICATE-----
            MIIGEzCCA/ugAwIBAgIILX5kuGcAhw8wDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
            ...
            /in+Y5Wrl1uGHYeFe0yOdb1uxH+PLxc=
            -----END CERTIFICATE-----
          chain: |
            -----BEGIN RSA PRIVATE KEY-----
            MIIJKAIBAAKCAgEAxSXLtYhzptxcAdnsNy2r8NkgskPm3J/l54hmhuSoL61LpEIi
            ...
            0z/c5yAddRpU/i6/TH2RlBaSGfmoNw/IuFfLsZI2O6dQo4e+QKX+V3JTeNY=
            -----END RSA PRIVATE KEY-----
            -----BEGIN CERTIFICATE-----
            MIIGEzCCA/ugAwIBAgIILX5kuGcAhw8wDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
            ...
            /in+Y5Wrl1uGHYeFe0yOdb1uxH+PLxc=
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            MIIF0TCCA7mgAwIBAgIJAOkTQnjLz6rEMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
            ...
            M8IfJ5I=
            -----END CERTIFICATE-----
    

    Note

    Modify the example above by adding your certificates and key:

    • If you renew the certificates, leave your existing key and update the cert and chain sections.

    • If you replace the certificates, modify all three sections.

  5. Remove your current certificates from the HAProxy nodes:

    for node in $(salt -C 'I@haproxy:proxy' test.ping --output yaml | cut -d':' -f1); do
      for name in $(salt ${node} pillar.get haproxy:proxy --output=json | jq -r '.. | .listen? | .. | .ssl? | .pem_file?' | grep -v null | sort | uniq); do
        salt ${node} cmd.run "rm -f ${name}"
      done
    done

  6. Apply the haproxy.proxy state on all HAProxy nodes one by one:

    salt -C 'I@haproxy:proxy' state.sls haproxy.proxy -b 1
    
  7. Verify the new certificate validity date:

    for node in $(salt -C 'I@haproxy:proxy' test.ping --output yaml | cut -d':' -f1); do
      for name in $(salt ${node} pillar.get haproxy:proxy --output=json | jq -r '.. | .listen? | .. | .ssl? | .pem_file?' | grep -v null | sort | uniq); do
        salt ${node} cmd.run "openssl x509 -in ${name} -text -noout | grep -Ei 'after|before'"
      done
    done

    Example of system response:

    cid02.multinode-ha.int:
                    Not Before: May 25 15:29:17 2018 GMT
                    Not After : May 25 15:29:17 2019 GMT
    cid03.multinode-ha.int:
                    Not Before: May 25 15:29:17 2018 GMT
                    Not After : May 25 15:29:17 2019 GMT
    cid01.multinode-ha.int:
                    Not Before: May 25 15:29:17 2018 GMT
                    Not After : May 25 15:29:17 2019 GMT
    
  8. Restart the HAProxy services one by one. Stop keepalived first so that the VIP moves off the node before HAProxy is restarted, and start it again afterwards:

    salt -C 'I@haproxy:proxy' cmd.run 'service keepalived stop; sleep 5; service haproxy stop; service haproxy start; service keepalived start' -b 1