This section describes how to renew or replace the self-managed HAProxy certificates.
To renew or replace the self-managed HAProxy certificates:
Log in to the Salt Master node.
Verify the certificate validity date:

for node in $(salt -C 'I@haproxy:proxy' test.ping --output yaml | cut -d':' -f1); do
  # -r prints the path without JSON quotes; the jq filter must stay on one line, a backslash inside single quotes reaches jq literally and breaks the filter
  for name in $(salt ${node} pillar.get haproxy:proxy --output=json | jq -r '.. | .listen? | .. | .ssl? | .pem_file?' | grep -v null | sort | uniq); do
    salt ${node} cmd.run "openssl x509 -in ${name} -text -noout | grep -Ei 'after|before'";
  done;
done;
Note
In the command above, the pem_file value specifies the explicit certificate path.
Example of system response:

cid02.multinode-ha.int:
    Not Before: May 25 15:32:17 2018 GMT
    Not After : May 25 15:32:17 2019 GMT
cid01.multinode-ha.int:
    Not Before: May 25 15:29:17 2018 GMT
    Not After : May 25 15:29:17 2019 GMT
cid03.multinode-ha.int:
    Not Before: May 25 15:21:17 2018 GMT
    Not After : May 25 15:21:17 2019 GMT
Open your project Git repository with the Reclass model on the cluster level.
For each class file with the HAProxy class enabled, update its pillar values, using the following configuration as an example:
parameters:
  _params:
    haproxy_proxy_ssl:
      enabled: true
      mode: secure
      key: |
        -----BEGIN RSA PRIVATE KEY-----
        MIIJKAIBAAKCAgEAxSXLtYhzptxcAdnsNy2r8NkgskPm3J/l54hmhuSoL61LpEIi
        ...
        0z/c5yAddRpU/i6/TH2RlBaSGfmoNw/IuFfLsZI2O6dQo4e+QKX+V3JTeNY=
        -----END RSA PRIVATE KEY-----
      cert: |
        -----BEGIN CERTIFICATE-----
        MIIGEzCCA/ugAwIBAgIILX5kuGcAhw8wDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
        ...
        /in+Y5Wrl1uGHYeFe0yOdb1uxH+PLxc=
        -----END CERTIFICATE-----
      chain: |
        -----BEGIN RSA PRIVATE KEY-----
        MIIJKAIBAAKCAgEAxSXLtYhzptxcAdnsNy2r8NkgskPm3J/l54hmhuSoL61LpEIi
        ...
        0z/c5yAddRpU/i6/TH2RlBaSGfmoNw/IuFfLsZI2O6dQo4e+QKX+V3JTeNY=
        -----END RSA PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        MIIGEzCCA/ugAwIBAgIILX5kuGcAhw8wDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
        ...
        /in+Y5Wrl1uGHYeFe0yOdb1uxH+PLxc=
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIF0TCCA7mgAwIBAgIJAOkTQnjLz6rEMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
        ...
        M8IfJ5I=
        -----END CERTIFICATE-----
Note
Modify the pillar example above by adding your own certificates and key: update the key, cert, and chain values.

Remove your current certificates from the HAProxy nodes:
for node in $(salt -C 'I@haproxy:proxy' test.ping --output yaml | cut -d':' -f1); do
  # same pillar lookup as in the validity check; the jq filter must stay on one line
  for name in $(salt ${node} pillar.get haproxy:proxy --output=json | jq -r '.. | .listen? | .. | .ssl? | .pem_file?' | grep -v null | sort | uniq); do
    salt ${node} cmd.run "rm -f ${name}";
  done;
done;
Apply the haproxy.proxy state on all HAProxy nodes one by one:
salt -C 'I@haproxy:proxy' state.sls haproxy.proxy -b 1
Verify the new certificate validity date:

for node in $(salt -C 'I@haproxy:proxy' test.ping --output yaml | cut -d':' -f1); do
  for name in $(salt ${node} pillar.get haproxy:proxy --output=json | jq -r '.. | .listen? | .. | .ssl? | .pem_file?' | grep -v null | sort | uniq); do
    salt ${node} cmd.run "openssl x509 -in ${name} -text -noout | grep -Ei 'after|before'";
  done;
done;
Example of system response:

cid02.multinode-ha.int:
    Not Before: May 25 15:29:17 2018 GMT
    Not After : May 25 15:29:17 2019 GMT
cid03.multinode-ha.int:
    Not Before: May 25 15:29:17 2018 GMT
    Not After : May 25 15:29:17 2019 GMT
cid01.multinode-ha.int:
    Not Before: May 25 15:29:17 2018 GMT
    Not After : May 25 15:29:17 2019 GMT
Restart the HAProxy services one by one, removing the VIP (by stopping keepalived) before each restart:

salt -C 'I@haproxy:proxy' cmd.run \
  'service keepalived stop; sleep 5; service haproxy stop; service haproxy start; service keepalived start' -b 1