Renew or replace the NGINX certificates managed by salt-minion

This section describes how to renew or replace the NGINX certificates managed by salt-minion.

To renew or replace the NGINX certificates managed by salt-minion:

  1. Complete the steps described in Verify the GlusterFS share salt_pki.

  2. Log in to the Salt Master node.

  3. Verify the certificate validity date:

    openssl x509 -in /srv/salt/pki/*/proxy.crt -text -noout | grep -Ei 'after|before'
    

    Example of system response:

    Not Before: May 30 17:21:10 2018 GMT
    Not After : May 30 17:21:10 2019 GMT
    
  4. Remove your current certificates from the Salt Master node.

    Note

    The following command also removes certificates from all proxy nodes as they use the same GlusterFS share.

    rm -f /srv/salt/pki/*/*.[pemcrt]*
    
  5. If you replace the certificates, remove the private key:

    rm -f /srv/salt/pki/*/proxy.key
    
  6. Renew or replace your certificates by applying the salt.minion state on all proxy nodes one by one:

    salt -C 'I@nginx:server:site:*:host:protocol:https' state.sls salt.minion.cert -b 1
    
  7. Apply the nginx state on all proxy nodes one by one:

    salt -C 'I@nginx:server:site:*:host:protocol:https' state.sls nginx -b 1
    
  8. Verify the new certificate validity date:

    openssl x509 -in /srv/salt/pki/*/proxy.crt -text -noout | grep -Ei 'after|before'
    

    Example of system response:

    Not Before: May 30 17:21:10 2018 GMT
    Not After : May 30 17:21:10 2019 GMT
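
The validity check in steps 3 and 8 can be extended to run over each `proxy.crt` matched by `/srv/salt/pki/*/proxy.crt` separately. The script below is an added example, not part of the original procedure: it fails a certificate that expires within a threshold or that does not match the `proxy.key` beside it. The function names, the script name, and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original procedure.
# Assumed layout (from the paths on this page): <root>/<dir>/proxy.crt with
# proxy.key beside it. The function names and 30-day default are hypothetical.

# Succeeds if the certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if the private key $2 belongs to the certificate $1.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Checks every proxy.crt under root $1 against threshold $2 (days).
# Returns 0 if all pass, 1 if any fails, 2 if no certificate was found.
check_pki_root() {
    rc=2
    for crt in "$1"/*/proxy.crt; do
        [ -f "$crt" ] || continue
        [ "$rc" -eq 2 ] && rc=0
        key="${crt%.crt}.key"
        end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null)
        if ! cert_valid_for_days "$crt" "$2"; then
            echo "FAIL $crt: expires within $2 days (${end:-unreadable})"; rc=1
        elif [ ! -f "$key" ]; then
            echo "FAIL $crt: $key is missing"; rc=1
        elif ! cert_matches_key "$crt" "$key"; then
            echo "FAIL $crt: does not match $key"; rc=1
        else
            echo "OK   $crt: $end"
        fi
    done
    return "$rc"
}

# Usage: sh check_proxy_certs.sh /srv/salt/pki [days]
if [ "$#" -gt 0 ]; then
    check_pki_root "$1" "${2:-30}"
fi
```

Run it on the Salt Master node before step 4 and again after step 7. A `does not match` result after renewal means the certificate and private key on the share are out of sync.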