This section describes how to renew the self-managed NGINX certificates.
To renew the self-managed NGINX certificates:
Complete the steps described in Verify the GlusterFS share salt_pki.
Open your project Git repository with the Reclass model on the cluster level.
Update the /openstack/proxy.yml file using the following configuration as an example. The parameter namespace is _param (the same one the ${_param:cluster_name} references in this file resolve against):
parameters:
  _param:
    nginx_proxy_ssl:
      enabled: true
      mode: secure
      key_file: /srv/salt/pki/${_param:cluster_name}/FQDN_PROXY_CERT.key
      cert_file: /srv/salt/pki/${_param:cluster_name}/FQDN_PROXY_CERT.crt
      chain_file: /srv/salt/pki/${_param:cluster_name}/FQDN_PROXY_CERT_CHAIN.crt
      key: |
        -----BEGIN PRIVATE KEY-----
        MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQC3qXiZiugf6HlR
        ...
        aXK0Fg1hJKu60Oh+E5H1d+ZVbP30xpdQ
        -----END PRIVATE KEY-----
      cert: |
        -----BEGIN CERTIFICATE-----
        MIIHDzCCBPegAwIBAgIDLYclMA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
        ...
        lHfjP1c6iWAL0YEp1IMCeM01l4WWj0ymb7f4wgOzcULfwzU=
        -----END CERTIFICATE-----
      chain: |
        -----BEGIN CERTIFICATE-----
        MIIFgDCCA2igAwIBAgIDET0sMA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
        ...
        UPwFzYIVkwy4ny+UJm9js8iynKro643mXty9vj5TdN1iK3ZA4f4/7kenuHtGBNur
        WzUuf8H9dBW2DPtk5Jq/+QWtYMs=
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIGXzCCBEegAwIBAgIDEUB0MA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
        ...
        /inxvBr89TvbCP2hweGMD6w1mKJU2SWEQwMs7P72dU7VuVqyyoutMWakJZ+xoGE9
        YqQO
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIHDzCCBPegAwIBAgIDLYclMA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
        ...
        lHfjP1c6iWAL0YEp1IMCeM01l4WWj0ymb7f4wgOzcULfwzU=
        -----END CERTIFICATE-----
Note
Modify the example above by adding your own certificates and key: replace the contents of the key, cert, and chain sections.
Note
The key, cert, and chain sections are optional. You can select from the following options:
- Store the certificates and the key under /srv/salt/pki/**/ and add the key_file, cert_file, and chain_file lines to /openstack/proxy.yml.
- Add the key, cert, and chain sections without the key_file, cert_file, and chain_file lines to /openstack/proxy.yml. The certificates are then stored under the /etc directory, which is the default path in the Salt formula.
- Use both: add the key, cert, and chain sections to /openstack/proxy.yml and store the certificates under /srv/salt/pki/** as well. This option requires manual upload of the contents of the certificate and key files into the .yml file.
Keep in mind that an inline key section places the private key in the Reclass Git repository and its history; either restrict access to that repository accordingly or prefer the key_file option with the key kept on the salt_pki share.
The commands below use the proxy.crt and proxy.key file names; if your key_file and cert_file lines point at files with different names, adjust the paths.
Log in to the Salt Master node.
Verify the current certificate validity date and record the Not After value so that you can compare it after the renewal:
openssl x509 -in /srv/salt/pki/*/proxy.crt -text -noout | grep -Ei 'after|before'
Example of system response:
Not Before: May 30 17:21:10 2018 GMT
Not After : May 30 17:21:10 2019 GMT
Remove the current certificates.
Note
The following command also removes the certificates from all proxy nodes, as they use the same GlusterFS share. The pattern matches files such as .crt, .pem, and .csr but not .key, so proxy.key stays in place and a renewal reuses the existing key pair.
rm -f /srv/salt/pki/*/*.[pemcrt]*
If you are replacing the certificates rather than renewing them for the same key pair, remove the private key as well:
rm -f /srv/salt/pki/*/proxy.key
Apply the nginx state on all proxy nodes one by one (-b 1 runs the state on one minion at a time, so the other proxy nodes keep serving while each one is reconfigured):
salt -C 'I@nginx:server' state.sls nginx -b 1
Verify the new certificate validity date:
openssl x509 -in /srv/salt/pki/*/proxy.crt -text -noout | grep -Ei 'after|before'
Compare the Not After value with the one recorded before the renewal: it must have moved forward. If it is unchanged, the old certificate is still in place and the nginx state did not produce a new one.
Restart the NGINX services one node at a time, stopping keepalived first so that the VIP moves away from the node before its NGINX is restarted:
salt -C 'I@nginx:server' cmd.run 'service keepalived stop; sleep 5; service nginx restart; service keepalived start' -b 1
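The checks a practitioner would run after the renewal, as an added example that is not part of the MCP documentation or of the Salt nginx formula: a POSIX shell script that confirms the renewed certificate belongs to the private key next to it (the failure mode the "remove the private key" step guards against), that it still has enough validity left, that it verifies against the certificates in the chain file, and that reports the fingerprint of the certificate actually presented on the VIP for comparison with the file on the salt_pki share. The sample PKI it builds in a temporary directory (a throwaway root CA, a proxy certificate signed by it, and an unrelated stale key) is constructed for this example; the proxy.crt and proxy.key names follow the commands above, and the host and port of the served-certificate check are placeholders you supply.

```shell
#!/bin/sh
# Post-renewal checks for the NGINX proxy certificate.
# Added example: not part of the MCP documentation or the Salt nginx formula.
# Requires the openssl command-line tool.
set -u

# Exit 0 if the certificate's public key equals the private key's public key.
# Catches a renewed proxy.crt sitting next to a stale proxy.key.
cert_matches_key() {                      # $1 = cert.pem  $2 = key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the certificate is still valid $2 days from now (openssl -checkend).
cert_valid_for_days() {                   # $1 = cert.pem  $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Exit 0 if the certificate verifies against the CA certificates in the chain file.
# -CAfile treats every certificate in the file as trusted; for a stricter check
# pass only the root here and the intermediates via -untrusted.
cert_chains_to() {                        # $1 = cert.pem  $2 = chain.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate file, e.g. "AB:CD:...".
cert_fingerprint() {                      # $1 = cert.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate presented by a TLS listener, for
# comparing what NGINX serves on the VIP with the file on the salt_pki share.
# Host and port are placeholders supplied by the caller; needs network access.
served_fingerprint() {                    # $1 = host  $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed sample input: a throwaway root CA, a proxy certificate it signed
# (valid 30 days) and an unrelated "stale" key that does not belong to the cert.
make_sample_pki() {                       # $1 = directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Sample Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=proxy.example.test" \
        -keyout "$1/proxy.key" -out "$1/proxy.csr" 2>/dev/null
    openssl x509 -req -in "$1/proxy.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/proxy.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/stale.key" 2>/dev/null
}

# Print ok/FAIL for one check.
report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; fi; }

# Stand-alone run against the sample PKI:  sh check_proxy_cert.sh demo
demo() {
    d=$(mktemp -d)
    make_sample_pki "$d"
    report cert_matches_key "$d/proxy.crt" "$d/proxy.key"
    report cert_matches_key "$d/proxy.crt" "$d/stale.key"    # expected FAIL
    report cert_valid_for_days "$d/proxy.crt" 7
    report cert_chains_to "$d/proxy.crt" "$d/ca.crt"
    echo "on-disk fingerprint: $(cert_fingerprint "$d/proxy.crt")"
    rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real cluster, run the file checks on the Salt Master against /srv/salt/pki/<cluster_name>/proxy.crt, proxy.key and the chain file, then compare cert_fingerprint of the file with served_fingerprint of the proxy VIP after the restart step; the two values must be equal on every proxy node, otherwise that node is still serving the old certificate.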