Renew the self-managed NGINX certificates

This section describes how to renew the self-managed NGINX certificates.

To renew the self-managed NGINX certificates:

  1. Complete the steps described in Verify the GlusterFS share salt_pki.

  2. Open your project Git repository with the Reclass model on the cluster level.

  3. Update the /openstack/proxy.yml file with the following configuration as an example:

    parameters:
      _params:
        nginx_proxy_ssl:
          enabled: true
          mode: secure
          key_file:  /srv/salt/pki/${_param:cluster_name}/FQDN_PROXY_CERT.key
          cert_file: /srv/salt/pki/${_param:cluster_name}/FQDN_PROXY_CERT.crt
          chain_file: /srv/salt/pki/${_param:cluster_name}/FQDN_PROXY_CERT_CHAIN.crt
          key: |
            -----BEGIN PRIVATE KEY-----
            MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQC3qXiZiugf6HlR
            ...
            aXK0Fg1hJKu60Oh+E5H1d+ZVbP30xpdQ
            -----END PRIVATE KEY-----
          cert: |
            -----BEGIN CERTIFICATE-----
            MIIHDzCCBPegAwIBAgIDLYclMA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
            ...
            lHfjP1c6iWAL0YEp1IMCeM01l4WWj0ymb7f4wgOzcULfwzU=
            -----END CERTIFICATE-----
          chain: |
            -----BEGIN CERTIFICATE-----
            MIIFgDCCA2igAwIBAgIDET0sMA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
            ...
            UPwFzYIVkwy4ny+UJm9js8iynKro643mXty9vj5TdN1iK3ZA4f4/7kenuHtGBNur
            WzUuf8H9dBW2DPtk5Jq/+QWtYMs=
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            MIIGXzCCBEegAwIBAgIDEUB0MA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
            ...
            /inxvBr89TvbCP2hweGMD6w1mKJU2SWEQwMs7P72dU7VuVqyyoutMWakJZ+xoGE9
            YqQO
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            MIIHDzCCBPegAwIBAgIDLYclMA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
            ...
            lHfjP1c6iWAL0YEp1IMCeM01l4WWj0ymb7f4wgOzcULfwzU=
            -----END CERTIFICATE-----
    

    Note

    Modify the example above by adding your certificates and key:

    • If you renew the certificates, leave your existing key and update the cert and chain sections.

    • If you replace the certificates, modify all three sections.

    Note

    The key, cert, and chain sections are optional. You can select from the following options:

    • Store certificates in the file system in /srv/salt/pki/**/ and add the key_file, cert_file, and chain_file lines to /openstack/proxy.yml.

    • Add only the key, cert, and chain sections without the key_file, cert_file, and chain_file lines to /openstack/proxy.yml. The certificates are stored under the /etc directory as default paths in the Salt formula.

    • Use all three sections, as in the example above. All content is available in pillar and is stored in /srv/salt/pki/** as well. This option requires manual upload of the certificates and key files content to the .yml files.

  4. Log in to the Salt Master node.

  5. Verify the validity dates of the certificate that is currently in place, so that you can compare them with the renewed certificate later. The command expects a single file; if the glob matches more than one cluster directory, name the cluster directory explicitly:

    openssl x509 -in /srv/salt/pki/*/proxy.crt -text -noout | grep -Ei 'after|before'
    

    Example of system response:

    Not Before: May 30 17:21:10 2018 GMT
    Not After : May 30 17:21:10 2019 GMT
    
  6. Remove the current certificates:

    Note

    The following command also removes the certificates from all proxy nodes, as they use the same GlusterFS share. The pattern matches the certificate and chain files but not proxy.key, so the existing private key stays in place for a renewal.

    rm -f /srv/salt/pki/*/*.[pemcrt]*
    
  7. If you replace the certificates (that is, you also changed the key section in step 3), remove the old private key as well:

    rm -f /srv/salt/pki/*/proxy.key
    
  8. Apply the nginx state on all proxy nodes one by one:

    salt -C 'I@nginx:server' state.sls nginx -b 1
    
  9. Verify the new certificate validity date:

    openssl x509 -in /srv/salt/pki/*/proxy.crt -text -noout | grep -Ei 'after|before'
    

    Example of system response:

    Not Before: May 30 17:21:10 2018 GMT
    Not After : May 30 17:21:10 2019 GMT
    
  10. Restart the NGINX service on each proxy node, one node at a time. Stopping keepalived first releases the VIP so that it fails over to another proxy node before NGINX restarts:

    salt -C 'I@nginx:server' cmd.run 'service keepalived stop; sleep 5; service nginx restart; service keepalived start' -b 1