Renew the self-managed NGINX certificates

Renew the self-managed NGINX certificates¶

This section describes how to renew the self-managed NGINX certificates.

To renew the self-managed NGINX certificates:

Complete the steps described in Verify the GlusterFS share salt_pki.
Open your project Git repository with the Reclass model on the cluster level.

Update the /openstack/proxy.yml file with the following configuration as an example:

parameters:
  _params:
    nginx_proxy_ssl:
      enabled: true
      mode: secure
      key_file:  /srv/salt/pki/${_param:cluster_name}/FQDN_PROXY_CERT.key
      cert_file: /srv/salt/pki/${_param:cluster_name}/FQDN_PROXY_CERT.crt
      chain_file: /srv/salt/pki/${_param:cluster_name}/FQDN_PROXY_CERT_CHAIN.crt
      key: |
        -----BEGIN PRIVATE KEY-----
        MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQC3qXiZiugf6HlR
        ...
        aXK0Fg1hJKu60Oh+E5H1d+ZVbP30xpdQ
        -----END PRIVATE KEY-----
      cert: |
        -----BEGIN CERTIFICATE-----
        MIIHDzCCBPegAwIBAgIDLYclMA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
        ...
        lHfjP1c6iWAL0YEp1IMCeM01l4WWj0ymb7f4wgOzcULfwzU=
        -----END CERTIFICATE-----
      chain: |
        -----BEGIN CERTIFICATE-----
        MIIFgDCCA2igAwIBAgIDET0sMA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
        ...
        UPwFzYIVkwy4ny+UJm9js8iynKro643mXty9vj5TdN1iK3ZA4f4/7kenuHtGBNur
        WzUuf8H9dBW2DPtk5Jq/+QWtYMs=
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIGXzCCBEegAwIBAgIDEUB0MA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
        ...
        /inxvBr89TvbCP2hweGMD6w1mKJU2SWEQwMs7P72dU7VuVqyyoutMWakJZ+xoGE9
        YqQO
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIHDzCCBPegAwIBAgIDLYclMA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
        ...
        lHfjP1c6iWAL0YEp1IMCeM01l4WWj0ymb7f4wgOzcULfwzU=
        -----END CERTIFICATE-----

Note

Modify the example above by adding your certificates and key:

If you renew the certificates, leave your existing key and update the cert and chain sections.
If you replace the certificates, modify all three sections.

Note

The key, cert, and chain sections are optional. You can select from the following options:

Store certificates in the file system in /srv/salt/pki/**/ and add the key_file, cert_file, and chain_file lines to /openstack/proxy.yml.
Add only the key, cert, and chain sections without the key_file, cert_file, and chain_file lines to /openstack/proxy.yml. The certificates are stored under the /etc directory as default paths in the Salt formula.
Use all three sections, as in the example above. All content is available in pillar and is stored in /srv/salt/pki/** as well. This option requires manual upload of the certificates and key files content to the .yml files.

Verify the new certificate validity date:

openssl x509 -in /srv/salt/pki/*/proxy.crt -text -noout | grep -Ei 'after|before'

Example of system response:

Not Before: May 30 17:21:10 2018 GMT
Not After : May 30 17:21:10 2019 GMT

Remove the current certificates.

Note

The following command also removes certificates from all proxy nodes as they use the same GlusterFS share.
```
rm -f /srv/salt/pki/*/*.[pemcrt]*
```
If you replace the certificates, remove the private key:
```
/srv/salt/pki/*/proxy.key
```

Apply the nginx state on all proxy nodes one by one:

salt -C 'I@nginx:server' state.sls nginx -b 1

Verify the new certificate validity date:

openssl x509 -in /srv/salt/pki/*/proxy.crt -text -noout | grep -Ei 'after|before'

Example of system response:

Not Before: May 30 17:21:10 2018 GMT
Not After : May 30 17:21:10 2019 GMT

Restart the NGINX services and remove the VIP before restart:

salt -C 'I@nginx:server' cmd.run 'service keepalived stop; sleep 5; \
service nginx restart; service keepalived start' -b 1

updated: 2024-01-04 11:47

Renew or replace the NGINX certificates managed by salt-minion

View Previous Section

HAProxy certificates