Renew or replace the RabbitMQ certificates managed by salt-minion

This section describes how to renew or replace the RabbitMQ certificates managed by salt-minion.

To renew or replace the RabbitMQ certificates managed by salt-minion:

  1. Log in to the Salt Master node.

  2. Verify the certificate validity dates:

    salt -C 'I@rabbitmq:server' cmd.run 'openssl x509 \
    -in /etc/rabbitmq/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
    

    Example of system response:

    Not Before: Apr 27 12:37:14 2018 GMT
    Not After : Apr 27 12:37:14 2019 GMT
    Not Before: Apr 27 12:37:08 2018 GMT
    Not After : Apr 27 12:37:08 2019 GMT
    Not Before: Apr 27 12:37:13 2018 GMT
    Not After : Apr 27 12:37:13 2019 GMT
    
  3. Remove the certificates from the RabbitMQ nodes:

    salt -C 'I@rabbitmq:server' cmd.run 'rm -f /etc/rabbitmq/ssl/cert.pem'
    
  4. If you are replacing the certificates rather than only renewing them, also remove the private key:

    salt -C 'I@rabbitmq:server' cmd.run 'rm -f /etc/rabbitmq/ssl/key.pem'
    
  5. Regenerate the certificates on the RabbitMQ nodes:

    salt -C 'I@rabbitmq:server' state.sls salt.minion.cert
    
  6. Verify that the certificate validity dates have changed:

    salt -C 'I@rabbitmq:server' cmd.run 'openssl x509 \
    -in /etc/rabbitmq/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
    

    Example of system response:

    Not Before: Jun  4 23:52:40 2018 GMT
    Not After : Jun  4 23:52:40 2019 GMT
    Not Before: Jun  4 23:52:41 2018 GMT
    Not After : Jun  4 23:52:41 2019 GMT
    Not Before: Jun  4 23:52:41 2018 GMT
    Not After : Jun  4 23:52:41 2019 GMT
    
  7. Restart the RabbitMQ services one by one (the -b1 option makes Salt process one node at a time):

    salt -C 'I@rabbitmq:server' cmd.run 'service rabbitmq-server stop; \
    service rabbitmq-server start' -b1
    
  8. Verify the RabbitMQ cluster status:

    salt -C 'I@rabbitmq:server' cmd.run 'rabbitmqctl cluster_status'
    

    Example of system response:

    msg03.multinode-ha.int:
        Cluster status of node rabbit@msg03
        [{nodes,[{disc,[rabbit@msg01,rabbit@msg02,rabbit@msg03]}]},
         {running_nodes,[rabbit@msg01,rabbit@msg02,rabbit@msg03]},
         {cluster_name,<<"openstack">>},
         {partitions,[]},
         {alarms,[{rabbit@msg01,[]},{rabbit@msg02,[]},{rabbit@msg03,[]}]}]
    msg01.multinode-ha.int:
        Cluster status of node rabbit@msg01
        [{nodes,[{disc,[rabbit@msg01,rabbit@msg02,rabbit@msg03]}]},
         {running_nodes,[rabbit@msg03,rabbit@msg02,rabbit@msg01]},
         {cluster_name,<<"openstack">>},
         {partitions,[]},
         {alarms,[{rabbit@msg03,[]},{rabbit@msg02,[]},{rabbit@msg01,[]}]}]
    msg02.multinode-ha.int:
        Cluster status of node rabbit@msg02
        [{nodes,[{disc,[rabbit@msg01,rabbit@msg02,rabbit@msg03]}]},
         {running_nodes,[rabbit@msg03,rabbit@msg01,rabbit@msg02]},
         {cluster_name,<<"openstack">>},
         {partitions,[]},
         {alarms,[{rabbit@msg03,[]},{rabbit@msg01,[]},{rabbit@msg02,[]}]}]
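
The `grep` filter in steps 2 and 6 drops the minion IDs, so a node whose certificate was not reissued is easy to miss. The following added example (not part of the original procedure) compares the step 2 output saved before step 3 with the step 6 output, node by node. It assumes both were captured without the `grep` filter; the function names, status labels and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original procedure). Inputs are saved outputs of
# the step 2 / step 6 command run WITHOUT the grep filter, so that Salt's
# unindented "minion-id:" header lines are still present.

# Print "minion<TAB>Not After value" for each minion in a saved Salt output.
not_after_by_minion() {
    awk '/^[^ \t].*:$/ { sub(/:$/, ""); minion = $0; next }
         /Not After *:/ { sub(/^.*Not After *: */, ""); print minion "\t" $0 }' "$1"
}

# Compare before ($1) and after ($2); non-zero status if any certificate was
# not reissued (UNCHANGED) or a minion did not answer the second run (MISSING).
compare_renewal() {
    old=$(mktemp) && new=$(mktemp) || return 2
    not_after_by_minion "$1" > "$old"
    not_after_by_minion "$2" > "$new"
    rc=0
    awk -F '\t' '
        phase == 1 { before[$1] = $2; next }
        { seen[$1] = 1
          if (!($1 in before))         print "NEW " $1
          else if (before[$1] == $2) { print "UNCHANGED " $1; bad = 1 }
          else                         print "RENEWED " $1 }
        END { for (m in before) if (!(m in seen)) { print "MISSING " m; bad = 1 }
              exit bad + 0 }' phase=1 "$old" phase=2 "$new" || rc=$?
    rm -f "$old" "$new"
    return "$rc"
}

# Constructed sample data: msg03 still has its old certificate after step 5.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' 'msg01.multinode-ha.int:' \
        '            Not After : Apr 27 12:37:14 2019 GMT' \
        'msg03.multinode-ha.int:' \
        '            Not After : Apr 27 12:37:13 2019 GMT' > "$dir/before.txt"
    printf '%s\n' 'msg01.multinode-ha.int:' \
        '            Not After : Jun  4 23:52:40 2019 GMT' \
        'msg03.multinode-ha.int:' \
        '            Not After : Apr 27 12:37:13 2019 GMT' > "$dir/after.txt"
    rc=0; compare_renewal "$dir/before.txt" "$dir/after.txt" || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```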