This section describes how to replace the Salt Master CA certificates.

To replace the Salt Master CA certificates:

1. Log in to the Salt Master node.

2. Back up the running Salt configuration and the current CA so that a rollback is possible:

   tar cf /root/salt-backup.tar /etc/salt /etc/pki/ca/salt_master_ca/
   gzip -9 /root/salt-backup.tar

3. List all currently issued certificates.

   Currently, the Salt Master CA has no index file, so use the salt_cert_list.py script to list all certificates and identify the latest ones:

   Note
   The script is available within Mirantis from the mcp-common-scripts GitHub repository.

   ./salt_cert_list.py

   Example of system response:

   /etc/pki/ca/salt_master_ca/certs/18:63:9E:A6:F3:7E:10:5F.crt (proxy, 10.20.30.10, horizon.multinode-ha.int)
   /etc/pki/ca/salt_master_ca/certs/EB:51:7C:DF:CE:E7:90:52.crt (10.20.30.10, 10.20.30.10, *.10.20.30.10)
   /etc/pki/ca/salt_master_ca/certs/15:DF:66:5C:8D:8B:CF:73.crt (internal_proxy, mdb01, mdb01.multinode-ha.int, 192.168.2.116, 192.168.2.115, 10.20.30.10)
   /etc/pki/ca/salt_master_ca/certs/04:30:B0:7E:76:98:5C:CC.crt (rabbitmq_server, msg01, msg01.multinode-ha.int)
   /etc/pki/ca/salt_master_ca/certs/26:16:E7:51:E4:44:B4:65.crt (mysql_server, 192.168.2.53, 192.168.2.50, dbs03, dbs03.multinode-ha.int)
   /etc/pki/ca/salt_master_ca/certs/78:26:2F:6E:2E:FD:6A:42.crt (internal_proxy, ctl02, 192.168.2.12, 10.20.30.10, 192.168.2.10)
   ...

4. Update classes/cluster/<cluster_name>/infra/config.yml with the required values for the Salt Master CA. For example:

   parameters:
     _param:
       salt_minion_ca_country: us
       salt_minion_ca_locality: New York
       salt_minion_ca_organization: Planet Express
       salt_minion_ca_days_valid_authority: 3650
       salt_minion_ca_days_valid_certificate: 365

5. Replace the Salt Master CA certificates. The first command removes the existing CA files; the state run then generates a new CA using the parameters set in step 4:

   rm -f /etc/pki/ca/salt_master_ca/ca*
   salt-call state.sls salt.minion.ca -l debug

6. Publish the Salt Master CA certificates as described in Publish CA certificates.

7. Replace the certificates in your cloud environment according to the list of certificates obtained in step 3 of this procedure, as described in Manage certificates for the affected services. Certificates issued by the old CA remain on disk but no longer chain to the new CA until they are re-issued.
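The following is an added example (not part of the Mirantis documentation or the mcp-common-scripts repository) that turns the salt_cert_list.py output from step 3 into the re-issue inventory needed for step 7: which certificates belong to which node, and which ones carry a given name such as the VIP. It assumes the listing format shown above, where the first name in parentheses is the subject CN and the remaining names are the subjectAltName entries.

```python
import re
from collections import defaultdict
# Constructed sample input in the format printed by salt_cert_list.py (copied from the
# example response above). Assumption: the first name in parentheses is the subject CN,
# the remaining names are the subjectAltName entries.
SAMPLE_OUTPUT = """\
/etc/pki/ca/salt_master_ca/certs/18:63:9E:A6:F3:7E:10:5F.crt (proxy, 10.20.30.10, horizon.multinode-ha.int)
/etc/pki/ca/salt_master_ca/certs/EB:51:7C:DF:CE:E7:90:52.crt (10.20.30.10, 10.20.30.10, *.10.20.30.10)
/etc/pki/ca/salt_master_ca/certs/15:DF:66:5C:8D:8B:CF:73.crt (internal_proxy, mdb01, mdb01.multinode-ha.int, 192.168.2.116, 192.168.2.115, 10.20.30.10)
/etc/pki/ca/salt_master_ca/certs/04:30:B0:7E:76:98:5C:CC.crt (rabbitmq_server, msg01, msg01.multinode-ha.int)
/etc/pki/ca/salt_master_ca/certs/26:16:E7:51:E4:44:B4:65.crt (mysql_server, 192.168.2.53, 192.168.2.50, dbs03, dbs03.multinode-ha.int)
/etc/pki/ca/salt_master_ca/certs/78:26:2F:6E:2E:FD:6A:42.crt (internal_proxy, ctl02, 192.168.2.12, 10.20.30.10, 192.168.2.10)
"""

LINE_RE = re.compile(r"^(?P<path>\S+/(?P<serial>[0-9A-F:]+)\.crt)\s+\((?P<names>[^)]*)\)$")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_cert_list(text):
    """Parse salt_cert_list.py output into dicts with path, serial, cn and sans."""
    certs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":  # skip blanks and a truncated-listing marker
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {line!r}")
        names = [n.strip() for n in m.group("names").split(",")]
        certs.append({"path": m.group("path"), "serial": m.group("serial"),
                      "cn": names[0], "sans": names[1:]})
    return certs

def short_names(cert):  # short DNS labels from the SANs, ignoring IPs and wildcards
    labels = set()
    for name in cert["sans"]:
        if name.startswith("*") or IP_RE.match(name):
            continue
        labels.add(name.split(".")[0])
    return labels

def replacement_plan(certs):
    """Map each short DNS name to the (CN, serial) pairs to re-issue there (IP/wildcard-only certs go under their CN)."""
    plan = defaultdict(list)
    for cert in certs:
        for target in sorted(short_names(cert) or {cert["cn"]}):
            plan[target].append((cert["cn"], cert["serial"]))
    return dict(plan)

def certs_with_name(certs, name):  # serials of every certificate naming e.g. the VIP
    return [c["serial"] for c in certs if name == c["cn"] or name in c["sans"]]
```

Pipe the real script output into parse_cert_list() to get the same grouping for your environment; certs_with_name() with the VIP address shows every certificate that the public endpoints present and therefore must be re-issued first.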