From e2df5a8b47c945387554249cd61dca6d99114f56 Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Mon, 25 Mar 2024 08:53:02 -0700 Subject: [PATCH] Add docs for linaro cloud cert renewal process These docs had lived on the server in question in a text file as they were sort of cobbled together from emails. Since then multiple renewals have been successfully performed so we may as well add the process to our actual documentation. Change-Id: I13267ad08c1e4ef6007e5cbea040c274ea2f27d5 --- doc/source/letsencrypt.rst | 47 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/doc/source/letsencrypt.rst b/doc/source/letsencrypt.rst index 48757475c2..7d95af177d 100644 --- a/doc/source/letsencrypt.rst +++ b/doc/source/letsencrypt.rst 
@@ -151,3 +151,50 @@ the next Ansible pulse to renew. # tail -f /var/log/acme.sh/acme.sh.log ... watch and should be renewed on next pulse # rm *.conf.old + +Linaro ARM64 Cloud Cert Renewal +=============================== + +The Linaro ARM64 cloud relies on Let's Encrypt certs for API endpoints, +but these certs are not automatically provisioned. The reason for this +is that cloud is not completely enrolled into our Ansible automation +(we share management of this install with Linaro and full integration +has not be done). We can manually refresh the SSL certs in this cloud +though. + +To access the cloud backend ssh via bridge as root to +``openinfraci.linaro.cloud``. + +First we provision a new certificate using acme.sh on the cloud node: + +.. code-block:: console + + /root/acme.sh/acme.sh --server letsencrypt --issue \ + --dns dns_aws -d openinfraci.linaro.cloud + +Next backup the old cert: + +.. code-block:: console + + cp /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem \ + /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem.$DATE + +Copy the new cert into the kolla-ansible secrets: + +.. code-block:: console + + cat /root/.acme.sh/openinfraci.linaro.cloud/openinfraci.linaro.cloud.key \ + /root/.acme.sh/openinfraci.linaro.cloud/fullchain.cer \ + > /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem + +Activate the kolla-ansible virtualenv to run ansible: + +.. code-block:: console + + source /root/venv3/bin/activate + +Run kolla-ansible to deploy the cert: + +.. code-block:: console + + /root/venv3/bin/kolla-ansible -i ~/all-in-one deploy
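Review bot: In the "Next backup the old cert" block, `$DATE` is never set anywhere in the procedure, so in a fresh root shell the copy lands at `openinfraci.linaro.cloud.pem.` and the next renewal overwrites that one backup. Either add a step that sets it or write the suffix inline, for example `.pem.$(date +%Y%m%d)`. Because the file being copied is the private key concatenated with the chain, a sentence on pruning old dated copies from `/root/us.linaro.cloud/secret/` would also help. The issue step runs `/root/acme.sh/acme.sh` while the copy step reads from `/root/.acme.sh/`; if both paths are intentional, a short note saying so would stop a reader from "correcting" one of them. The procedure has no verification step: checking the expiry date of the new `fullchain.cer` before the `cat`, and the certificate the API endpoint serves after `kolla-ansible ... deploy`, would catch a failed issue before it is deployed. Typo in the intro paragraph: "has not be done" should be "has not been done".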