Infrastructure/infra-docs-fpo
1
0
Fork 0
Code Issues 100 Pull requests 6 Projects Releases Packages Wiki Activity Actions

PDC: explain how to regenerate the SSL certificates.

Browse source 
This follows https://pagure.io/fedora-infrastructure/issue/11003

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
This commit is contained in:
Aurélien Bompard 2023-04-24 09:12:21 +02:00
parent 8c1d383a7f
commit 1f6e9b8cbd
No known key found for this signature in database
GPG key ID: 31584CFEB9BF64AD
1 changed files with 32 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

32
modules/sysadmin_guide/pages/pdc.adoc
View file

@ -151,3 +151,35 @@ sudo -u postgresql psql pdc pdc-
....
The user will now have privs with their normal tokens.
== Updating SAML2 certificates
As stated previously, the authentication uses SAML2 with _mod_auth_mellon_ (as the Service Provider on PDC's side) and Ipsilon (as the Identity Provider). This form of authentication relies on SSL certificates and XML metadata.
PDC's certificates live in the _ansible-private_ repository, in `files/saml2/pdc{,.stg}.fedoraproject.org/certificate.{pem,key}`. They are generated from the PKI in `files/saml2/ {staging,production}/`. The certificates can be self-signed as long as they are properly embedded in the metadata XML file and this file is distributed identically to PDC and to Ipsilon.
To renew the certificate, generate a new one with the provided script in the _ansible-private_ repo:
....
$ files/saml2/staging/build-key-server pdc.stg.fedoraproject.org
$ mv files/saml2/staging/keys/pdc.stg.fedoraproject.org.crt files/saml2/pdc.stg.fedoraproject.org/certificate.pem
$ mv files/saml2/staging/keys/pdc.stg.fedoraproject.org.key files/saml2/pdc.stg.fedoraproject.org/certificate.key
....
And for production:
....
$ files/saml2/production/build-key-server pdc.fedoraproject.org
$ mv files/saml2/production/keys/pdc.fedoraproject.org.crt files/saml2/pdc.fedoraproject.org/certificate.pem
$ mv files/saml2/production/keys/pdc.fedoraproject.org.key files/saml2/pdc.fedoraproject.org/certificate.key
....
And commit the changes:
....
$ git commit -a -s -m "PDC: new certificate"
$ git pull --rebase
$ git push
....
Then run the PDC and the Ipsilon playbooks. The PDC playbook will push the new certificates and re-generate the `metadata.xml` file in `/etc/httpd/saml2/`. The Ipsilon playbook will retrieve this `metadata.xml` file from the PDC server and insert it into the `/etc/ipsilon/root/configuration.conf` file.