From 1f6e9b8cbde7b3be441cec91f7a45dc2764dcbf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 24 Apr 2023 09:12:21 +0200 Subject: [PATCH] PDC: explain how to regenerate the SSL certificates. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This follows https://pagure.io/fedora-infrastructure/issue/11003 Signed-off-by: Aurélien Bompard --- modules/sysadmin_guide/pages/pdc.adoc | 32 +++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/modules/sysadmin_guide/pages/pdc.adoc b/modules/sysadmin_guide/pages/pdc.adoc index 130f1c7..2b3cd41 100644 --- a/modules/sysadmin_guide/pages/pdc.adoc +++ b/modules/sysadmin_guide/pages/pdc.adoc 
@@ -151,3 +151,35 @@ sudo -u postgresql psql pdc pdc- .... The user will now have privs with their normal tokens. + +== Updating SAML2 certificates + +As stated previously, the authentication uses SAML2 with _mod_auth_mellon_ (as the Service Provider on PDC's side) and Ipsilon (as the Identity Provider). This form of authentication relies on SSL certificates and XML metadata. + +PDC's certificates live in the _ansible-private_ repository, in `files/saml2/pdc{,.stg}.fedoraproject.org/certificate.{pem,key}`. They are generated from the PKI in `files/saml2/ {staging,production}/`. The certificates can be self-signed as long as they are properly embedded in the metadata XML file and this file is distributed identically to PDC and to Ipsilon. + +To renew the certificate, generate a new one with the provided script in the _ansible-private_ repo: + +.... +$ files/saml2/staging/build-key-server pdc.stg.fedoraproject.org +$ mv files/saml2/staging/keys/pdc.stg.fedoraproject.org.crt files/saml2/pdc.stg.fedoraproject.org/certificate.pem +$ mv files/saml2/staging/keys/pdc.stg.fedoraproject.org.key files/saml2/pdc.stg.fedoraproject.org/certificate.key +.... + +And for production: + +.... +$ files/saml2/production/build-key-server pdc.fedoraproject.org +$ mv files/saml2/production/keys/pdc.fedoraproject.org.crt files/saml2/pdc.fedoraproject.org/certificate.pem +$ mv files/saml2/production/keys/pdc.fedoraproject.org.key files/saml2/pdc.fedoraproject.org/certificate.key +.... + +And commit the changes: + +.... +$ git commit -a -s -m "PDC: new certificate" +$ git pull --rebase +$ git push +.... + +Then run the PDC and the Ipsilon playbooks. The PDC playbook will push the new certificates and re-generate the `metadata.xml` file in `/etc/httpd/saml2/`. The Ipsilon playbook will retrieve this `metadata.xml` file from the PDC server and insert it into the `/etc/ipsilon/root/configuration.conf` file.
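Review bot: the path `files/saml2/ {staging,production}/` in the new "Updating SAML2 certificates" section contains a stray space after `saml2/` and will not match what the `build-key-server` lines below it use (`files/saml2/staging/` and `files/saml2/production/`); drop the space. Two further points in the same hunk: the closing paragraph says "run the PDC and the Ipsilon playbooks" without stating that the PDC playbook must run first, even though the next two sentences make the dependency clear (Ipsilon retrieves `metadata.xml` from the PDC server), so consider writing it as an explicit ordered step, e.g. "Run the PDC playbook first, then the Ipsilon playbook", and note that SAML2 logins will fail between the two runs because Ipsilon still holds the metadata embedding the old certificate. Finally, since the section replaces both `certificate.pem` and `certificate.key` and the text says the certificate only works if it is "properly embedded in the metadata XML file", it would help to add a verification step after the playbooks, such as checking that the certificate in `/etc/httpd/saml2/metadata.xml` on PDC matches the newly committed `certificate.pem` and that the same certificate now appears in `/etc/ipsilon/root/configuration.conf` on Ipsilon.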