Add a guide on how to renew an SSL certificate for a Fedora service
This renames making-ssl-certificates to ssl-certificates. Signed-off-by: Michal Konecny <mkonecny@redhat.com>
parent a06af07957
commit 503a288196
2 changed files with 26 additions and 3 deletions

modules/sysadmin_guide/pages/ssl-certificates.adoc (Normal file, 76 lines)
@ -0,0 +1,76 @@
= SSL Certificates SOP

Every now and then you will need to work with SSL certificate for a
Fedora Service.

== Creating a CSR for a new server

Know your hostname, ie _lists.fedoraproject.org_:

....
export ssl_name=<fqdn of host>
....

Create the cert. 8192 does not work with various boxes so we use 4096
currently.

....
openssl genrsa -out ${ssl_name}.pem 4096
openssl req -new -key ${ssl_name}.pem -out $(ssl_name}.csr

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NM
Locality Name (eg, city) [Default City]:Raleigh
Organization Name (eg, company) [Default Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:Fedora Project
Common Name (eg, your name or your server's hostname)
[]:lists.fedorahosted.org
Email Address []:admin@fedoraproject.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
....

send the CSR to the signing authority and wait for a cert. place all
three into private directory so that you can make certs in the future.

== Creating a temporary self-signed certificate

Repeat the steps above but add in the following:

....
openssl x509 -req -days 30 -in ${ssl_name}.csr -signkey ${ssl_name}.pem -out ${ssl_name}.cert
Signature ok
subject=/C=US/ST=NM/L=Raleigh/O=Red Hat/OU=Fedora
Project/CN=lists.fedorahosted.org/emailAddress=admin@fedoraproject.org
....

Getting Private key

We only want a self-signed certificate to be good for a short time so 30
days sounds good.

== Renew a SSL certificate

To renew SSL certificate for existing service you can run ansible playbook from batcave:

....
ansible-playbook /srv/web/infra/ansible/playbooks/groups/proxies.yml -t <name_of_service>
....

For example
....
ansible-playbook /srv/web/infra/ansible/playbooks/groups/proxies.yml -t release-monitoring.org
....

This will renew the certificates for the service and deploy them on proxies. If some proxies
fail during the run, just run the playbook again with limiting it only to proxy that failed.
For example if the previous example failed on `proxy01` you can run the playbook again like this:

....
ansible-playbook /srv/web/infra/ansible/playbooks/groups/proxies.yml -t release-monitoring.org -l proxy01\*
....

This will run the playbook only for `proxy01`.
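Review bot: the second command in the CSR block, `openssl req -new -key ${ssl_name}.pem -out $(ssl_name}.csr`, mixes `$(` with `}`, so the shell reports a syntax error instead of writing the CSR; it should read `openssl req -new -key ${ssl_name}.pem -out ${ssl_name}.csr`. A few smaller points in the same file: the hostname example is `lists.fedoraproject.org` but the interactive `req` answers and the self-signed subject use `lists.fedorahosted.org`, so one of them should change for the walkthrough to be consistent ("ie" should also be "e.g." there); `Getting Private key` is the tail of the `openssl x509` output and belongs inside the preceding `....` block next to `Signature ok`, where it sits now it reads as a stray paragraph; "place all three into private directory" should name the three files (key, CSR and signed certificate) and the actual directory, and since one of them is the private key the text should tell the reader to keep it readable only by its owner (for example `chmod 600 ${ssl_name}.pem`) and never to put it anywhere public. In the renewal section a sentence on how to confirm that the renewed certificate is actually being served once the playbook finishes (for example checking the `notAfter` date with `openssl s_client -connect release-monitoring.org:443 -servername release-monitoring.org </dev/null | openssl x509 -noout -dates`) would round the SOP off.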