503a288196
This renames making-ssl-certificates to ssl-certificates. Signed-off-by: Michal Konecny <mkonecny@redhat.com>
76 lines
2.3 KiB
Text
76 lines
2.3 KiB
Text
= SSL Certificates SOP
|
|
|
|
Every now and then you will need to work with SSL certificate for a
|
|
Fedora Service.
|
|
|
|
== Creating a CSR for a new server
|
|
|
|
Know your hostname, ie _lists.fedoraproject.org_:
|
|
|
|
....
|
|
export ssl_name=<fqdn of host>
|
|
....
|
|
|
|
Create the cert. 8192 does not work with various boxes so we use 4096
|
|
currently.
|
|
|
|
....
|
|
openssl genrsa -out ${ssl_name}.pem 4096
|
|
openssl req -new -key ${ssl_name}.pem -out $(ssl_name}.csr
|
|
|
|
Country Name (2 letter code) [XX]:US
|
|
State or Province Name (full name) []:NM
|
|
Locality Name (eg, city) [Default City]:Raleigh
|
|
Organization Name (eg, company) [Default Company Ltd]:Red Hat
|
|
Organizational Unit Name (eg, section) []:Fedora Project
|
|
Common Name (eg, your name or your server's hostname)
|
|
[]:lists.fedorahosted.org
|
|
Email Address []:admin@fedoraproject.org
|
|
|
|
Please enter the following 'extra' attributes
|
|
to be sent with your certificate request
|
|
A challenge password []:
|
|
An optional company name []:
|
|
....
|
|
|
|
send the CSR to the signing authority and wait for a cert. place all
|
|
three into private directory so that you can make certs in the future.
|
|
|
|
== Creating a temporary self-signed certificate
|
|
|
|
Repeat the steps above but add in the following:
|
|
|
|
....
|
|
openssl x509 -req -days 30 -in ${ssl_name}.csr -signkey ${ssl_name}.pem -out ${ssl_name}.cert
|
|
Signature ok
|
|
subject=/C=US/ST=NM/L=Raleigh/O=Red Hat/OU=Fedora
|
|
Project/CN=lists.fedorahosted.org/emailAddress=admin@fedoraproject.org
|
|
....
|
|
|
|
Getting Private key
|
|
|
|
We only want a self-signed certificate to be good for a short time so 30
|
|
days sounds good.
|
|
|
|
== Renew a SSL certificate
|
|
|
|
To renew SSL certificate for existing service you can run ansible playbook from batcave:
|
|
|
|
....
|
|
ansible-playbook /srv/web/infra/ansible/playbooks/groups/proxies.yml -t <name_of_service>
|
|
....
|
|
|
|
For example
|
|
....
|
|
ansible-playbook /srv/web/infra/ansible/playbooks/groups/proxies.yml -t release-monitoring.org
|
|
....
|
|
|
|
This will renew the certificates for the service and deploy them on proxies. If some proxies
|
|
fail during the run, just run the playbook again with limiting it only to proxy that failed.
|
|
For example if the previous example failed on `proxy01` you can run the playbook again like this:
|
|
|
|
....
|
|
ansible-playbook /srv/web/infra/ansible/playbooks/groups/proxies.yml -t release-monitoring.org -l proxy01\*
|
|
....
|
|
|
|
This will run the playbook only for `proxy01`.
|