Add docs for linaro cloud cert renewal process

These docs had lived on the server in question in a text file as they
were sort of cobbled together from emails. Since then multiple renewals
have been successfully performed so we may as well add the process to
our actual documentation.

Change-Id: I13267ad08c1e4ef6007e5cbea040c274ea2f27d5
Clark Boylan 2024-03-25 08:53:02 -07:00
parent 336a4ae440
commit e2df5a8b47

@ -151,3 +151,50 @@ the next Ansible pulse to renew.
# tail -f /var/log/acme.sh/acme.sh.log # tail -f /var/log/acme.sh/acme.sh.log
... watch and should be renewed on next pulse ... watch and should be renewed on next pulse
# rm *.conf.old # rm *.conf.old
Linaro ARM64 Cloud Cert Renewal
===============================
The Linaro ARM64 cloud relies on Let's Encrypt certs for API endpoints,
but these certs are not automatically provisioned. The reason for this
is that cloud is not completely enrolled into our Ansible automation
(we share management of this install with Linaro and full integration
has not be done). We can manually refresh the SSL certs in this cloud
though.
To access the cloud backend ssh via bridge as root to
``openinfraci.linaro.cloud``.
First we provision a new certificate using acme.sh on the cloud node:
.. code-block:: console
/root/acme.sh/acme.sh --server letsencrypt --issue \
--dns dns_aws -d openinfraci.linaro.cloud
Next backup the old cert:
.. code-block:: console
cp /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem \
/root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem.$DATE
Copy the new cert into the kolla-ansible secrets:
.. code-block:: console
cat /root/.acme.sh/openinfraci.linaro.cloud/openinfraci.linaro.cloud.key \
/root/.acme.sh/openinfraci.linaro.cloud/fullchain.cer \
> /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem
Activate the kolla-ansible virtualenv to run ansible:
.. code-block:: console
source /root/venv3/bin/activate
Run kolla-ansible to deploy the cert:
.. code-block:: console
/root/venv3/bin/kolla-ansible -i ~/all-in-one deploy
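
Review bot: The backup step under "Next backup the old cert" writes to ``openinfraci.linaro.cloud.pem.$DATE``, but nothing in the documented procedure sets ``DATE``. With the variable unset the copy lands at ``...pem.`` and each later renewal overwrites the one previous backup, which is the file you would need for a rollback. Suggest either spelling it as ``$(date +%Y%m%d)`` in the command or adding a line that defines ``DATE`` before the ``cp``. Two smaller points in the same hunk: the issue step runs ``/root/acme.sh/acme.sh`` while the copy step reads from ``/root/.acme.sh/``, so a sentence confirming that both paths are intended would save the next operator from wondering whether one is a typo; and "full integration has not be done" in the introductory paragraph should read "has not been done".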