How to Renew Certificates for CSO Components
You can renew or view the certificates of CSO components by using the manage_certificate.sh script.
Actual output might vary from the sample output shown based on your deployment scenario.
- Log in to the startupserver1 VM as root user.
- Navigate to the CSO directory in the startupserver1 VM.
  For example:
  root@startupserver1:~/# cd Contrail_Service_Orchestration_6.2.0
  root@host:~/Contrail_Service_Orchestration_6.2.0#
- Run the manage_certificate.sh script to check the status or renew the certificates of the CSO components.
  root@startupserver1:~/Contrail_Service_Orchestration_6.2.0# ./manage_certificate.sh
  ************************************************************
  This tool assists you to renew CSO components certificate
  ************************************************************
  Certificate renew sequence need to be followed: Kubernetes -> Haproxy -> Elasticsearch
  0: List all certificate expiry date
  1: Schedule cron for email notification
  Following component's certificate can be renewed
  2: Haproxy, Nginx, Rsyslog
  3: Telemetry Agent
  Select a option (In Number) :
  Note: To check the options that you can use with the manage_certificate.sh script, enter manage_certificate.sh -h or manage_certificate.sh --help.
  root@startupserver1:~/Contrail_Service_Orchestration_6.2.0# ./manage_certificate.sh -h
  Usage:
  ./manage_certificate.sh -> to check/renew CSO components's certificate
  ./manage_certificate.sh [options]
  options:
  -c | --check to only check and list expiry dates of CSO components
  -n | --notify to list and send email notification with CSO components and its expiry dates
  --cron to schedule cron job
  -h | --help this help
- You can choose to perform any of the following tasks:
  - To view the certificate expiry dates, see How to View the Certificate Expiry Dates.
  - To schedule a cron job, see How to Schedule a Cron Job.
  - To renew a component's certificate, see How to Renew a Certificate.
How to View the Certificate Expiry Dates
To list all the certificates and their expiry dates, type 0 at the prompt and press Enter. You can also view the same output by using ./manage_certificate.sh -c or ./manage_certificate.sh --check.
Select a option (In Number) : 0
INFO Fetching certificate details...
+----------------+---------------------+----------------+-------------+
| Component Name | Expiry Date         | Days to Expire | Status      |
+----------------+---------------------+----------------+-------------+
| Haproxy        | 2022-08-24 09:58:20 | 240            | Not Expired |
| Nginx          | 2022-08-24 09:58:20 | 240            | Not Expired |
| Rsyslog        | 2022-08-24 09:58:20 | 240            | Not Expired |
+----------------+---------------------+----------------+-------------+
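The expiry table can also feed your own monitoring. The following is an added example, not part of the CSO tooling or of the original page: it parses the table layout shown above and reports every component that is inside a renewal window. The helper names expiring_certs and sample_table, the 30-day limit, and the Nginx sample row are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Juniper code): flag components from the expiry table.

# Constructed sample in the layout shown on this page; the Nginx row is invented.
sample_table() {
    cat <<'EOF'
INFO Fetching certificate details...
+----------------+---------------------+----------------+-----------------+
| Component Name | Expiry Date         | Days to Expire | Status          |
+----------------+---------------------+----------------+-----------------+
| Haproxy        | 2022-08-24 09:58:20 | 240            | Not Expired     |
| Nginx          | 2022-01-10 09:58:20 | 14             | About to Expire |
| Rsyslog        | 2022-08-24 09:58:20 | 240            | Not Expired     |
+----------------+---------------------+----------------+-----------------+
EOF
}

# expiring_certs LIMIT_DAYS   (hypothetical helper)
# Reads the table on stdin and prints "name days status" for each component
# whose status is not "Not Expired" or whose days-to-expire is below LIMIT_DAYS.
# Exit status: 0 = nothing to do, 1 = at least one component flagged,
#              2 = no data rows parsed (layout changed or the script failed).
expiring_certs() {
    awk -F'|' -v limit="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF < 6 { next }                         # borders and INFO lines have no cells
        {
            name = trim($2); days = trim($4); status = trim($5)
            if (name == "Component Name") next  # header row
            rows++
            if (status != "Not Expired" || (days ~ /^-?[0-9]+$/ && days + 0 < limit + 0)) {
                print name, days, status
                hits++
            }
        }
        END {
            if (rows == 0) exit 2               # never report an empty parse as healthy
            exit (hits > 0 ? 1 : 0)
        }'
}

# Demo on the constructed sample: prints the Nginx row, then the exit status.
sample_table | expiring_certs 30 || echo "attention needed (exit status $?)"
```

On the startupserver1 VM the same function can read live output, for example ./manage_certificate.sh -c | expiring_certs 30. Treat exit status 2 as a failure rather than as healthy, because it means no certificate rows were parsed.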
How to Schedule a Cron Job
To schedule a cron job:
How to Renew a Certificate
You can renew a certificate only if its status is Expired or About to Expire.
You can renew only self-signed certificates. Third-party certificates cannot be renewed.
Following component's certificate can be renewed
2: Haproxy, Nginx, Rsyslog
3: Telemetry Agent
Select a option (In Number) :
The system checks the status of the certificate:
- If the status is Expired or About to Expire, then the certificate renewal process is initiated. After the certificate renewal, the system performs a health check.
  Note:
  When the HA proxy certificate is renewed, the telemetry agent certificate for all devices provisioned on CSO is automatically renewed.
  If the HA proxy certificate is renewed and the telemetry agent renewal cannot be completed due to a failure, you can renew the telemetry agent certificate separately. Run the manage_certificate.sh script and provide the number corresponding to the Telemetry Agent (3 in the sample output) to renew the certificate.
- If the status is Not Expired, then the certificate is not renewed.
Sample output if the status of a certificate is Not Expired:
************************************************************
This tool assists you to renew CSO components certificate
************************************************************
Certificate renew sequence need to be followed: Kubernetes -> Haproxy -> Elasticsearch
0: List all certificate expiry date
1: Schedule cron for email notification
Following component's certificate can be renewed
2: Haproxy, Nginx, Rsyslog
3: Telemetry Agent
Select a option (In Number) : 2
INFO Started check and renew haproxy component's certificate at 2021-12-27 02:19:10.974535 ...
INFO Checking haproxy certificate expiry date
INFO Checking nginx certificate expiry date
INFO Checking rsyslog certificate expiry date
INFO Haproxy certificate is Not Expired
INFO Nginx certificate is Not Expired
INFO Rsyslog certificate is Not Expired
INFO Certificate is not about to expire, So renewal is not required
INFO Completed check and renew haproxy component's certificate at 2021-12-27 02:19:13.638765 .
INFO Time taken to renew haproxy component's certificate : 0:00:02.664230