Renew TEST Certificate (mid April)

MCatherine1994 commented 6 months ago

Describe the task Our TEST certificate will expire on June 1st, 2024. Ticket for renew we done last year for PROD https://github.com/bcgov/nr-fom/issues/421. Since the Certbot is not working anymore, we might not get notification, created this ticket to remind us. We need to send service desk a ticket to renew the certificate, and write Derek a ticket to help us install the new one.

Acceptance Criteria

[x] create a service desk ticket
[x] pass the certificate to Derek
[ ] third

Additional context

Add any other context about the task here.
Or here

MCatherine1994 commented 5 months ago

service desk ticket created https://apps.nrs.gov.bc.ca/int/jira/servicedesk/customer/portal/1/SD-110002

MCatherine1994 commented 4 months ago

Quick summary of the process:

Run Derek's script to generate the CSR file
Create a service desk ticket, attach that CSR file
Wait service desk to send the new certificates
Copy the new certificates and private key into the existing routes config
Verify the certificates are updated

Detailed Documentation:

Create a certificate request file (CSR) Derek has a script to auto generate that: https://github.com/bcgov/quickstart-openshift-helpers/blob/main/cert-setup/csr_generator.sh To run the script:
- clone the repo git clone https://github.com/bcgov/quickstart-openshift-helpers.git
- go to the script directory cd cert-setup
- run the script sh csr_generator.sh and provide our domain fom-test.nrs.gov.bc.ca in the popup questions
  The script will generate two files: fom-test.nrs.gov.bc.ca.csr and fom-test.nrs.gov.bc.ca.key
Create a service desk ticket: https://apps.nrs.gov.bc.ca/int/jira/servicedesk/customer/portal/1, follow the template shown from the script, attach the CSR file to the service desk request, and keep the key file safe (don't share the key file with anyone)
Once service desk picked it up, they will create a ticket on their side to apply for the new certificate, we just need to wait for their response
Service desk will send the new certificate through the email, it should include two files fom-test.nrs.gov.bc.ca.txt and L1K Chain.txt
Rename the two files to fom-test.nrs.gov.bc.ca.cert and L1K_Chain.ca-cert. You will need the private key file as well (this was generated when you created the CSR file)
If this is the first time you get the certificate, please use Derek's script to install it to your Openshift namespace https://github.com/bcgov/quickstart-openshift-helpers/blob/main/cert-setup/install_cert.sh. Make sure you have the cert files and the key file in the same directory
- Login to the Openshift namespace through oc command
- Select your namespace oc project [namespace]
- Run the script sh install_cert.sh, and provide the domain fom-test.nrs.gov.bc.ca and service name (can be found in the namespace under Administration view -> Networking -> Services)
If this is for renewing certificate, we can either copy the new certificate to the existing routes or create a new route using oc command
- First option: Copy the new certificate and key
  - Go to your Openshift namespace, Administration view -> Networking -> Routes
  - Select the route that needs the certificate, and click "Edit Route"
  - Copy the fom-test.nrs.gov.bc.ca.cert to the Certificate section, fom-test.nrs.gov.bc.ca.key to the Key section, and L1K_Chain.ca-cert to the CA certificate section
  - Save the changes and verify the certificate is updated
  - Second option: Update certificate through oc command, make sure you have the cert files and the key file in the same directory
    - Backup your existing routes, you can download the yml files from Openshift namespace, Administration view -> Networking -> Routes -> YML
    - Remove your existing route from Openshift namespace
    - Login to the Openshift namespace through oc command
    - Select your namespace oc project [namespace]
    - Run the script sh install_cert.sh, and provide the domain fom-test.nrs.gov.bc.ca, service name fom-test-public and the path. Or you can also run this command directly, for example """ oc create route edge --service=fom-test-public --cert=fom-test.nrs.gov.bc.ca.cert --key=fom-test.nrs.gov.bc.ca.key --ca-cert=new_cert.ca-cert --hostname=fom-test.nrs.gov.bc.ca --path=/public fom-test-public """

Note: To run the script on Mac, comment out the lines where it has ${ACCEPT^}. It's just trying to check capital letter "Y", just type "y" for all the questions while running the script

MCatherine1994 commented 4 months ago

Timeline for FOM TEST certificate renew 2024:

Created the service desk ticket on Apr 29, 2024
Submitted the certificate request file (CSR) on May 7, 2024 (this one should be done when created the ticket, but because this is the first time we went through the new process, missed it at the beginning)
Service desk created new certificate request on their side REQ0512972 on May 8, 2024 (Michelle needs to approve the certificate request as well)
OCIO service desk reached out to request the CSR file on May 16, 2024, sent the CSR file to them
Got the new certificate on May 16, 2024. Got from CITZ Identity Management Solutions CITZ:EX IMS@gov.bc.ca in the email, it includes two files: fom-test.nrs.gov.bc.ca.txt and L1K Chain.txt
Copy the new certificate and the key file into fom-test-api and fom-test-admin routes, got certificate updated correctly
Also tested with Derek, removed the previous fom-test-public route, and created a new fom-test-public route from oc command with the new certificate, also got certificate updated correctly, both way works

MCatherine1994 commented 4 months ago

Got email from CITZ Identity Management Solutions CITZ:EX IMS@gov.bc.ca, send them the CSR file again.

MCatherine1994 commented 4 months ago

FOM TEST certificate is renewed for our Api, Public and Admin site:

MCatherine1994 commented 4 months ago

Removed the certbot cronjob from Openshift FOM TEST namespace as it's not working anymore.

bcgov / nr-fom

Renew TEST Certificate (mid April) #608