Closed DanielFroehlich closed 1 year ago
Backed up old certs to certsOld2022 on stormshiftdeploy:
[root@stormshiftdeploy ~]# ll certsOld2022/
total 48
-rw-r--r--. 1 root root 4274 Mar 23 2021 redhat-pki-ca-chain.crt
-rw-r--r--. 1 root root 7156 Feb 9 2022 redhatIAM_caServerCertRequest.xml
-rw-r--r--. 1 root root 5657 Feb 11 2022 stormshift.crt
-rw-r--r--. 1 root root 5725 Feb 9 2022 stormshift.csr
-rw-------. 1 root root 3243 Feb 9 2022 stormshift.key
-rw-r--r--. 1 root root 9931 Feb 11 2022 stormshift_fullchain.crt
Generated new CSR:
[root@stormshiftdeploy stormshift]# ansible-playbook -i cfg/inventory.yml -e @cfg/stormshift.yml -e @cfg/ocp1.yml 050_prepare_installhost.yml --tags cert
Submitted CSR to CA manually using Manual Server Certificate Enrollment (the ansible PKI command line tool seems to be broken)
Waited like 2 hours for CSR to be retrieved. Got notified via email, downloaded new cert via download link from email
Stored new base64 encoded cert under certs/stormshift.crt
Created full chain cert using:
[root@stormshiftdeploy certs]# cat stormshift.crt redhat-pki-ca-chain.crt >stormshift_fullchain.crt
Replace Cert on OpenShift Cluster using Ansible postinstall playbook and tag "certs":
[root@stormshiftdeploy stormshift]# ansible-playbook -i cfg/inventory.yml -e @cfg/stormshift.yml -e @cfg/ocp2.yml 360_ocp4_postinstall.yml --tags certs
For RHEV manager cert replacement, follow Instructions steps 5-10
Regarding stormshiftdeploy, nothing needs to be done unless the root CA changes. The root CA is located here: /root/.ovirt/ovirt-config.yaml
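Added example, not part of the original comment or the stormshift playbooks: a check to run on the `cat`-built full chain before the postinstall playbook pushes it to the cluster. The function name `check_fullchain` is hypothetical; it assumes the OpenSSL command-line tool, an unencrypted private key, and a CA chain file that includes the root CA.

```sh
#!/bin/sh
# Added example, not from the stormshift repo. check_fullchain is a made-up name.
# Usage: check_fullchain KEY LEAF CA_CHAIN FULLCHAIN [MIN_DAYS]
# Assumes an unencrypted key and a CA_CHAIN file that includes the root CA.

ncerts() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; }
sha256fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
fail() { echo "FAIL: $*" >&2; return 1; }

check_fullchain() {
    key=$1; leaf=$2; chain=$3; full=$4; min_days=${5:-30}

    # The bundle handed to the cluster must not contain the private key.
    if grep -q 'PRIVATE KEY' "$full"; then fail "private key in $full"; return 1; fi

    # A hand-pasted leaf without a trailing newline fuses its END line with
    # the next BEGIN line when concatenated, so one certificate goes missing.
    if [ "$(ncerts "$full")" -ne $(( $(ncerts "$leaf") + $(ncerts "$chain") )) ]; then
        fail "certificate count mismatch in $full"; return 1
    fi

    # openssl x509 reads only the first PEM block: it must be the leaf.
    if [ "$(sha256fp "$full")" != "$(sha256fp "$leaf")" ]; then
        fail "first certificate in $full is not $leaf"; return 1
    fi

    # The CA must have signed the public key that belongs to our private key.
    if [ "$(openssl x509 -in "$leaf" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        fail "$leaf does not match $key"; return 1
    fi

    # The leaf must chain to the CA bundle and must not expire within MIN_DAYS.
    if ! openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1; then
        fail "$leaf does not verify against $chain"; return 1
    fi
    if ! openssl x509 -in "$leaf" -noout -checkend $(( min_days * 86400 )) >/dev/null; then
        fail "$leaf expires within $min_days days"; return 1
    fi
    echo "OK: $full"
}

# Direct use with the file names from the steps above:
#   sh check_fullchain.sh stormshift.key stormshift.crt \
#       redhat-pki-ca-chain.crt stormshift_fullchain.crt
if [ "$#" -ge 4 ]; then check_fullchain "$@"; fi
```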
Need to renew the master cert used by all clusters and rhev:
The following certificate is going to expire (or has expired) on Sat Feb 04 11:56:18 UTC 2023
Serial number = 0x3c4c
SubjectDN = CN=*.stormshift.coe.muc.redhat.com,OU=SolutionArchitectsDach,O=Red Hat