stormshift / support

This repo should serve as a central source for reporting issues with stormshift
GNU General Public License v3.0

master cert renewal #120

Closed DanielFroehlich closed 1 year ago

DanielFroehlich commented 1 year ago

Need to renew the master cert used by all clusters and rhev:

The following certificate is going to expire (or has expired) on Sat Feb 04 11:56:18 UTC 2023 Serial number = 0x3c4c SubjectDN = CN=*.stormshift.coe.muc.redhat.com,OU=SolutionArchitectsDach,O=Red Hat

DanielFroehlich commented 1 year ago
  1. Backed up old certs to certsOld2022 on stormshiftdeploy:

    [root@stormshiftdeploy ~]# ll certsOld2022/
    total 48
    -rw-r--r--. 1 root root 4274 Mar 23  2021 redhat-pki-ca-chain.crt
    -rw-r--r--. 1 root root 7156 Feb  9  2022 redhatIAM_caServerCertRequest.xml
    -rw-r--r--. 1 root root 5657 Feb 11  2022 stormshift.crt
    -rw-r--r--. 1 root root 5725 Feb  9  2022 stormshift.csr
    -rw-------. 1 root root 3243 Feb  9  2022 stormshift.key
    -rw-r--r--. 1 root root 9931 Feb 11  2022 stormshift_fullchain.crt
  2. Generated new CSR:

    [root@stormshiftdeploy stormshift]# ansible-playbook -i cfg/inventory.yml -e @cfg/stormshift.yml -e @cfg/ocp1.yml 050_prepare_installhost.yml --tags cert

  3. Submitted the CSR to the CA manually using Manual Server Certificate Enrollment (the Ansible PKI command line tool seems to be broken)

  4. Waited like 2 hours for CSR to be retrieved. Got notified via email, downloaded new cert via download link from email

  5. Stored new base64 encoded cert under certs/stormshift.crt

  6. Created full chain cert using:

    [root@stormshiftdeploy certs]# cat stormshift.crt redhat-pki-ca-chain.crt >stormshift_fullchain.crt
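
Added example, not part of this issue or of the stormshift playbooks: a Go check to run over stormshift_fullchain.crt before the result of step 6 is rolled out, verifying that the leaf comes first, covers the wildcard name, has enough lifetime left and is signed by the CA chain concatenated after it. `CheckFullchain`, `newTestChain` and the `Test Root CA` / `*.example.test` names are assumptions made here, standing in for the real certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckFullchain validates a PEM bundle in served order (leaf first, then its CA chain, as `cat stormshift.crt redhat-pki-ca-chain.crt` produces): the leaf must cover host and stay valid for minDays, and each certificate must be signed by the next one. Returns the subject CNs in order.
func CheckFullchain(bundle []byte, host string, now time.Time, minDays int) ([]string, error) {
	var der []byte // PEM blocks are concatenated in bundle order and parsed as one DER sequence
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		der = append(der, b.Bytes...)
	}
	certs, err := x509.ParseCertificates(der)
	if err != nil || len(certs) < 2 {
		return nil, fmt.Errorf("need a parsable leaf plus its CA chain, got %d certificate(s): %v", len(certs), err)
	}
	if err := certs[0].VerifyHostname(host); err != nil { // the first certificate must be the leaf for host
		return nil, err
	}
	if certs[0].NotAfter.Before(now.Add(time.Duration(minDays) * 24 * time.Hour)) {
		return nil, fmt.Errorf("leaf expires %s, less than %d days away", certs[0].NotAfter.UTC().Format(time.RFC1123), minDays)
	}
	names := []string{certs[0].Subject.CommonName}
	for i := 1; i < len(certs); i++ { // each CA must have signed the certificate before it; a reversed bundle fails here
		if err := certs[i-1].CheckSignatureFrom(certs[i]); err != nil {
			return nil, fmt.Errorf("%q is not signed by %q: %w", names[i-1], certs[i].Subject.CommonName, err)
		}
		names = append(names, certs[i].Subject.CommonName)
	}
	return names, nil
}

// newTestChain builds a constructed CA plus wildcard leaf (hypothetical names, not stormshift's real certificates), PEM-encoded leaf first.
func newTestChain(leafValidFor time.Duration) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // one key pair serves both certificates to keep the fixture short
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"}, NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "*.example.test"}, DNSNames: []string{"*.example.test"}, NotBefore: now, NotAfter: now.Add(leafValidFor)}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, pub, priv)
	caCert, _ := x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, pub, priv)
	return append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})...)
}
```

Pointing it at the real bundle means reading stormshift_fullchain.crt into `bundle` and passing the cluster wildcard name as `host`; a reversed `cat` order or a bundle missing the CA chain is rejected before it reaches the clusters.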

DanielFroehlich commented 1 year ago

Replace Cert on OpenShift Cluster using Ansible postinstall playbook and tag "certs":

    [root@stormshiftdeploy stormshift]# ansible-playbook -i cfg/inventory.yml -e @cfg/stormshift.yml -e @cfg/ocp2.yml 360_ocp4_postinstall.yml --tags certs

DanielFroehlich commented 1 year ago

For RHEV manager cert replacement, follow Instructions steps 5-10

DanielFroehlich commented 1 year ago

Regarding stormshiftdeploy, nothing needs to be done unless the root CA changes. The root CA is located here: /root/.ovirt/ovirt-config.yaml