9.9 Replacing TLS/SSL Certificates

Certificates are sometimes not renewed properly and remain outdated. To replace outdated certificates, follow the procedure below.

  1. Log in to the administration node using SSH.

  2. Move the expired certs out of the way.

    root@admin # mv /etc/pki/{velum,ldap,salt-api}.crt /root
  3. Generate new certificates.

    root@admin # cd /etc/pki
    root@admin # /usr/share/caasp-container-manifests/gen-certs.sh

    HINT: Generating Additional Certificates

    To regenerate additional certificates, for example /etc/pki/kubectl-client-cert.crt, add an additional line at the end of the gen-certs.sh script:

    root@admin # transactional-update shell
    transactional update # echo "gencert \"kubectl-client-cert\" \"kubectl-client-cert\" \
        \"\$all_hostnames\" \"\$(ip_addresses)\"" >>/usr/share/caasp-container-manifests/gen-certs.sh
    transactional update # /usr/share/caasp-container-manifests/gen-certs.sh
    transactional update # exit
  4. Log in to a master node using SSH.

  5. Back up and delete the dex-tls secret.

    root@master # kubectl -n kube-system get secret dex-tls -o yaml > /root/dex-tls
    root@master # kubectl -n kube-system delete secret dex-tls
  6. On a master node, find and delete the Dex pods.

    IMPORTANT: This Step Breaks Authentication

    Executing this step prevents new authentication requests from succeeding. However, the static credentials located on the master nodes continue to function.

    The Dex pods will not restart by themselves until the dex-tls secret is recreated.

    root@master # kubectl -n kube-system get pods | grep dex
    root@master # kubectl -n kube-system delete pods DEX_POD1 DEX_POD2 DEX_POD3
  7. Manually run the salt orchestration on the administration node. This may take some time.

    root@admin # docker exec -it $(docker ps -q -f name="salt-master") \
        bash -c "salt-run state.orchestrate orch.kubernetes" > salt-run.log 2>&1
  8. Check the tail of salt-run.log to see if the orchestration succeeded.

    root@admin # tail -n 50 salt-run.log
  9. On a master node, validate that the Dex pods are running.

    root@master # kubectl -n kube-system get pods | grep dex
  10. If you cannot log in to Velum, reboot the administration node. Then test and validate that the cluster is still functional.
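As an added example, not part of the SUSE documentation: a small POSIX shell script to run on the administration node before step 2, which reports whether each of the three certificates is actually expired (or expires within a chosen window) so that only genuinely outdated certificates are moved aside and regenerated. It assumes the openssl CLI is installed and that the script is saved as check-certs.sh; the 30-day window is an assumption.

```shell
#!/bin/sh
# Added example, not part of the CaaS Platform documentation.
# Checks the certificates replaced in step 2 for expiry before touching them.
# Assumes the openssl CLI is available on the administration node.

# Return 0 if the certificate in $1 will have expired $2 seconds from now
# (default 0, i.e. is expired right now), 1 if it is still valid then,
# 2 if the file cannot be read.
cert_needs_replacement() {
    cert="$1"
    within="${2:-0}"
    [ -r "$cert" ] || { echo "missing or unreadable: $cert" >&2; return 2; }
    # `openssl x509 -checkend N` exits 0 while the certificate is still
    # valid N seconds from now and 1 once it will have expired by then.
    if openssl x509 -noout -checkend "$within" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the notAfter date and a verdict for every certificate given after
# the window argument. Returns the number of certificates flagged for
# replacement (0 means nothing needs to be moved out of the way).
report_certs() {
    within="$1"; shift
    count=0
    for cert in "$@"; do
        expiry=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null | sed 's/^notAfter=//')
        if cert_needs_replacement "$cert" "$within"; then
            echo "REPLACE  $cert (notAfter=$expiry)"
            count=$((count + 1))
        else
            echo "ok       $cert (notAfter=$expiry)"
        fi
    done
    return "$count"
}

# Same certificates as in step 2; only runs when invoked as check-certs.sh.
if [ "${0##*/}" = "check-certs.sh" ]; then
    report_certs $((30 * 24 * 3600)) \
        /etc/pki/velum.crt /etc/pki/ldap.crt /etc/pki/salt-api.crt
fi
```

A certificate reported as `ok` does not need step 2; if all three are `ok`, the login problem lies elsewhere (for example in the dex-tls secret handled in steps 5 and 6).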