genicm expired


Pieter Becue

Nov 7, 2018, 9:10:58 AM
to emulab-admins
Hi all,

Tonight our genicm.pem certificate expired on our Wilab2 testbed:

[root@boss /usr/testbed/etc]#  openssl x509 -in /usr/testbed/etc/genicm.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1019 (0x3fb)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=BE, ST=OV, L=Ghent, O=iMinds - ilab.t, OU=Certificate Authority, CN=boss.wilab2.ilabt.iminds.be/emailAddress=vwall-ops@atlantis.ugent.be
        Validity
            Not Before: May 16 23:51:03 2013 GMT
            Not After : *Nov  7 00:51:03 2018 GMT*

Do you have any suggestions for the renewal process?

(we are still running on quite an old build, so updating will probably
result in some headaches :-))

PROD - [pbe...@boss.wilab2.ilabt.iminds.be ~]$ testbed-version
aggregates_pushed:   1403
buildinfo:           05/08/2017
commithash:          d02863246ce1a791c24a3c3223150dd872ef335e
dbrev:               4.578
install:             5.47
needreboot:          0
protogeni_reregister: 0
OS Version:          FreeBSD 8.3-RELEASE-p3
Perl Version:        5.012004

Thanks,
Pieter

Hussamuddin Nasir

Nov 7, 2018, 9:35:52 AM
to emulab...@googlegroups.com, Pieter Becue

You probably want to update your testbed first. Then follow these instructions (the location of your source and obj may differ, since these instructions are for a genirack).

These are instructions for regenerating the certificates. You
typically want to do this before the old certs expire. :-)

First off, find an object tree. On a Geni rack, the best place
is ~elabman/emulab-devel/obj.

Typically, you want to reuse the old keys so that existing certs are still
valid. But if you have let the CA expire, well then it does not matter, all
existing certs are invalid. But anyway:

    boss> sudo testbed-control shutdown
    boss> cd ssl
    boss> sudo gmake recover-keys
    boss> gmake remote-site
    boss> sudo gmake remote-site-boss-install
    boss> sudo scp /usr/testbed/etc/emulab.pem ops:/usr/testbed/etc
    boss> sudo scp /usr/testbed/etc/ctrlnode.pem ops:/usr/testbed/etc
    boss> sudo scp /usr/testbed/etc/emulab.pem ops:/etc/emulab/
    boss> sudo scp /usr/testbed/etc/ctrlnode.pem ops:/etc/emulab/client.pem

If you do NOT have a real web certificate (issued by a real authority) on
boss, you need to install a new apache certificate.

    boss> sudo gmake apache-install

You need to update the MFSs so that they have the new certificates.

    boss> sudo localize_mfs /tftpboot/freebsd
    boss> sudo localize_mfs /tftpboot/frisbee

If you have PROTOGENI defined in the defs file, you need to regen those
certificates too. First tell Utah since we have to remove you from the
current bundle before you can send in a new one. Then:

    boss> sudo rm /usr/testbed/etc/.protogeni_federated
    boss> sudo rm /usr/testbed/etc/.federated
    boss> sudo /usr/testbed/sbin/protogeni/initcerts -r -k

Now you can restart apache and the testbed:

    boss> sudo /usr/local/etc/rc.d/apache22 stop
    boss> sudo /usr/local/etc/rc.d/apache22 start
    boss> sudo testbed-control boot
    boss> sudo reregister
    boss> register_resources -f -r

And then tell Utah that your part is done, so we can add the new cert back
into bundle. Once we respond:

    boss> sudo /usr/testbed/sbin/protogeni/getcacerts

And you should be good to go!

-- 
cheers,

Hussam
(Hussamuddin Nasir)

Netlab Operations Team

-------------------------------------------------------------------
Laboratory for Adv. Networking  Phone  : (859)218-0059
James F Hardymon Building       Fax    : (859)323-3740
301 Rose Street, Rm 237         E-mail : na...@netlab.uky.edu
Lexington, KY 40506-0495        Web    : http://www.netlab.uky.edu

                        University of Kentucky
                        **********************
------------------------------------------------------------------- 
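
An added example, not part of the thread or of Emulab's own tooling: a Python check that reads `openssl x509 -text -noout` output like the dump in the first post and reports expiry (with a warning window ahead of it) and a weak signature digest such as the `md5WithRSAEncryption` shown there. The function name `audit_cert_dump`, the 60-day window and the weak-digest list are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Excerpt of the `openssl x509 -text -noout` output quoted in the first post.
SAMPLE_DUMP = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1019 (0x3fb)
        Signature Algorithm: md5WithRSAEncryption
        Validity
            Not Before: May 16 23:51:03 2013 GMT
            Not After : Nov  7 00:51:03 2018 GMT
"""

WEAK_DIGESTS = ("md2", "md5", "sha1")  # assumed list of digests to flag
DATE_FMT = "%b %d %H:%M:%S %Y"


def audit_cert_dump(text, now, warn_days=60):
    """Return a list of findings for one `openssl x509 -text` dump."""
    m = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text)
    if not m:
        return ["no 'Not After' field found"]
    findings = []
    # Collapse the double space openssl prints before single-digit days.
    stamp = " ".join(m.group(1).split())
    not_after = datetime.strptime(stamp, DATE_FMT).replace(tzinfo=timezone.utc)
    remaining = not_after - now
    if remaining <= timedelta(0):
        findings.append(f"EXPIRED on {not_after:%Y-%m-%d}")
    elif remaining <= timedelta(days=warn_days):
        findings.append(f"expires in {remaining.days} days")
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if sig and any(d in sig.group(1).lower() for d in WEAK_DIGESTS):
        findings.append(f"weak signature algorithm {sig.group(1)}")
    return findings


if __name__ == "__main__":
    # Constructed "now" on the day of the first post.
    posted = datetime(2018, 11, 7, 12, 0, 0, tzinfo=timezone.utc)
    for finding in audit_cert_dump(SAMPLE_DUMP, posted):
        print(finding)
```

Run from cron against the dump of each certificate under `/usr/testbed/etc`, with `now` set to `datetime.now(timezone.utc)`, this gives the advance warning the instructions above assume.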

Leigh Stoller

Nov 7, 2018, 9:47:24 AM
to emulab...@googlegroups.com, Pieter Becue
FYI: We have a Slack channel for emulab admins. If you do Slack, we can send you
an invite to the channel. Send us the email you would like us to use.

Leigh
