We now have an expired emulab.pem certificate. So we failed at "ideally you want to do this before the certificate expires..." :-)
I followed the steps in your previous email (see below), and am now at the point of "initcerts"
ps: we didn't update the testbed yet, because we are running a very old version, on an old Freebsd. We plan to upgrade our servers soon and will do a full reinstall at that point.
You probably want to update your testbed first. Then follow these instructions. (the location of your source and obj may differ since these instructions are for a genirack.)
These are instructions for regenerating the certificates. You
typically want to do this before the old certs expire. :-)
First off, find an object tree. On a Geni rack, the best place
is ~elabman/emulab-devel/obj.
Typically, you want to reuse the old keys so that existing certs are still
valid. But if you have let the CA expire, well then it does not matter, all
existing certs are invalid. But anyway:
boss> sudo testbed-control shutdown
boss> cd ssl
boss> sudo gmake recover-keys
boss> gmake remote-site
boss> sudo gmake remote-site-boss-install
boss> sudo scp /usr/testbed/etc/emulab.pem ops:/usr/testbed/etc
boss> sudo scp /usr/testbed/etc/ctrlnode.pem ops:/usr/testbed/etc
boss> sudo scp /usr/testbed/etc/emulab.pem ops:/etc/emulab/
boss> sudo scp /usr/testbed/etc/ctrlnode.pem ops:/etc/emulab/client.pem
If you do NOT have a real web certificate (issued by a real authority) on
boss, you need to install a new apache certificate.
boss> sudo gmake apache-install
You need to update the MFSs so that they have the new certificates.
boss> sudo localize_mfs /tftpboot/freebsd
boss> sudo localize_mfs /tftpboot/frisbee
If you have PROTOGENI defined in the defs file, you need to regen those
certificates too. First tell Utah since we have to remove you from the
current bundle before you can send in a new one. Then:
boss> sudo rm /usr/testbed/etc/.protogeni_federated
boss> sudo rm /usr/testbed/etc/.federated
boss> sudo /usr/testbed/sbin/protogeni/initcerts -r -k
Now you can restart apache and the testbed:
boss> sudo /usr/local/etc/rc.d/apache22 stop
boss> sudo /usr/local/etc/rc.d/apache22 start
boss> sudo testbed-control boot
boss> sudo reregister
boss> register_resources -f -r
And then tell Utah that your part is done, so we can add the new cert back
into bundle. Once we respond:
boss> sudo /usr/testbed/sbin/protogeni/getcacerts
And you should be good to go!