Renewing ganeti certificates of old cluster

John N.

Jul 7, 2018, 5:46:31 AM
to ganeti
Hi,

I still have a Debian 7 with ganeti 2.9.6 cluster which is hopefully meant to be taken out of prod soon, but in the meantime I have noticed that the ganeti certificates are expiring:

Sat Jul  7 10:54:02 2018   - WARNING: cluster: While verifying /var/lib/ganeti/rapi.pem: Certificate expires in about 8 days
Sat Jul  7 10:54:02 2018   - WARNING: cluster: While verifying /var/lib/ganeti/server.pem: Certificate expires in about 8 days
Sat Jul  7 10:54:02 2018   - WARNING: cluster: While verifying /var/lib/ganeti/spice.pem: Certificate expires in about 8 days
Sat Jul  7 10:54:02 2018   - WARNING: cluster: While verifying /var/lib/ganeti/spice-ca.pem: Certificate expires in about 8 days

I would now like to renew all of them and based on the documentation (http://docs.ganeti.org/ganeti/2.12/html/cluster-keys-replacement.html) I listed below the commands I will need to apply on the master node in order to renew these certs:

openssl req -new -newkey rsa:1024 -days 1825 -nodes -x509 -keyout /var/lib/ganeti/rapi.pem -out /var/lib/ganeti/rapi.pem -batch
openssl req -new -newkey rsa:1024 -days 1825 -nodes -x509 -keyout /var/lib/ganeti/server.pem -out /var/lib/ganeti/server.pem -batch
openssl req -new -newkey rsa:1024 -days 1825 -nodes -x509 -keyout /var/lib/ganeti/spice.pem -out /var/lib/ganeti/spice.pem -batch
openssl req -new -newkey rsa:1024 -days 1825 -nodes -x509 -keyout /var/lib/ganeti/spice-ca.pem -out /var/lib/ganeti/spice-ca.pem -batch
chmod 0400 /var/lib/ganeti/*.pem
/etc/init.d/ganeti restart
gnt-cluster copyfile /var/lib/ganeti/server.pem
gnt-cluster command /etc/init.d/ganeti restart

Could someone confirm that this is correct? Also if this goes wrong, nothing should happen to the ganeti instances, right?

Cheers,
John

Sascha Lucas

Jul 9, 2018, 3:03:38 AM
to gan...@googlegroups.com
Hi John,

> I still have a Debian 7 with ganeti 2.9.6 cluster

I've also some 2.9 clusters.

> (http://docs.ganeti.org/ganeti/2.12/html/cluster-keys-replacement.html)

...

> Could someone confirm that this is correct? Also if this goes wrong, nothing
> should happen to the ganeti instances, right?

I confirm that the doc-link above, paragraph "On older versions, which don’t
have this command" worked for me with ganeti-2.9 last year.

And yes, your instances keep running/unaffected.

Thanks, Sascha.

John N.

Jul 13, 2018, 1:20:11 PM
to ganeti
Thank you Sascha for confirming. I just renewed all the 4 certs now and it worked smoothly...

Cheers,
J.
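
A check that can be run on the master node after the renewal described in this thread, as an added example that is not part of the original posts or of Ganeti: it confirms that each combined key-and-certificate PEM file parses, is not close to expiry, holds a private key matching its certificate, and carries the 0400 mode set above. The function names, the 30-day threshold and the constructed sample certificate are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from Ganeti): post-renewal sanity check
# for combined key+certificate PEM files such as /var/lib/ganeti/server.pem.

# check_pem FILE [MIN_DAYS]: prints one status line, returns 0 only if all checks pass.
check_pem() {
    local f=$1 min_days=${2:-30} cert_pub key_pub mode bits
    if ! cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null); then
        echo "FAIL $f: no readable certificate"; return 1
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$f" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL $f: expires within $min_days days ($(openssl x509 -in "$f" -noout -enddate))"
        return 1
    fi
    # Key and certificate share one file, so the private key must match the cert.
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL $f: private key missing or does not match certificate"; return 1
    fi
    # The thread sets chmod 0400 because the file contains the private key.
    mode=$(stat -c %a "$f") || mode="unknown"   # GNU stat, as on Debian
    if [ "$mode" != "400" ]; then
        echo "FAIL $f: mode is $mode, expected 400"; return 1
    fi
    bits=$(openssl x509 -in "$f" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    echo "OK   $f: valid for more than $min_days days, key matches, mode 400, ${bits}-bit key"
}

# make_constructed_pem FILE DAYS: constructed sample for trying the check offline.
# Same openssl form as the thread's commands, but with a throwaway subject and
# a 2048-bit key (both assumptions of this example).
make_constructed_pem() {
    openssl req -new -newkey rsa:2048 -days "$2" -nodes -x509 \
        -keyout "$1" -out "$1" -batch -subj "/CN=constructed.example" 2>/dev/null
    chmod 0400 "$1"
}

# Usage: ./check-pems.sh /var/lib/ganeti/*.pem   (does nothing without arguments)
for f in "$@"; do check_pem "$f" 30 || true; done
```

Running it again on each node after `gnt-cluster copyfile` shows whether the copied `server.pem` passes the same checks there.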