@oldarmyc
Last active Nov 9, 2018
SSL certs by hand AE5

These steps edit or set the SSL certificates by hand.

Before you begin, ensure that OpenJDK is installed. At the time of writing, java-1.8.0-openjdk is the current version on CentOS 7.5.

yum install java-1.8.0-openjdk -y

Ensure you have your certificate and private key on the system where you are running these commands.

We will create a file, certificates.yaml, to load into the system.

First, create the keystore.jks file that will be used by Java. Note: If using Let's Encrypt, use the fullchain.pem file instead of cert.pem.

openssl pkcs12 -passout pass:anaconda -export -in CERT.PEM -inkey KEY.PEM -out certificate.p12 -name auth
keytool -importkeystore -deststorepass anaconda -destkeypass anaconda -destkeystore keystore.jks -srckeystore certificate.p12 -srcstoretype PKCS12 -srcstorepass anaconda -alias auth

Create an updated root CA file to use with the system. For Let's Encrypt you can get the root CA here: https://letsencrypt.org/certs/isrgrootx1.pem.txt

For RHEL-based systems the path to the trusted CA is /etc/ssl/certs/ca-bundle.trust.crt. For Ubuntu-based systems the path to the system CA is /etc/ssl/certs/ca-certificates.crt.

cat ROOT.CA /etc/ssl/certs/ca-bundle.trust.crt > updated-trust-ca.crt

Set up the base structure of the file. The steps below append the data entries to it.

cat > certificates.yaml <<EOL
apiVersion: v1
kind: Secret
metadata:
  name: anaconda-enterprise-certs
type: Opaque
data:
EOL

Add the SSL certificate for the main domain, for example test.anaconda.com.

printf "  tls.crt: " >> certificates.yaml
base64 -i --wrap=0 CERT.PEM >> certificates.yaml

Add the private key for the certificate

printf "\n  tls.key: " >> certificates.yaml
base64 -i --wrap=0 KEY.PEM >> certificates.yaml

Add the SAN certificate to the file, for example *.test.anaconda.com.

printf "\n  wildcard.crt: " >> certificates.yaml
base64 -i --wrap=0 CERT.PEM >> certificates.yaml

Add the private key for the SAN certificate

printf "\n  wildcard.key: " >> certificates.yaml
base64 -i --wrap=0 KEY.PEM >> certificates.yaml

Add the keystore that we generated previously.

printf "\n  keystore.jks: " >> certificates.yaml
base64 -i --wrap=0 keystore.jks >> certificates.yaml

Add the updated root CA that we created previously.

printf "\n  rootca.crt: " >> certificates.yaml
base64 -i --wrap=0 updated-trust-ca.crt >> certificates.yaml

Add a newline at the end of the file

printf '\n' >> certificates.yaml

Copy to the share directory to use inside gravity

cp certificates.yaml /var/lib/gravity/planet/share

Enter gravity and list out your secrets

gravity enter
kubectl get secrets

We are removing one of the secrets, so take a backup first in case things go south.

kubectl get secret anaconda-enterprise-certs -o yaml --export > anaconda_certs.backup

Remove the existing secret for certs and recreate the secret from the file we placed in the share.

kubectl delete secret anaconda-enterprise-certs
kubectl create -f /ext/share/certificates.yaml

Restart the pods for the change of certificates to take effect

kubectl get pods --no-headers | cut -d' ' -f1 | xargs kubectl delete pods
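
Because the existing secret is deleted before the new one is created, it helps to check certificates.yaml on the host first. The script below is an added example, not part of the original gist: it confirms the manifest ends with a newline and that each data field decodes back to the exact file it was built from, and includes a check that a certificate and private key belong together. The function names and the FIELD=FILE argument form are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original gist; function names are hypothetical.
# Checks certificates.yaml against its source files before the secret is replaced.

# field_matches MANIFEST FIELD FILE: data.FIELD must decode to FILE's exact bytes.
field_matches() {
    value=$(awk -v k="$2:" '$1 == k { print $2 }' "$1")
    [ -n "$value" ] || { echo "missing field: $2" >&2; return 1; }
    printf '%s' "$value" | base64 -d 2>/dev/null | cmp -s - "$3" ||
        { echo "field $2 does not decode to $3" >&2; return 1; }
}

# The file must end in a newline so the last data line is terminated.
ends_with_newline() { [ "$(tail -c 1 "$1" | wc -l)" -eq 1 ]; }

# cert_matches_key CERT KEY: the first certificate in CERT and the private key
# must carry the same public key (uses the openssl CLI).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# verify_manifest MANIFEST FIELD=FILE...
verify_manifest() {
    manifest=$1; shift
    ends_with_newline "$manifest" ||
        { echo "$manifest: no trailing newline" >&2; return 1; }
    for pair in "$@"; do
        field_matches "$manifest" "${pair%%=*}" "${pair#*=}" || return 1
    done
}

# Constructed sample (placeholder bytes, not real key material), assembled the
# same way as the steps above.
selftest() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample\n' > "$dir/sample.pem"
    { printf 'data:\n  tls.crt: '; base64 < "$dir/sample.pem" | tr -d '\n'
      printf '\n'; } > "$dir/certificates.yaml"
    verify_manifest "$dir/certificates.yaml" tls.crt="$dir/sample.pem"
    rc=$?; rm -rf "$dir"; return "$rc"
}

# With arguments, verify real files; without, run the constructed self-test.
if [ "$#" -gt 0 ]; then verify_manifest "$@"; else selftest; fi
```

Saved under a hypothetical name such as verify.sh, it can be run on the host before entering gravity as `sh verify.sh certificates.yaml tls.crt=CERT.PEM tls.key=KEY.PEM keystore.jks=keystore.jks rootca.crt=updated-trust-ca.crt`.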