UpdateCertificates: Difference between revisions

From T2B Wiki
Jump to navigation Jump to search
 
(12 intermediate revisions by 3 users not shown)
Line 1: Line 1:


== Deprecated content ! Please read before going any further on this page ! ==
== Update and request server certificates ==
The procedure to request certificates has changed since a few months. The new procedure is described [http://wikit.iihe.ac.be/index.php/SSL_Certificates here].


So, what is written below is not valid anymore and needs to be adapted...
== Update and request server certificates ==
[[PageOutline]]
----
=== Introduction ===
=== Introduction ===
All certificates for our machines will have to be updated every year. We will receive mails starting 2 weeks before the certificates expire. <br>
All certificates for our machines will have to be updated every year. We will receive mails starting 2 weeks before the certificates expire. <br>
Line 15: Line 9:
=== Procedure ===
=== Procedure ===


Log in on '''ccq3''' and generate all the necessary certificates with this tool:
Log in on '''qnat''' and generate all the necessary certificates with this tool:
<pre>
<pre>
/opt/CB6/tmp/src/begrid/cb-client/certificate_tool.py  
/root/new-cert/certificate_tool.py
</pre>
</pre>
the tools help output gives:
the tools help output gives:
Line 41: Line 35:
To create a new certificate, do:
To create a new certificate, do:
<pre>
<pre>
/opt/CB6/tmp/src/begrid/cb-client/certificate_tool.py --mode=new --dir=/root/new-cert/ --att=OU=IIHE,CN=behar050.iihe.ac.be,emailAddress=grid_admin@listserv.vub.ac.be --debug
/root/new-cert/certificate_tool.py --mode=new --dir=/root/new-cert/ --att=OU=IIHE,CN=behar050.iihe.ac.be,emailAddress=grid_admin@listserv.vub.ac.be --debug
</pre>
</pre>
Then, upload the -req- file to digicert. Only Shkelzen and Olivier have the correct authorizations to do this. Ask them to do it for you.
==== Renew Certificates ====
==== Renew Certificates ====
To renew all certificates, first remove all .pem files in /root/new-cert/. Move the .tpl files from /root/new-cert/private to /root/new-cert/. Then, remove everything from the 2 subdirectories (private and PemDir)<br>
With the old crt (that can be found in the -req- files, you can renew your certificateS. Most should have an automatic renewal, so nothing needs to be done.<br>
Then Do:
 
'''1.'''
 
Download all the zip files containing the certificates and put them in /root/new-cert/Zips . To avoid mixing things up, better to first empty this directory<br>
 
 
Remove everything from the 2 subdirectories private and PemDir. Their contents will be regenerated<br>
issue:
<pre>
<pre>
/opt/CB6/tmp/src/begrid/cb-client/certificate_tool.py --mode=renew --dir=/root/new-cert/ --debug
/root/new-cert/certificate_tool.py --mode=extract --dir=/root/new-cert/
</pre>
</pre>  
'''2.'''All the keys need to be uploaded one by one to the belnet site. Go to https://gridra.belnet.be , click "Request a Certificate", choose server from the drop down box. Upload one generate certificate (the ones with -req). On OU needs to be added. For this chose 'VUB'. <br> <br>
Look in PemDir, there should be as many .pem files as you put .zip files. <br>
If not, some certificates might be in the wrong format. You can always download the correct one from the DigiCert interface. Just click on the certificate number and download in crt format. <br>
 
 
'''2.'''


'''3.''' All the generated certificates will be send via mail. Download them all (choose only the one ending in _iihe_ac_be.pem from every mail) and put them in /root/new-cert/PemDir and do:
Next, issue
<pre>
<pre>
/opt/CB6/tmp/src/begrid/cb-client/certificate_tool.py --mode=get  --dir=/root/new-cert/ --debug
/root/new-cert/certificate_tool.py --mode=get  --dir=/root/new-cert/ --debug
</pre>
</pre>
all the certificates templates will be saved in /root/new-cert/private. <br> <br>
all the certificates templates will be saved in /root/new-cert/private. <br> <br>
'''4.''' next step is to update all the quattor files and to make the clients connect for their new certificates. <br>
 
For this, put the private templates on ccq3, /opt/CB6/private or /opt/CB5/private, in the appropriate glite version dir.
 
'''3.'''  
 
next step is to update all the quattor files and to make the clients connect for their new certificates. <br>
For this, put the private templates on '''qclig''', /opt/CB9/private.
<pre>
<pre>
cd /opt/CB6/svncheck/
cd /opt/CB9/svncheck/
./runcheck
./runcheck
</pre>
</pre>
'''5.''' This will broadcast a message to all the machines and they will respond within 5 minutes and start updating. All services except one will update fine <br> <br>
 
'''6.''' We now check that the update was complete and for this we first log in to '''maite'''.  
 
'''4.'''  
 
This will broadcast a message to all the machines and they will respond within 5 minutes and start updating. All services except one will update fine <br> <br>
'''5.'''  
 
We now check that the update was complete and for this we first log in to '''maite'''.  
<pre>
<pre>
grep filecopy /var/log/ncm-cdispd.log
grep filecopy /var/log/ncm-cdispd.log
Line 94: Line 112:
If this is not enough think of restarting the node.
If this is not enough think of restarting the node.


If the DN of the machine changes (new certificate provider, ...) then its need to be added explicitly into the template of argus. The affected variable is PAP_HOST_DN.  
If the DN of the machine changes (new certificate provider, ...) then its need to be added explicitly into the template of argus. The affected variable is PAP_HOST_DN.  <br>
'''IMPORTANT:''' the DN can change even while staying with the same provider! Check the old and the new DN with
 
<pre>
openssl x509 -in /etc/grid-security/hostcert.pem -noout -subject
</pre>
 
'''9.''' (Optional) Adapt GOCDB server entry
 
If the DN of the machine changes (especially needed for APEL) then go to the GOCDB page and edit the corresponding entry to reflect the new DN.  






{{TracNotice|{{PAGENAME}}}}
{{TracNotice|{{PAGENAME}}}}

Latest revision as of 11:52, 3 May 2017

Update and request server certificates

Introduction

All certificates for our machines will have to be updated every year. We will receive mails starting 2 weeks before the certificates expire.
the decision was taken to update all the certificates at once and Stein De Weirdt wrote a script to do just that.
The last update of the certificates happened on 2 mai 2008 on a cloudy but warm afternoon.

Procedure

Log in on qnat and generate all the necessary certificates with this tool:

/root/new-cert/certificate_tool.py

the tools help output gives:

Usage: 
    --mode    Mode: new,renew,conv,get (default: renew)
                    renew: make new server requests from existing certificates (in directory --dir) and upload the requests
                    get: - will make quattor templates in <--dir>/private
                         - public key need to be put in <--dir>/PemDir (to be created)
                         - the matching private key is looked for in <--dir>
                    new: make new server request (with DN attributes --att and create the requests/key in --dir)
    --dir     Read/write templates to/from dir (default: .)
  
    --debug   Set debug mode. (default: False) 
    --att     DN Attributes, comma separated list eg (OU=IIHE,CN=gridce.iihe.ac.be,emailAddress=grid_admin@listserv.vub.ac.be) 
              - assumes C=BE and O=BEGRID 
              - emailAddress is mandatory (and should be last att)

1. Create/renew certificate

Create New Certificate

To create a new certificate, do:

/root/new-cert/certificate_tool.py --mode=new --dir=/root/new-cert/ --att=OU=IIHE,CN=behar050.iihe.ac.be,emailAddress=grid_admin@listserv.vub.ac.be --debug

Then, upload the -req- file to digicert. Only Shkelzen and Olivier have the correct authorizations to do this. Ask them to do it for you.

Renew Certificates

With the old crt (that can be found in the -req- files, you can renew your certificateS. Most should have an automatic renewal, so nothing needs to be done.

1.

Download all the zip files containing the certificates and put them in /root/new-cert/Zips . To avoid mixing things up, better to first empty this directory


Remove everything from the 2 subdirectories private and PemDir. Their contents will be regenerated
issue:

/root/new-cert/certificate_tool.py --mode=extract --dir=/root/new-cert/

Look in PemDir, there should be as many .pem files as you put .zip files.
If not, some certificates might be in the wrong format. You can always download the correct one from the DigiCert interface. Just click on the certificate number and download in crt format.


2.

Next, issue

/root/new-cert/certificate_tool.py --mode=get  --dir=/root/new-cert/ --debug

all the certificates templates will be saved in /root/new-cert/private.


3.

next step is to update all the quattor files and to make the clients connect for their new certificates.
For this, put the private templates on qclig, /opt/CB9/private.

cd /opt/CB9/svncheck/
./runcheck


4.

This will broadcast a message to all the machines and they will respond within 5 minutes and start updating. All services except one will update fine

5.

We now check that the update was complete and for this we first log in to maite.

grep filecopy /var/log/ncm-cdispd.log

Or alternatively

less /var/log/ncm/component-filecopy.log

Now, check the certificate:

openssl x509 -in /etc/grid-security/hostcert.pem -noout -dates

And make sure the new end date is indeed a year from now.


7. We now perform a final check: log in to any UI and do

srmls srm://maite.iihe.ac.be:8443/pnfs/iihe/cms

also try to copy some files from storage to the use disk using dccp. All directories should be listed.

8. Restart argus service on argus

service argus stop
service argus start

If this is not enough think of restarting the node.

If the DN of the machine changes (new certificate provider, ...) then its need to be added explicitly into the template of argus. The affected variable is PAP_HOST_DN.
IMPORTANT: the DN can change even while staying with the same provider! Check the old and the new DN with

openssl x509 -in /etc/grid-security/hostcert.pem -noout -subject

9. (Optional) Adapt GOCDB server entry

If the DN of the machine changes (especially needed for APEL) then go to the GOCDB page and edit the corresponding entry to reflect the new DN.


Template:TracNotice