Deprecated content ! Please read before going any further on this page !
The procedure to request certificates has changed since a few months. The new procedure is described here.
So, what is written below is not valid anymore and needs to be adapted...
Update and request server certificates
All certificates for our machines will have to be updated every year. We will receive mails starting 2 weeks before the certificates expire.
the decision was taken to update all the certificates at once and Stein De Weirdt wrote a script to do just that.
The last update of the certificates happened on 2 mai 2008 on a cloudy but warm afternoon.
Log in on ccq3 and generate all the necessary certificates with this tool:
the tools help output gives:
Usage: --mode Mode: new,renew,conv,get (default: renew) renew: make new server requests from existing certificates (in directory --dir) and upload the requests get: - will make quattor templates in <--dir>/private - public key need to be put in <--dir>/PemDir (to be created) - the matching private key is looked for in <--dir> new: make new server request (with DN attributes --att and create the requests/key in --dir) --dir Read/write templates to/from dir (default: .) --debug Set debug mode. (default: False) --att DN Attributes, comma separated list eg (OU=IIHE,CN=gridce.iihe.ac.be,emailAddressfirstname.lastname@example.org) - assumes C=BE and O=BEGRID - emailAddress is mandatory (and should be last att)
1. Create/renew certificate
Create New Certificate
To create a new certificate, do:
/opt/CB6/tmp/src/begrid/cb-client/certificate_tool.py --mode=new --dir=/root/new-cert/ --att=OU=IIHE,CN=behar050.iihe.ac.be,emailAddressemail@example.com --debug
To renew all certificates, first remove all .pem files in /root/new-cert/. Move the .tpl files from /root/new-cert/private to /root/new-cert/. Then, remove everything from the 2 subdirectories (private and PemDir)
/opt/CB6/tmp/src/begrid/cb-client/certificate_tool.py --mode=renew --dir=/root/new-cert/ --debug
2.All the keys need to be uploaded one by one to the belnet site. Go to https://gridra.belnet.be , click "Request a Certificate", choose server from the drop down box. Upload one generate certificate (the ones with -req). On OU needs to be added. For this chose 'VUB'.
3. All the generated certificates will be send via mail. Download them all (choose only the one ending in _iihe_ac_be.pem from every mail) and put them in /root/new-cert/PemDir and do:
/opt/CB6/tmp/src/begrid/cb-client/certificate_tool.py --mode=get --dir=/root/new-cert/ --debug
all the certificates templates will be saved in /root/new-cert/private.
4. next step is to update all the quattor files and to make the clients connect for their new certificates.
For this, put the private templates on ccq3, /opt/CB6/private or /opt/CB5/private, in the appropriate glite version dir.
cd /opt/CB6/svncheck/ ./runcheck
5. This will broadcast a message to all the machines and they will respond within 5 minutes and start updating. All services except one will update fine
6. We now check that the update was complete and for this we first log in to maite.
grep filecopy /var/log/ncm-cdispd.log
Now, check the certificate:
openssl x509 -in /etc/grid-security/hostcert.pem -noout -dates
And make sure the new end date is indeed a year from now.
copy the certificates so that they can be used by srm:
cp /etc/grid-security/hostcert.pem /var/glite/rgma/.certs/ cp /etc/grid-security/hostkey.pem /var/glite/rgma/.certs/
and restart srm. All should be running.
7. Restart maite once the new certificates have been propagated.
probably not needed at all. 8. We now perform a final check: log in to any UI and do
also try to copy some files from storage to the use disk using dccp. All directories should be listed.
9. The certificate for rgma on mon needs to be deployed by hand:
cd /var/glite/rgma/.certs/ cp /etc/grid-security/*pem ./ /etc/init.d/tomcat5 stop /etc/init.d/tomcat5 start
If the test ops for mon does not turn into green, reboot mon.
10. Restart argus services on argus-emi
service argus restart
If this is not enough think of restarting the node.