Currently the Meta servers (meta*.org, a-1.thiss.io and a-staging-1.thiss.io) and the load balancer servers (md*.org, static.*org, md-lb.thiss.io, static.thiss.io and static.aws2.thiss.io) use SUNET Infra certs.
We monitor them in https://monitor.seamlessaccess.org/nagios4/.
STEP BY STEP GUIDE
- Create the cert according to the guide at https://wiki.sunet.se/display/sunetops/How+to+create+infra+cert.
- Check under nunoc-ops/ca.sunet.se/overlay/var/lib/ca/infra/requests/<peer/server/client> to see whether the current CSR was created as peer, server or client.
- The certificate type for load balancer servers is 'peer' and for Meta servers it is 'server'.
- The key needs to be added to the server manually.
- To get the cert onto the server you need to run the cronjob manually, for example:
/usr/bin/dl_ici_cert infra static.aws1.geant.eu.seamlessaccess.org
- Run cosmos on the servers:
run-cosmos -v
- Check the validity by running:
openssl x509 -text -noout -in /etc/ssl/private/<fqdn>_infra.pem
- On load balancer servers only, also check the validity of the haproxy cert by running:
openssl x509 -text -noout -in /etc/ssl/private/<fqdn>_haproxy.crt
- If the chain files and the key have been updated (the new certificates will show the same expiry date, one year from now), you can restart the service.
Check the service is working:
- Run curl -k https://localhost/ on md.*.org servers; it will show metadata information.
- Run curl -k https://localhost/manifest.json on static.*.org servers; it will show the right version.
- Run curl -k https://localhost on meta.*.org servers; it will show the available metadata files.
- Check that there are no alarms in https://monitor.seamlessaccess.org/nagios4/.
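The validity steps above only eyeball the expiry date; before restarting a service it is also worth confirming that the manually copied key actually belongs to the new chain and, on load balancers, that the haproxy bundle carries the same cert. The script below is an added example for this page, not part of the runbook or of SUNET's tooling. It assumes the private key sits next to the chain as /etc/ssl/private/<fqdn>_infra.key and that <fqdn>_haproxy.crt is a PEM bundle of the cert followed by its key (neither path layout is stated above); CERT_DIR is an assumed override so the checks can be pointed at a scratch directory.

```bash
#!/usr/bin/env bash
# Post-renewal checks for a SUNET infra cert on a SeamlessAccess host.
# Added example, not from the original runbook or any SUNET tool. Assumptions:
#   - private key lives at $CERT_DIR/<fqdn>_infra.key (path not given in the runbook)
#   - <fqdn>_haproxy.crt on load balancers is a PEM bundle: cert, then key
#   - CERT_DIR may be overridden (defaults to the runbook's /etc/ssl/private)

: "${CERT_DIR:=/etc/ssl/private}"

# Succeeds if the first certificate in $1 is still valid $2 days from now.
# A freshly renewed one-year infra cert passes a 300-day threshold; a stale one does not.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Prints a SHA-256 digest of the public key inside certificate $1 (fails if unreadable).
cert_pubkey_digest() {
    local pub
    pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256
}

# Prints a SHA-256 digest of the public key derived from the private key in $1.
# awk extracts the PRIVATE KEY block, so $1 may be a bare key file or a cert+key bundle.
key_pubkey_digest() {
    local pub
    pub=$(awk '/-----BEGIN [A-Z ]*PRIVATE KEY-----/,/-----END [A-Z ]*PRIVATE KEY-----/' "$1" \
          | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256
}

# Succeeds only if the private key in $2 belongs to the certificate in $1.
cert_matches_key() {
    local c k
    c=$(cert_pubkey_digest "$1") || return 1
    k=$(key_pubkey_digest "$2") || return 1
    [ "$c" = "$k" ]
}

# Succeeds if files $1 and $2 carry the same leaf certificate (same SHA-256 fingerprint).
same_leaf_cert() {
    local a b
    a=$(openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null) || return 1
    b=$(openssl x509 -noout -fingerprint -sha256 -in "$2" 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# Runs every check for one host. $1 = fqdn, $2 = cert type as in the runbook:
# "server" (Meta servers) or "peer" (load balancers, which also carry the haproxy bundle).
# Returns 0 only when all checks pass; each failure is reported on stderr.
check_renewed_cert() {
    local fqdn=$1 role=${2:-server} rc=0
    local chain="$CERT_DIR/${fqdn}_infra.pem" key="$CERT_DIR/${fqdn}_infra.key"
    local bundle="$CERT_DIR/${fqdn}_haproxy.crt"

    cert_valid_for_days "$chain" 300 || { echo "FAIL: $chain not renewed (expires within 300 days)" >&2; rc=1; }
    cert_matches_key "$chain" "$key"  || { echo "FAIL: $key does not match $chain" >&2; rc=1; }

    if [ "$role" = peer ]; then
        cert_valid_for_days "$bundle" 300 || { echo "FAIL: $bundle not renewed" >&2; rc=1; }
        same_leaf_cert "$chain" "$bundle"  || { echo "FAIL: $bundle carries a different cert than $chain" >&2; rc=1; }
        cert_matches_key "$bundle" "$bundle" || { echo "FAIL: key inside $bundle does not match its cert" >&2; rc=1; }
    fi
    return $rc
}

# Prints the notAfter of the certificate actually presented on localhost:443 for $1 (SNI).
# Needs a running service, so it is not exercised offline; use it after the restart, since
# the runbook's curl -k checks skip certificate verification and prove nothing about the cert.
served_cert_enddate() {
    openssl s_client -connect localhost:443 -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Usage: ./check_infra_cert.sh <fqdn> [server|peer]
if [ $# -ge 1 ]; then
    check_renewed_cert "$@" && echo "OK: $1 ready for service restart"
fi
```

The key check compares SubjectPublicKeyInfo digests rather than RSA moduli so it works for EC keys too, and it refuses to match when either file is unreadable (an empty input would otherwise hash to the same value on both sides). The 300-day threshold is deliberately loose: it distinguishes a just-renewed one-year cert from last year's without being sensitive to the exact issue time.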