Environment
Situation
How to renew expired eDirectory server certificates.
Server certificates are invalid or expired.
Update Kafka keystore with renewed certificates.
Resolution
1. Ensure the eDirectory certificates are valid and renew them if necessary.
Run
# ls -al /etc/ssl/servercerts
This lists the certificate files. Make sure the output is similar to the following and contains the servercert.pem and serverkey.pem files.
total 24
drwxr-xr-x 3 root root 4096 Mar 5 14:40 ./
drwxr-xr-x 5 root root 4096 Feb 4 17:21 ../
-rw------- 1 root root 4317 Mar 5 14:40 servercert.pem
-rw------- 1 root root 1679 Mar 5 14:40 serverkey.pem
Then run
# openssl x509 -in /etc/ssl/servercerts/servercert.pem -noout -text
and check the validity dates in the "Validity" section of the output.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            66:f1:88:59:00:41:ae:a3:c1:9b:5f:cb:a7:89:af:49:2e:e7:7c:90
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU=Organizational CA, O=CISMEDIASP2
        Validity
            Not Before: Mar 5 05:00:00 2019 GMT
            Not After : Mar 5 05:00:00 2021 GMT
...
If the certificates have expired, follow the steps in the article linked below to renew the eDirectory certificates:
https://support.microfocus.com/kb/doc.php?id=7013080
Confirm again that the certificates are now valid:
# ls -al /etc/ssl/servercerts
total 24
drwxr-xr-x 3 root root 4096 Mar 5 14:40 ./
drwxr-xr-x 5 root root 4096 Feb 4 17:21 ../
drwx------ 2 root root 4096 Jul 19 2020 backup/
-rw------- 1 root root 4317 Mar 5 14:40 servercert.pem
-rw------- 1 root root 1679 Mar 5 14:40 serverkey.pem
# openssl x509 -in /etc/ssl/servercerts/servercert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            66:f1:88:59:00:41:ae:a3:c1:9b:5f:cb:a7:89:af:49:2e:e7:7c:90
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU=Organizational CA, O=CISMEDIASP2
        Validity
            Not Before: Mar 5 07:06:55 2021 GMT
            Not After : Mar 5 07:06:55 2023 GMT
...
2. Replace the CIS certificates.
The CIS certificates are in "/etc/opt/novell/cis/certs":
# ls -lh /etc/opt/novell/cis/certs
total 20
drwxrwxrwx+ 1 root root 4096 Mar 5 14:50 ./
drwxrwxrwx 1 root root 4096 Feb 4 17:37 ../
-rw-rw-rw- 1 root root 1675 Jul 20 2020 eprivatekey.pem
-rw-rw-rw- 1 root root 426 Jul 20 2020 epublickey.pem
drwxrwxrwx+ 1 root root 4096 Jan 18 15:01 rootCAs/
-rw-rw-rw- 1 root root 4317 Mar 5 14:50 servercert.pem
-rw-rw-rw- 1 root root 1679 Mar 5 14:50 serverkey.pem
Copy the NEW servercert.pem, serverkey.pem and SSCert.pem from the eDirectory locations over their corresponding CIS copies:
# cp /etc/ssl/servercerts/servercert.pem /etc/opt/novell/cis/certs/servercert.pem
# cp /etc/ssl/servercerts/serverkey.pem /etc/opt/novell/cis/certs/serverkey.pem
# cp /etc/opt/novell/certs/SSCert.pem /etc/opt/novell/cis/certs/rootCAs/SSCert.pem
# ls -lh /etc/opt/novell/cis/certs
-rw-rw-rw- 1 root root 1675 Jul 20 2020 eprivatekey.pem
-rw-rw-rw- 1 root root 426 Jul 20 2020 epublickey.pem
drwxrwxrwx+ 1 root root 4096 Jan 18 15:01 rootCAs/
-rw-rw-rw- 1 root root 4317 Apr 27 18:45 servercert.pem
-rw-rw-rw- 1 root root 1679 Apr 27 18:45 serverkey.pem
3. Recreate the Kafka keystore for the new certificates.
Run the kafka_keystore_update.sh script provided in the Additional Information section. Make sure the file has execute permissions and, if it was downloaded through a Windows system, run it through dos2unix first to correct the line endings.
# dos2unix ./kafka_keystore_update.sh
# chmod +x ./kafka_keystore_update.sh
# sh ./kafka_keystore_update.sh
Verify that the jks files in "/etc/opt/novell/cis/kafka/certs/" have been updated and that their modification time is recent:
# ls -lh /etc/opt/novell/cis/kafka/certs/
-rw-r--r-- 1 root root 4.4K Apr 27 18:45 server.keystore.jks
-rw-r--r-- 1 root root 4.8K Apr 27 18:45 server.p12
-rw-r--r-- 1 root root 1.4K Apr 27 18:45 server.truststore.jks
4. Restart the CIS services so they pick up the new certificates:
# systemctl restart oes-cis-fluentbit.service
# systemctl restart oes-cis-configuration.service
# systemctl restart docker.service
If possible, it is preferable to restart the whole server, since the eDirectory certificates have changed and services other than CIS may also consume them.
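The checks behind steps 1 to 3 (certificate still valid, private key belongs to the certificate, CIS copies identical to the eDirectory originals, keystore rebuilt after the renewal), gathered into one POSIX shell script as an added example; this is not code from the article or from kafka_keystore_update.sh, the paths are the article's and the function names are my own.

```shell
#!/bin/sh
# Added verification helpers for the procedure above; they are not part of
# the KB article or of kafka_keystore_update.sh. Needs only openssl and sh.
# The paths are the ones the article uses; the function names are assumed.
EDIR_CERT=/etc/ssl/servercerts/servercert.pem
EDIR_KEY=/etc/ssl/servercerts/serverkey.pem
CIS_CERT=/etc/opt/novell/cis/certs/servercert.pem
CIS_KEY=/etc/opt/novell/cis/certs/serverkey.pem
KAFKA_KS=/etc/opt/novell/cis/kafka/certs/server.keystore.jks

# Exit 0 when certificate $1 remains valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
# SHA-256 fingerprint of certificate $1 (empty if the file cannot be read).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}
# Exit 0 when private key $1 belongs to certificate $2 (same public key).
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$kpub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}
# Exit 0 when $1 and $2 hold the same certificate (step 2 copied correctly).
copies_in_sync() {
    f=$(cert_fingerprint "$1")
    [ -n "$f" ] && [ "$f" = "$(cert_fingerprint "$2")" ]
}
# Exit 0 when keystore $1 is newer than certificate $2, i.e. step 3 was
# run after the certificate was renewed.
keystore_fresh() {
    [ "$1" -nt "$2" ]
}
# Run every check against the article's paths and print each failure.
check_cis_certs() {
    rc=0
    cert_valid_for_days "$EDIR_CERT" 30 || { echo "eDirectory cert expired or expires within 30 days"; rc=1; }
    key_matches_cert "$EDIR_KEY" "$EDIR_CERT" || { echo "serverkey.pem does not match servercert.pem"; rc=1; }
    copies_in_sync "$EDIR_CERT" "$CIS_CERT" || { echo "CIS copy of servercert.pem is stale"; rc=1; }
    key_matches_cert "$CIS_KEY" "$CIS_CERT" || { echo "CIS serverkey.pem does not match CIS servercert.pem"; rc=1; }
    keystore_fresh "$KAFKA_KS" "$CIS_CERT" || { echo "Kafka keystore older than cert: rerun kafka_keystore_update.sh"; rc=1; }
    return $rc
}
# Run the full check only when invoked with --check (e.g. sh check.sh --check).
if [ "${1:-}" = "--check" ]; then check_cis_certs; fi
```

Run it after step 4 as root; a non-zero exit with a printed reason tells you which step has to be repeated.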
Cause
Server certificates are invalid and/or expired and need to be re-created; the corresponding CIS certificate copies and Kafka keystores must then be updated as well.