
Hello, I would like to know if there is another way to renew a TLS certificate used to access IFS without reinstalling the entire Kubernetes cluster?

Hi Regis,

  1. Prepare an updated TLS certificate.
  2. Copy the new TLS certificate to ifsroot\config\certs.
  3. Open ifsroot\config\ifscloud-values.yaml.
  4. Update and verify "certificateFile" and "certificatePassword" as appropriate.
  5. Rerun mtinstaller action.
installer.cmd --set action=mtinstaller

Then verify the certificate validity dates. An example with openssl:

openssl s_client -connect <url>:443 | openssl x509 -noout -dates

Best regards -- Ben


@K4uRegisC For Kubernetes-related certificates, you can refer to the following article. Two methods are mentioned for renewing the certificate.

Follow the instructions mentioned below to verify all the certificates related to microk8s.

  1. Log in to the middleware server of the environment (SSH).
  2. Check if certificates are available in the path below:
    1. /var/snap/microk8s/current/certs
  3. Now run the command below on all .crt files:
    1. openssl x509 -in <.crt path>/<crt name>.crt -noout -enddate
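The per-file check in the steps above, as an added example that is not part of the original posts: it loops over every .crt file in a directory and flags certificates that expire within a warning window, using `openssl x509 -checkend`. The function names `cert_status` and `check_cert_dir` and the 30-day default are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report expiry for every .crt file in a
# directory and flag those that expire within a warning window.
# Function names and the 30-day default are assumptions of this example.

# cert_status FILE DAYS -> prints OK, EXPIRING (or already expired), UNREADABLE
cert_status() {
    file=$1
    days=$2
    # Reject files that openssl cannot parse as an X.509 certificate.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo UNREADABLE
        return 0
    fi
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo OK
    else
        echo EXPIRING
    fi
}

# check_cert_dir DIR [DAYS] -> one line per cert; returns 1 if any is not OK
check_cert_dir() {
    dir=$1
    days=${2:-30}
    rc=0
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue            # glob matched nothing
        status=$(cert_status "$crt" "$days")
        end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null) || end=""
        printf '%-10s %s  %s\n' "$status" "$crt" "${end#notAfter=}"
        [ "$status" = OK ] || rc=1
    done
    return $rc
}

# Run only when a directory is given, e.g.:
#   sh check-certs.sh /var/snap/microk8s/current/certs 30
if [ "$#" -gt 0 ]; then
    check_cert_dir "$@"
fi
```

The non-zero return code makes the script usable from cron or a monitoring check, so an approaching expiry is noticed before the cluster certificates lapse.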

The ingress certificate on the system_url can be changed with the normal ifsinstaller/installer - make sure all pods are restarted afterwards - also make sure ifs-monitoring is deinstalled first and then reapplied afterwards.

The k8s API certificate will, as far as I know, require a reinstall of the cluster (I have tried the instructions from microk8s, which failed for me). A reinstall is also required to be on the later versions of k8s - which is desirable from a security patching perspective. A k8s cluster will need patching (reinstall) at least yearly and then the cert expiry is not an issue anymore. :)


@hhanse Agreed. As discussed, the best option would be to create the cluster annually, as this will automatically renew all the related certificates under Kubernetes (k8s).


Hi,

I followed these steps but it doesn’t work:

  1. Prepare an updated TLS certificate.
  2. Copy the new TLS certificate to ifsroot\config\certs.
  3. Open ifsroot\config\ifscloud-values.yaml.
  4. Update and verify "certificateFile" and "certificatePassword" as appropriate.
  5. Rerun mtinstaller action.
installer.cmd --set action=mtinstaller

The secret is not updated, maybe I need to delete it first? ifs-ingress.crt secret


Have you restarted the ingress pods as well?

kubectl delete pod ingress-ingress-nginx-controller-475lv -n ifs-ingress

 


Hello, no need to restart the ingress pod, to resolve this issue I need to delete the ifs-ingress.crt secret


Your comment surprised me… I had to look it up in the Helm chart.

Deleting ifs-ingress.crt should only be required if you want a new autogenerated self-signed cert (valid for 10 years). If you supply a new cert via the ifscloud-values.yaml - it should update the existing ifs-ingress.crt


Maybe that can be explained by this line in secrets.yaml:

 

{{- if or ( not ( lookup "v1" "Secret" $.Values.global.namespace "ifs-ingress.crt" ) ) .Values.regenerateCert  -}}


The line before is:

{{ if not .Values.tlsSecrets.ifsIngressCert.key }}

{{- if or ( not ( lookup "v1" "Secret" $.Values.global.namespace "ifs-ingress.crt" ) ) .Values.regenerateCert  -}}

Which means that if you have passed your own cert then the lookup for the "ifs-ingress.crt" will never happen.

