Update SSL certs
Bess Sadler edited this page Apr 10, 2020 · 3 revisions
The SSL certs for *-etd.library.emory.edu must be provided by Emory because they are for an emory.edu domain. We have Nagios monitoring that should give us lots of lead time to know when they will expire. When the SSL certs are less than a few months from expiring, ask someone at Emory to give us updated certs. These are usually provided via email, Slack, or a Freshdesk ticket.
- Start with qa-etd.library.emory.edu. Do all the steps there, to ensure everything works as expected, then go back and repeat for staging, and if all of that goes smoothly move on to production.
- Ensure you have an AMI snapshot of the system so that, if anything goes wrong, you can restore to it and start over.
- Check out the `emory-cm` GitHub repository at https://github.com/curationexperts/emory-cm. Make sure to follow the instructions in the README there about checking it out recursively:
  ```
  git clone --recurse git@github.com:curationexperts/emory-cm.git
  ```
- Ensure you have the DCE Ansible vault password. It should go into a file called `~/.vault_pass.txt` on your local system, and you should have a line like `export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt` in your `.bashrc` or `.zshrc` file, whatever you use to set up your UNIX environment.
- Now you should be able to decrypt the `emory_ssl.yml` file:
  ```
  cd emory-cm/roles/emory_ssl/vars
  ansible-vault decrypt emory_ssl.yml
  ```
- Once it is decrypted, you can edit the `emory_ssl.yml` file. This is where all of the actual certs are stored, and they get decrypted and written to the correct place on the system via an Ansible script. Edit `emory_ssl.yml` and replace the parts of that file with the updated certs you received from Emory.
- Encrypt the file again:
  ```
  ansible-vault encrypt emory_ssl.yml
  ```
- Now run the playbook:
  ```
  ansible-playbook update_ssl.yml --extra-vars "host=qa"
  ```
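
A check for the decrypt/edit/encrypt steps above, as an added example that is not part of the emory-cm repository: it confirms a vars file starts with the `$ANSIBLE_VAULT;` header that `ansible-vault encrypt` writes, and flags any readable PEM private-key header. The script name `check_vault.sh` is hypothetical.

```shell
#!/bin/sh
# Added example (not from emory-cm): confirm vars files are vault-encrypted
# before committing them or running the playbook.

# True when the file begins with the ansible-vault envelope header,
# e.g. "$ANSIBLE_VAULT;1.1;AES256".
is_vault_encrypted() {
    first_line=$(head -n 1 -- "$1" 2>/dev/null) || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when a PEM private-key header is readable in the file.
has_plaintext_key() {
    grep -Eq -e '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' -- "$1" 2>/dev/null
}

# Print one verdict per file; return 1 if any file is not safe to commit.
check_vault_files() {
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING    $f"; rc=1
        elif is_vault_encrypted "$f"; then
            echo "ENCRYPTED  $f"
        elif has_plaintext_key "$f"; then
            echo "PLAINTEXT  $f (private key readable; run ansible-vault encrypt)"
            rc=1
        else
            echo "PLAINTEXT  $f"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_vault.sh roles/emory_ssl/vars/emory_ssl.yml
if [ "$#" -gt 0 ]; then
    check_vault_files "$@"
fi
```

Run it from the repository root after the encrypt step; a non-zero exit means the file is still in the clear and should not be committed.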