Update SSL certs

Bess Sadler edited this page Apr 10, 2020 · 3 revisions

Background

The SSL certs for *-etd.library.emory.edu must be provided by Emory because they are for an emory.edu domain. We have Nagios monitoring that should give us plenty of lead time before they expire. When the SSL certs are less than a few months from expiring, ask someone at Emory to give us updated certs. These are usually provided via email, Slack, or a Freshdesk ticket.

How to update the certs

  1. Start with qa-etd.library.emory.edu. Do all the steps there to ensure everything works as expected, then go back and repeat for staging, and if all of that goes smoothly move on to production.
  2. Ensure you have an AMI snapshot of the system, so that if anything goes wrong you can restore to it and start over.
  3. Check out the emory-cm GitHub repository at https://github.com/curationexperts/emory-cm. Make sure to follow the instructions in the README there about checking it out recursively: git clone --recurse git@github.com:curationexperts/emory-cm.git
  4. Ensure you have the DCE Ansible vault password. It should go into a file called ~/.vault_pass.txt on your local system, and you should have a line like export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt in your .bashrc or .zshrc file, whichever you use to set up your UNIX environment.
  5. Now you should be able to decrypt the emory_ssl.yml file:
     cd emory-cm/roles/emory_ssl/vars
     ansible-vault decrypt emory_ssl.yml
  6. Once it is decrypted, you can edit the emory_ssl.yml file. This is where all of the actual certs are stored; the Ansible playbook decrypts them and writes them to the correct place on the system. Edit emory_ssl.yml and replace the certs in that file with the updated certs you received from Emory.
  7. Encrypt the file again: ansible-vault encrypt emory_ssl.yml
  8. Now run the playbook: ansible-playbook update_ssl.yml --extra-vars "host=qa"
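The steps above paste the new certs into emory_ssl.yml and re-encrypt the file by hand, so two mistakes are easy to make: pasting a cert that does not match its private key (or does not cover the host you are updating), and committing emory_ssl.yml while it is still plaintext. The POSIX shell functions below are an added example, not part of the emory-cm repository, that check both before you run the playbook. They assume openssl is installed and that the cert and key received from Emory have been saved to separate PEM files; the file paths, the hostname argument and the 60-day default are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the emory-cm repo). Requires openssl on PATH.

# check_cert_pair CERT KEY HOSTNAME [MIN_DAYS]
# Returns 0 when the cert and key belong together, the cert is valid for at
# least MIN_DAYS more days (default 60), and HOSTNAME is in the subjectAltName.
check_cert_pair() {
    cert="$1"; key="$2"; host="$3"; min_days="${4:-60}"

    # 1. Key must belong to the cert: compare the public keys they carry.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot read private key $key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate $cert and key $key do not match" >&2
        return 1
    fi

    # 2. Must not expire within MIN_DAYS (-checkend takes seconds).
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate $cert expires within $min_days days" >&2
        return 1
    fi

    # 3. The host being updated must appear as a DNS SAN entry.
    if ! openssl x509 -in "$cert" -noout -text | grep -qE "DNS:${host}(,|$)"; then
        echo "certificate $cert has no subjectAltName entry for $host" >&2
        return 1
    fi

    echo "$cert OK for $host: key matches, at least $min_days days left"
    return 0
}

# is_vaulted FILE
# Returns 0 when FILE starts with the ansible-vault header, i.e. it was
# re-encrypted and is safe to commit; returns 1 for a plaintext file.
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Usage (placeholder paths): run as
#   sh check_certs.sh new-cert.pem new-key.pem qa-etd.library.emory.edu
# followed by: is_vaulted roles/emory_ssl/vars/emory_ssl.yml
if [ $# -eq 3 ]; then
    check_cert_pair "$1" "$2" "$3" 60 || exit 1
fi
```

Run check_cert_pair against each host's cert before pasting it into emory_ssl.yml, and is_vaulted on the file after step 7; if is_vaulted fails, the file is still plaintext and must not be committed.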