Monitoring Cert and CA expiry on LTS1 Deployments

There are 3 categories of certificates and their CAs on a Platform9 Edge Cloud Deployment, each with different expiry times. This document covers how these CAs and certs can be monitored for expiry as well as manual steps to either regenerate the CA or ensure that the generated certs continue to be valid.

Monitoring Certs

Monitoring Hostagent CA and Certs

ssh to DU VM (192.168.120.254) from DU host.
cd /etc/pf9/certs
There can be v[1-9] directories created here as part of the upgrade process (so, cd to the latest v* dir). If you don't see a v* directory, it implies that the cert version is v0, and these certs are present in the above directory itself. Within each cert version, you should see a ca/ directory as well as a hostagent/ directory.
To check the CA expiry, go into ca/ directory and run openssl x509 -in cert.pem -noout -startdate -enddate
To check the hostagent certs expiry, go into hostagent/ directory and run openssl x509 -in cert.pem -noout -startdate -enddate

If you observe that the CA or certs are expiring, please following the manual steps mentioned in the below article to regenerate them: https://platform9.com/kb/PEC/how-to-regenerate-certs-if-hostagent-certificates-have-expired

Monitoring Sunpike CA and Certs

ssh to DU VM (192.168.120.254) and run the below steps:

Bash
    
​x
 
sudo suexport VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")export VAULT_ADDR=http://127.0.0.1:8200/usr/local/bin/vault read pki/cert/ca -format=json | jq -r '.data.certificate'| openssl x509 -noout -dates​# TTL ​/usr/local/bin/vault read pki/roles/sunpike | grep ttl
Copy

If you observe that the Sunpike CA is expiring, please follow the manual steps mentioned in the following article to regenerate it: https://platform9.com/kb/PEC/refresh-sunpike-ca

To check the sunpike-kube-apiserver certificate expiry:

Bash
    
# docker exec -it <sunpike-kube-apiserver-container-ID> sh -c "openssl s_client -connect localhost -port 6443 -showcerts 2>/dev/null </dev/null | openssl x509 -noout -dates"
Copy

Monitoring Cluster CA and Certs

ssh to DU VM (192.168.120.254) and run the below steps:

Bash
    
sudo suexport VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")export VAULT_ADDR=http://127.0.0.1:8200export PATH=$PATH:/usr/local/binsecrets_list=$(vault secrets list | awk '$2 == "pki" {print $1}' | grep "pmk-ca")echo "$secrets_list" | while read secret; do echo -n "Certificate for Cluster: "; echo -n "$secret" | awk -F 'pmk-ca-' '{print $2}'; vault read "${secret}cert/ca" -format=json | jq -r '.data.certificate'| openssl x509 -noout -dates; done​​# TTL cat /etc/pf9-vault.d/server-config.hcl | grep ttl
Copy

This outputs the date on which the CA is created and the date on which it expires, per cluster. If you observe that the certs are expiring, please follow the manual steps mentioned in the following article to regenerate it: https://platform9.com/kb/PEC/refresh-cluster-ca

Last updated on

Was this page helpful?