Monitoring Cert and CA expiry on LTS1 Deployments
There are 3 categories of certificates and their CAs on a Platform9 Edge Cloud Deployment, each with different expiry times. This document covers how these CAs and certs can be monitored for expiry as well as manual steps to either regenerate the CA or ensure that the generated certs continue to be valid.
Monitoring Certs
Monitoring Hostagent CA and Certs
- ssh to the DU VM (192.168.120.254) from the DU host and run:
cd /etc/pf9/certs
- There can be v[1-9] directories created here as part of the upgrade process, so cd to the latest v* directory. If you don't see a v* directory, the cert version is v0 and the certs are present in /etc/pf9/certs itself. Within each cert version you should see a ca/ directory as well as a hostagent/ directory.
- To check the CA expiry, go into the ca/ directory and run:
openssl x509 -in cert.pem -noout -startdate -enddate
- To check the hostagent cert expiry, go into the hostagent/ directory and run:
openssl x509 -in cert.pem -noout -startdate -enddate
If you observe that the CA or certs are expiring, please follow the manual steps in the article below to regenerate them: https://platform9.com/kb/PEC/how-to-regenerate-certs-if-hostagent-certificates-have-expired
Monitoring Sunpike CA and Certs
ssh to DU VM (192.168.120.254) and run the below steps:
sudo su
export VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")
export VAULT_ADDR=http://127.0.0.1:8200
/usr/local/bin/vault read pki/cert/ca -format=json | jq -r '.data.certificate'| openssl x509 -noout -dates
# TTL
/usr/local/bin/vault read pki/roles/sunpike | grep ttl
If you observe that the Sunpike CA is expiring, please follow the manual steps mentioned in the following article to regenerate it: https://platform9.com/kb/PEC/refresh-sunpike-ca
To check the sunpike-kube-apiserver certificate expiry, run the check inside the container so that it talks to the API server on localhost:6443 (the -showcerts output is piped through openssl x509, which parses the first certificate in the chain, i.e. the server cert):
docker exec -it <sunpike-kube-apiserver-container-ID> sh -c "openssl s_client -connect localhost:6443 -showcerts 2>/dev/null </dev/null | openssl x509 -noout -dates"
Monitoring Cluster CA and Certs
ssh to DU VM (192.168.120.254) and run the below steps:
sudo su
export VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")
export VAULT_ADDR=http://127.0.0.1:8200
export PATH=$PATH:/usr/local/bin
secrets_list=$(vault secrets list | awk '$2 == "pki" {print $1}' | grep "pmk-ca")
echo "$secrets_list" | while read -r secret; do
  echo -n "Certificate for Cluster: "
  echo "$secret" | awk -F 'pmk-ca-' '{print $2}'
  vault read "${secret}cert/ca" -format=json | jq -r '.data.certificate' | openssl x509 -noout -dates
done
# TTL
cat /etc/pf9-vault.d/server-config.hcl | grep ttl
This outputs, per cluster, the date on which the CA was created and the date on which it expires. If you observe that a cluster CA is expiring, please follow the manual steps in the following article to regenerate it: https://platform9.com/kb/PEC/refresh-cluster-ca
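The commands in the three sections above print raw notBefore/notAfter dates and leave the "is this expiring soon?" judgement to the operator. The following shell functions are an added example (not part of this KB article or of Platform9's tooling) that turns those checks into a threshold-based report: check_hostagent_certs walks /etc/pf9/certs, picks the newest vN directory (or falls back to the v0 layout) and checks ca/cert.pem and hostagent/cert.pem, while check_ca_pem applies the same threshold to any CA PEM piped to it, which covers the Sunpike CA and the per-cluster pmk-ca-* CAs pulled out of Vault. The 30-day threshold and the /etc/pf9/certs base path are assumptions chosen for the example, not Platform9 defaults.

```shell
#!/bin/sh
# Added example, not Platform9 code. Threshold-based expiry check for
# (a) the hostagent CA/cert files under /etc/pf9/certs and
# (b) any CA PEM read from stdin (Sunpike CA, pmk-ca-* cluster CAs from Vault).
# Usage (after sourcing this file):
#   check_hostagent_certs /etc/pf9/certs 30
#   vault read pki/cert/ca -format=json | jq -r '.data.certificate' | check_ca_pem sunpike 30
# The threshold (days) and base directory are assumed values, not product defaults.

# days_until_expiry FILE -> print whole days until the cert's notAfter (negative once expired).
# FILE may be "-" to read the PEM from stdin (openssl x509 reads stdin when -in is omitted).
days_until_expiry() {
    if [ "$1" = "-" ]; then
        not_after=$(openssl x509 -noout -enddate)
    else
        not_after=$(openssl x509 -in "$1" -noout -enddate)
    fi
    not_after=${not_after#notAfter=}
    # GNU date first; fall back to BSD/macOS date syntax for the same "Mon DD HH:MM:SS YYYY GMT" form.
    end_epoch=$(date -u -d "$not_after" +%s 2>/dev/null \
        || date -u -j -f '%b %e %H:%M:%S %Y %Z' "$not_after" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# latest_cert_dir BASE -> print the highest-numbered BASE/vN directory, or BASE itself (v0 layout).
# Sorting is numeric on the suffix so that v10 ranks above v2.
latest_cert_dir() {
    newest=$(ls "$1" 2>/dev/null | grep '^v[0-9][0-9]*$' | sort -t v -k 2 -n | tail -n 1)
    if [ -n "$newest" ]; then
        echo "$1/$newest"
    else
        echo "$1"
    fi
}

# report_cert NAME FILE THRESHOLD -> print one status line; return 1 if the cert is within THRESHOLD days.
report_cert() {
    days=$(days_until_expiry "$2")
    if [ "$days" -le "$3" ]; then
        echo "WARN    $1 expires in $days day(s)"
        return 1
    fi
    echo "OK      $1 expires in $days day(s)"
    return 0
}

# check_hostagent_certs BASE THRESHOLD -> check ca/cert.pem and hostagent/cert.pem in the newest
# cert version under BASE; return 1 if any of them is missing or expiring.
check_hostagent_certs() {
    dir=$(latest_cert_dir "$1")
    rc=0
    for sub in ca hostagent; do
        if [ ! -f "$dir/$sub/cert.pem" ]; then
            echo "MISSING $dir/$sub/cert.pem"
            rc=1
            continue
        fi
        report_cert "$sub ($dir)" "$dir/$sub/cert.pem" "$2" || rc=1
    done
    return $rc
}

# check_ca_pem NAME THRESHOLD -> same check for a CA PEM supplied on stdin.
check_ca_pem() {
    report_cert "$1" - "$2"
}
```

The non-zero return code is what makes this usable from cron or a monitoring agent: wire `check_hostagent_certs /etc/pf9/certs 30` and the per-cluster Vault loop (piping each `vault read "${secret}cert/ca" -format=json | jq -r '.data.certificate'` into `check_ca_pem "$secret" 30`) into a job that alerts on failure, so that an expiring CA is noticed before hosts start failing TLS handshakes rather than after.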