Monitoring Cert and CA expiry on LTS1 Deployments

There are 3 categories of certificates and their CAs on a Platform9 Edge Cloud Deployment, each with different expiry times. This document covers how these CAs and certs can be monitored for expiry as well as manual steps to either regenerate the CA or ensure that the generated certs continue to be valid.

Monitoring Certs

Monitoring Hostagent CA and Certs

ssh to DU VM (192.168.120.254) from DU host.
cd /etc/pf9/certs
There can be v[1-9] directories created here as part of the upgrade process (so, cd to the latest v* dir). If you don't see a v* directory, it implies that the cert version is v0, and these certs are present in the above directory itself. Within each cert version, you should see a ca/ directory as well as a hostagent/ directory.
To check the CA expiry, go into ca/ directory and run openssl x509 -in cert.pem -noout -startdate -enddate
To check the hostagent certs expiry, go into hostagent/ directory and run openssl x509 -in cert.pem -noout -startdate -enddate

If you observe that the CA or certs are expiring, please following the manual steps mentioned in the below article to regenerate them: https://platform9.com/kb/PEC/how-to-regenerate-certs-if-hostagent-certificates-have-expired

Monitoring Sunpike CA and Certs

ssh to DU VM (192.168.120.254) and run the below steps:

sudo su
export VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")
export VAULT_ADDR=http://127.0.0.1:8200
/usr/local/bin/vault read pki/cert/ca -format=json | jq -r '.data.certificate'| openssl x509 -noout -dates

# TTL 

/usr/local/bin/vault read pki/roles/sunpike | grep ttl

If you observe that the Sunpike CA is expiring, please follow the manual steps mentioned in the following article to regenerate it: https://platform9.com/kb/PEC/refresh-sunpike-ca

To check the sunpike-kube-apiserver certificate expiry:

# docker exec -it <sunpike-kube-apiserver-container-ID> sh -c "openssl s_client -connect localhost -port 6443 -showcerts 2>/dev/null </dev/null | openssl x509 -noout -dates"

Monitoring Cluster CA and Certs

ssh to DU VM (192.168.120.254) and run the below steps:

sudo su
export VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")
export VAULT_ADDR=http://127.0.0.1:8200
export PATH=$PATH:/usr/local/bin
secrets_list=$(vault secrets list | awk '$2 == "pki" {print $1}' | grep "pmk-ca")
echo "$secrets_list" | while read secret; do echo -n "Certificate for Cluster: "; echo -n "$secret" | awk -F 'pmk-ca-' '{print $2}'; vault read "${secret}cert/ca" -format=json | jq -r '.data.certificate'| openssl x509 -noout -dates; done


# TTL 
cat /etc/pf9-vault.d/server-config.hcl | grep ttl

This outputs the date on which the CA is created and the date on which it expires, per cluster. If you observe that the certs are expiring, please follow the manual steps mentioned in the following article to regenerate it: https://platform9.com/kb/PEC/refresh-cluster-ca

PreviousCluster Upgrade Failure Due To Sunpike Services Being Down.NextHow To Use Custom Certs In The Management Plane

Last updated 3 months ago

Good morning

hashtagMonitoring Certs

hashtagMonitoring Hostagent CA and Certs

hashtagMonitoring Sunpike CA and Certs

hashtagMonitoring Cluster CA and Certs

Monitoring Certs

Monitoring Hostagent CA and Certs

Monitoring Sunpike CA and Certs

Monitoring Cluster CA and Certs