On Aug 25, Damiano Venturin wrote:
On 8/25/20 2:22 PM, Maciej Delmanowski wrote:
> > The 'pki' role configures the 'pki-realm' script to renew the
> > certificates periodically, so you don't need to do that yourself.
> I see the cron job in /etc/cron.d which runs weekly
> "/usr/local/lib/pki/pki-realm schedule"
> which is a 2500-line bash script accepting init, new-realm, schedule
> as options.
> Now how can I test that the script is working as expected (besides
> waiting 90 days)?
It's tricky. The script checks the validity of the certificate and only
requests a new one when the current one is near the end of its validity period, to
avoid hitting Let's Encrypt rate limits. However, if you got the certificate
just fine the first time, the renewal should work. If it doesn't, there will
be an error.log file present in the realm directory with details about the
issue.
You can schedule the next run from the root account by executing:
/usr/local/lib/pki/pki-realm schedule
The script will check all the realms and any ACME certs will be renewed if
they are near the end of their validity period. I suppose that if you want to
really test the mechanism, you could modify the 'pki-realm' script to check
validity and renew when there are 90+ days left, but I would do that only with
acme-staging CA to be sure.
The whole 'pki' role was designed in 2015 so it's pretty old and needs to be
refreshed at some point. The scripts could also be rewritten in Python to be
more manageable, but that's a bit more involved. I'm currently working on
rewritten 'debops' scripts, which could incorporate the support for PKI on the
Ansible Controller side; when that's done, the 'pki' role can then be
redesigned to improve the PKI management on the remote side as well. It will
take some time, hopefully in October the new scripts will be ready.
-- Maciej
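The check the thread is circling around, "is this certificate near the end of its validity period, and did the last renewal leave an error.log behind", can be done by hand against the certificate on disk. The following is an added example, not code from the pki-realm script, from DebOps, or from either poster: it assumes openssl and GNU date are installed, and the 30-day renewal window, the test subject name and the temporary certificates are placeholders constructed so the example runs offline. Point it at the realm's real certificate file and directory instead.

```shell
#!/usr/bin/env bash
# Added example (not from pki-realm or DebOps): inspect a certificate the
# way a renewal job must, and decide whether renewal is due.
# Assumes openssl and GNU date (-d) are available.
set -u

# Whole days of validity remaining for the certificate at $1 (negative if
# already expired). GNU date -d is assumed for parsing the notAfter string.
days_left() {
    local cert="$1" end_str end_epoch now_epoch
    end_str=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    end_epoch=$(date -u -d "$end_str" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Return 0 (true) if the certificate at $1 expires within $2 days, i.e. a
# renewal is due. Uses openssl's own -checkend test (exit 1 when the cert
# will expire within the window) instead of re-implementing the date math,
# so it is independent of locale and timezone.
renewal_due() {
    local cert="$1" days="$2"
    ! openssl x509 -in "$cert" -noout -checkend "$(( days * 86400 ))" >/dev/null
}

# pki-realm leaves an error.log in the realm directory when a renewal
# fails; return 0 if such a file exists and is non-empty.
realm_has_errors() {
    [ -s "$1/error.log" ]
}

# Create a self-signed test certificate at $1 valid for $2 days. This is
# constructed input so the example runs offline; in practice you would
# check the realm's issued certificate instead.
make_test_cert() {
    local out="$1" days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=pki-realm-test.example" \
        -keyout "${out%.crt}.key" -out "$out" >/dev/null 2>&1
}

# Demo: one certificate close to expiry, one freshly issued, both checked
# against a 30-day renewal window (the window is an assumption for the
# demo; use whatever threshold the deployed script applies).
WORKDIR=$(mktemp -d)
SHORT_CERT="$WORKDIR/short.crt"
LONG_CERT="$WORKDIR/long.crt"
make_test_cert "$SHORT_CERT" 10
make_test_cert "$LONG_CERT" 200

for cert in "$SHORT_CERT" "$LONG_CERT"; do
    if renewal_due "$cert" 30; then
        echo "$cert: $(days_left "$cert") days left, renewal due"
    else
        echo "$cert: $(days_left "$cert") days left, nothing to do"
    fi
done
realm_has_errors "$WORKDIR" && echo "error.log present in $WORKDIR"
```

Run against a real realm, the useful pattern is `renewal_due /path/to/realm.crt 30 && echo due` the day before the weekly cron slot, followed by `realm_has_errors /path/to/realm` the day after: the first tells you whether the scheduled run should have requested anything, the second whether that request failed.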