update knowledgebase

49b7a0ff · Adi Amir · 92eb52dc · 49b7a0ff
Commit 49b7a0ff authored Jun 19, 2019 by Adi Amir
Showing with 55 additions and 21 deletions
common/docs/knowledgeBase/certificate-maintenance.txt
--- a/common/docs/knowledgeBase/certificate-maintenance.txt
+++ b/common/docs/knowledgeBase/certificate-maintenance.txt
-NOTES:
+OBJECTIVE:
 -  The handling certificate renewal mechansim has changed!
-Now, the domains (1.80 and safeyme.com) generates there own certificates using the
-linuxserver/letsencrypt image.
-currently, the mcx-front-emd.yml runs the "letsencrypt"
-which runs the linuxserver/letsencrypt image.
+Now, the domains: ipgallery-mcz.com(1.80) and safeyme.com generates there own certificates using the
+letsencrypt image (in letsencrypt.yml).

-  certificates are generated into /opt/mcz/config-letsencrypt/keys/letsencrypt

-  nginx configuration file on domain machine:
-/opt/mcz/config-letsencrypt/nginx/site-confs/default
+==========================================================================================
+To re-generate a new valid certficate on one of the domains(safeyme.com/ipgallery-mcz.com)
+==========================================================================================

- subdomain machines (such as 72 or 244) runs now an nginx image as "front-end"
-config file: default.conf is located at: opt/mcx/config/front-end
+1. login
+> ssh root@ipgallery-mcz.com

-  certificate location in nginx default file:
-ssl_certificate /config/keys/letsencrypt/fullchain.pem;
-ssl_certificate_key /config/letsencrypt//keys/privkey.pem;
+2. backup the current certtficate
+>cd /opt/mcz
+>tar czvf config-letsencrypt-20190616.tar.gz config-letsencrypt
+
+3. stop the frontend
+>dc -f mcx-frontend.yml stop
+
+4. generate a new certifcate - run the docker:  letsencrypt
+>dc -f letsencrypt.yml up
+Ctrl+C too stop !
+
+5. restart the system
+>./sys-down
+>./sys-up
+
+6. browse to: https://ipgallery-mcz.com/control/app/main/control.html
+and verify that the sites is loaded without any certificate issue.
+
+NOTES:
+- Each renewal is valid for 3 months !!!
+- Certificates are generated into /opt/mcz/config-letsencrypt/keys/letsencrypt
+-  nginx configuration file on domain machine: /opt/mcz/config-letsencrypt/nginx/site-confs/default

-  install a certifcate on a sub-domain:
-   1. copy a valid crtificate directory as tar from 1.80 like:
-   example: scp root@172.16.1.80:/opt/mcz/config-letsencrypt.1803.tar.gz root@172.16.1.72/opt/mcz/
-   2. stop front-end
-   3. cd /opt/mcz
-   4. mv config-letsencrypt config-letsencrypt_last
-   5. tar xvf config-letsencrypt.1803.tar.gz
+=================================================================
+To update certifcate on one of the subdomain machines (72 or 244)
+=================================================================
+
+1. make a tar from a valid config-letsencrypt directory in 1.80: config-letsencrypt.valid-20190616.tar.gz
+
+1. copy a valid crtificate directory as A tar from 1.80.
+   example: scp root@172.16.1.80:/opt/mcz/config-letsencrypt.valid-20190616.tar.gz root@172.16.1.72/opt/mcz/
+
+2. stop front-end
+>dc -f mcx-frontend.yml stop
+
+3. open the new config-letsencrypt (copied from 1.80) under /opt/mcz
+>cd /opt/mcz
+>mv config-letsencrypt config-letsencrypt_last
+>tar xvf config-letsencrypt.1803.tar.gz


 -  nginx error logs
   tailf /tmp/log/error.log
   nginx access logs
   tailf /tmp/log/access.log
+https
+
+NOTES:
+- subdomain machines (such as 72 or 244) runs now an nginx image as "front-end"
+config file: default.conf is located at: opt/mcx/config/front-end

+-  certificate location in nginx default file:
+ssl_certificate /config/keys/letsencrypt/fullchain.pem;
+ssl_certificate_key /config/letsencrypt//keys/privkey.pem;

 - all sub-domain should run as front-end the nginx image:
  example of ngin configuration in tml:
-
+https
  front-end:
    image: nginx
    environment: