Commit 657a80d2 by Adi Amir

update knowledgebase

parent 7c7931e3
NOTES:
- The handling certificate renewal mechansim has changed!
Now, the domains (1.80 and safeyme.com) generates there own certificates using the
linuxserver/letsencrypt image.
currently, the mcx-front-emd.yml runs the "letsencrypt"
which runs the linuxserver/letsencrypt image.
- certificates are generated into /opt/mcz/config-letsencrypt/keys/letsencrypt
- nginx configuration file on domain machine:
/opt/mcz/config-letsencrypt/nginx/site-confs/default
- subdomain machines (such as 72 or 244) runs now an nginx image as "front-end"
config file: default.conf is located at: opt/mcx/config/front-end
- certificate location in nginx default file:
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/letsencrypt//keys/privkey.pem;
- install a certifcate on a sub-domain:
1. copy a valid crtificate directory as tar from 1.80 like:
example: scp root@172.16.1.80:/opt/mcz/config-letsencrypt.1803.tar.gz root@172.16.1.72/opt/mcz/
2. stop front-end
3. cd /opt/mcz
4. mv config-letsencrypt config-letsencrypt_last
5. tar xvf config-letsencrypt.1803.tar.gz
- nginx error logs
tailf /tmp/log/error.log
nginx access logs
tailf /tmp/log/access.log
- all sub-domain should run as front-end the nginx image:
example of ngin configuration in tml:
front-end:
image: nginx
environment:
OTP_SERVER: "ipgallery-mcz.com:8099"
KIBANA_SERVER: "elk:5601"
CAMERA_STREAM: "62.90.201.74:9081"
CAMERA_API: "62.90.201.74:9090"
PUBLIC_SAFETY_CAMERA: "24.172.188.211:16000"
TRANSPORTATION_SERVER: "transportation:50035"
PARKING_SERVER: "parking:50055"
PUBLIC_SAFETY_PORT_50005_TCP_ADDR: "public-safety"
PUBLIC_SAFETY_PORT_50005_TCP_PORT: "50005"
UI_API_PORT_8080_TCP_ADDR: "ui-api"
PUBLIC_SAFETY_IC_PORT_50004_TCP_ADDR: "public-safety-ic"
SRG_PORT_7681_TCP_ADDR: "srg"
SRG_PORT_7681_TCP_PORT: "7681"
ports:
- "443:443"
volumes:
- "/opt/mcz/config-letsencrypt/:/config"
- "/opt/mcx/config/front-end:/etc/nginx/conf.d"
- "/tmp/log:/var/log/nginx"
networks:
- backend
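Review bot: the nginx key path given in this hunk, `ssl_certificate_key /config/letsencrypt//keys/privkey.pem;`, does not match where the same notes say certificates are generated (`/opt/mcz/config-letsencrypt/keys/letsencrypt`, mounted as `/config` by the `/opt/mcz/config-letsencrypt/:/config` volume) nor the `fullchain.pem` line directly above it; nginx will fail to load the key at startup. It should read `ssl_certificate_key /config/keys/letsencrypt/privkey.pem;`. Smaller points in the same hunk: the scp example is missing the colon before the destination path (`root@172.16.1.72:/opt/mcz/`); the front-end config directory is written both as `opt/mcx/config/front-end` (no leading slash) and `/opt/mcx/config/front-end` while every other path uses `/opt/mcz`, so one of the two spellings is presumably a typo; the sub-domain install procedure stops `front-end` in step 2 but never starts it again after the tar is extracted; and `tailf` is deprecated and removed from recent util-linux, so `tail -f` is the portable form. Since the tarball copied between hosts contains the private key, the procedure should also say to remove it from `/opt/mcz` once extracted.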
...@@ -6,13 +6,13 @@ provide procedures to backup ipgallery dev environments. ...@@ -6,13 +6,13 @@ provide procedures to backup ipgallery dev environments.
A. To copy dev materials rom different server(gitlab,jenkins,archiva) to file server A. To copy dev materials from different server(gitlab,jenkins,archiva) to file server
==================================================================================== ====================================================================================
1. enter host 1.30 (u:root, p:giptmgr) 1. enter host 1.30 (u:root, p:giptmgr)
2. goto /root/backup/ 2. goto /root/backup/
3. run run_backup.sh 3. run run_backup.sh
this will copy all backup files from different server to file server (1.111). this will copy all backup files from different server to file server (1.111).
A. To refresh certificate of archiva
C. To create gitlab backup file C. To create gitlab backup file
=============================== ===============================
1. enter municipalitybank.com 1. enter municipalitybank.com
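Review bot: the new line `A. To refresh certificate of archiva` reuses the section letter `A` already taken by `A. To copy dev materials ...` in this same hunk, and the file also has sections `B` and `C`, so it should get a free letter and the `====` underline the other headings use; as added it is a bare heading with no steps, so it should at least point to `renew-certificate-for-archiva.txt`, which this commit adds. The `rom` -> `from` fix is fine. Separately, `enter host 1.30 (u:root, p:giptmgr)` keeps a root password in the knowledge base; the step would be safer referring to wherever credentials are actually kept rather than restating them.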
...@@ -26,7 +26,7 @@ B. To copy backup metrials from file server to external disk ...@@ -26,7 +26,7 @@ B. To copy backup metrials from file server to external disk
1. connect your external disk to your laptop 1. connect your external disk to your laptop
1. open fileZila and connect to file server 172.16.1.111 2. open fileZila and connect to file server 172.16.1.111
- open fileZila - open fileZila
- connect with the following credentials - connect with the following credentials
host: 172.16.1.111 host: 172.16.1.111
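Review bot: renumbering `1. open fileZila ...` to `2.` is correct and restores the sequence after `1. connect your external disk to your laptop`; while touching this block, `fileZila` should be `FileZilla` and `metrials` in the section heading should be `materials`.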
renew-certificate-for-archiva.txt
objective
=========
in case the archiva's cerificate expires, you need to restart the stunnel-archiva docker
in order to read the updated certficate. since it doesn't happens automaticall.
both gitlab & archive uses the same certificate.
A. To restart stunnel-archiva
-----------------------------
1. verify that yiou have a valid certifcate by going into:
url: https://municipalitybank.com/
if no ssl issue occurs, the certifcate is valid.
if not valid, perform the section [B. To renew certiftcate]
2. login into municipalitybank.com
> ssh root@municipalitybank.com
passwd: giptmgrr
3. goto /mnt/volume-nyc1-01
> cd /mnt/volume-nyc1-01
4. restart the stunnel-archiva docker
> dc -f develop.yml stop stunnel-archiva
> dc -f develop.yml rm -f stunnel-archiva
> dc -f develop.yml up -d stunnel-archiva
5. check that you enter the archiva with no SSL issues.
url: https://municipalitybank.com:8081
done!
B. To renew gitlab & archive certifates
---------------------------------------
both components uses the same certificate located at:
/mnt/volume-nyc1-01/gitlab/letsencrypt/live/municipalitybank.com
1. login into municipalitybank.com
> ssh root@municipalitybank.com
passwd: giptmgrr
2. to renew the certificate run the following:
>/usr/bin/certbot renew --quiet --renew-hook "docker exec volumenyc101_gitlab_1 /usr/bin/gitlab-ctl restart nginx"
this also restarts the gitlab docker in order to refresh its certifate
you need to restart manually the stunnel-archiva as detailed in section A.
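Review bot: step 1 of section A checks `https://municipalitybank.com/`, but that is the certificate served by GitLab; the file itself explains that stunnel-archiva keeps serving the old certificate until it is restarted, so the check that tells whether archiva needs attention is the one in step 5, `https://municipalitybank.com:8081`. Rephrase step 1 so it is clear which endpoint validates which component. In section B the `--renew-hook` only runs `gitlab-ctl restart nginx` and the text then relies on someone remembering to do section A by hand; the hook (or a `--deploy-hook`, which is certbot's current name for it) could also recreate `stunnel-archiva` with the three `dc -f develop.yml ...` commands from section A, so a renewal never leaves archiva on an expired certificate. Also `dc` is not defined anywhere in the file (presumably a docker-compose alias) and `passwd: giptmgrr` stores the root password in the repository.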