update knowledgebase

common/docs/knowledgeBase/certificate-maintenance.txt

+NOTES:
+-  The handling certificate renewal mechansim has changed!
+Now, the domains (1.80 and safeyme.com) generates there own certificates using the
+linuxserver/letsencrypt image.
+currently, the mcx-front-emd.yml runs the "letsencrypt"
+which runs the linuxserver/letsencrypt image.
+
+-  certificates are generated into /opt/mcz/config-letsencrypt/keys/letsencrypt
+
+-  nginx configuration file on domain machine:
+/opt/mcz/config-letsencrypt/nginx/site-confs/default
+
+- subdomain machines (such as 72 or 244) runs now an nginx image as "front-end"
+config file: default.conf is located at: opt/mcx/config/front-end
+
+-  certificate location in nginx default file:
+ssl_certificate /config/keys/letsencrypt/fullchain.pem;
+ssl_certificate_key /config/letsencrypt//keys/privkey.pem;
+
+-  install a certifcate on a sub-domain:
+   1. copy a valid crtificate directory as tar from 1.80 like:
+   example: scp root@172.16.1.80:/opt/mcz/config-letsencrypt.1803.tar.gz root@172.16.1.72/opt/mcz/
+   2. stop front-end
+   3. cd /opt/mcz
+   4. mv config-letsencrypt config-letsencrypt_last
+   5. tar xvf config-letsencrypt.1803.tar.gz
+
+
+-  nginx error logs
+   tailf /tmp/log/error.log
+   nginx access logs
+   tailf /tmp/log/access.log
+
+
+- all sub-domain should run as front-end the nginx image:
+  example of ngin configuration in tml:
+
+  front-end:
+    image: nginx
+    environment:
+      OTP_SERVER: "ipgallery-mcz.com:8099"
+      KIBANA_SERVER: "elk:5601"
+      CAMERA_STREAM: "62.90.201.74:9081"
+      CAMERA_API: "62.90.201.74:9090"
+      PUBLIC_SAFETY_CAMERA: "24.172.188.211:16000"
+      TRANSPORTATION_SERVER: "transportation:50035"
+      PARKING_SERVER: "parking:50055"
+      PUBLIC_SAFETY_PORT_50005_TCP_ADDR: "public-safety"
+      PUBLIC_SAFETY_PORT_50005_TCP_PORT: "50005"
+      UI_API_PORT_8080_TCP_ADDR: "ui-api"
+      PUBLIC_SAFETY_IC_PORT_50004_TCP_ADDR: "public-safety-ic"
+      SRG_PORT_7681_TCP_ADDR: "srg"
+      SRG_PORT_7681_TCP_PORT: "7681"
+    ports:
+      - "443:443"
+    volumes:
+      - "/opt/mcz/config-letsencrypt/:/config"
+      - "/opt/mcx/config/front-end:/etc/nginx/conf.d"
+      - "/tmp/log:/var/log/nginx"
+    networks:
+      - backend

common/docs/knowledgeBase/ipg-howto-backup-ipg-development.txt

@@ -6,13 +6,13 @@ provide procedures to backup ipgallery dev environments.
 
 
 
 
 
 
-A. To copy dev materials rom different server(gitlab,jenkins,archiva) to file server
+A. To copy dev materials from different server(gitlab,jenkins,archiva) to file server
 ====================================================================================
 ====================================================================================
 1. enter host 1.30 (u:root, p:giptmgr)
 1. enter host 1.30 (u:root, p:giptmgr)
 2. goto /root/backup/
 2. goto /root/backup/
 3. run run_backup.sh
 3. run run_backup.sh
 this will copy all backup files from different server to file server (1.111).
 this will copy all backup files from different server to file server (1.111).
-
+A. To refresh certificate of archiva
 C. To create gitlab backup file
 C. To create gitlab backup file
 ===============================
 ===============================
 1. enter municipalitybank.com
 1. enter municipalitybank.com
@@ -26,7 +26,7 @@ B. To copy backup metrials from file server to external disk
 
 
 1. connect your external disk to your laptop
 1. connect your external disk to your laptop
 
 
-1. open fileZila and connect to file server 172.16.1.111
+2. open fileZila and connect to file server 172.16.1.111
   - open fileZila
   - open fileZila
   - connect with the following credentials
   - connect with the following credentials
     host: 172.16.1.111
     host: 172.16.1.111

common/docs/knowledgeBase/renew-certificate-for-archiva.txt

+renew-certificate-for-archiva.txt
+
+objective
+=========
+in case the archiva's cerificate expires, you need to restart the stunnel-archiva docker
+in order to read the updated certficate. since it doesn't happens automaticall.
+both gitlab & archive uses the same certificate.
+
+A. To restart stunnel-archiva
+-----------------------------
+1. verify that yiou have a valid certifcate by going into:
+url: https://municipalitybank.com/
+
+if no ssl issue occurs, the certifcate is valid.
+if not valid, perform the section [B. To renew certiftcate]
+
+
+2. login into municipalitybank.com
+> ssh root@municipalitybank.com
+passwd: giptmgrr
+
+3. goto /mnt/volume-nyc1-01
+> cd /mnt/volume-nyc1-01
+
+4. restart the stunnel-archiva docker
+> dc -f develop.yml stop stunnel-archiva
+> dc -f develop.yml rm -f stunnel-archiva
+> dc -f develop.yml up -d stunnel-archiva
+
+
+5. check that you enter the archiva with no SSL issues.
+url: https://municipalitybank.com:8081
+
+done!
+
+B. To renew gitlab & archive certifates
+---------------------------------------
+both components uses the same certificate located at:
+/mnt/volume-nyc1-01/gitlab/letsencrypt/live/municipalitybank.com
+
+
+1. login into municipalitybank.com
+> ssh root@municipalitybank.com
+passwd: giptmgrr
+
+2. to renew the certificate run the following:
+>/usr/bin/certbot renew --quiet --renew-hook "docker exec volumenyc101_gitlab_1 /usr/bin/gitlab-ctl restart nginx"
+
+this also restarts the gitlab docker in order to refresh its certifate
+you need to restart manually the stunnel-archiva as detailed in section A.
+
+
+
+
+
+
+
+