When the Apache servers need their SSL certificates renewed, please just follow this guide and it should be nice and easy (easier ….)
📘 Instructions
On an Ubuntu Linux machine (prod, stage, blue, green, Jenkins, personal PC etc.):

1. Run the Ansible playbook “ssl-cert-generation-part-1.yml” from the ansible/tasks directory of the TIS-DEVOPS repo. This creates a folder called /tmp/certs containing a new private key and a certificate signing request (CSR).
2. Open the CSR with a text editor and copy the whole contents of the file.
3. Go to the SSL provider's control panel (currently Namecheap) and start the activation process by pasting the CSR into the relevant text box.
4. You will probably have to add a DNS record to the tis.nhs.uk zone in Route53 on AWS to prove that we are allowed to issue certs for this domain.
5. Once the cert has been authorised and you are able to download it, place the zip file in the same directory the CSR was created in (/tmp/certs).
6. Run the Ansible playbook “ssl-cert-generation-part-2.yml” from the ansible/tasks directory of the TIS-DEVOPS repo. This extracts all the certs from the zip file, converts the format of one of them, renames them to the names Apache currently uses, and tidies up the directory so that only three files are left: fullchain.pem, privkey.pem and STAR_tis_nhs_uk.crt.
7. Add these three files to the TIS-DEVOPS git repo under TIS-DEVOPS/ansible/files/ssl.
8. Encrypt the certs with the following command:
   ansible-vault encrypt fullchain.pem privkey.pem STAR_tis_nhs_uk.crt
   Once encrypted, each file will start with a header like this:
   $ANSIBLE_VAULT;1.1;AES256
   3738653439633763666…
   Only once they are encrypted, push the changes to a new branch and get them merged into the master branch.
9. You can now replace the existing certs by running the ssl-replace.yml playbook from the ansible/tasks directory with the following command:
   ansible-playbook -i ../inventory/stage ssl-replace.yml
   Add the --check flag to see what would change without actually changing anything before running the command for real.
10. Toggle which hosts: line is commented out in ssl-replace.yml to switch between the apps servers blue,green (run with the stage, prod and nimdta inventories) and the jenkins,monserver hosts (which need the build inventory specified).
Any time you run an Ansible playbook you can add the --check flag, but be warned: if a later task needs something that has not been created yet (a file or folder, for example), the job will crash because it cannot test it. Then it's just time for a leap of faith.
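A small guard to run before the push in step 8, added here as an example and not part of the TIS-DEVOPS repo or the playbooks above: it confirms that each of the three files carries the ansible-vault header, so a plaintext privkey.pem cannot slip into git, and optionally (needs openssl, run on the plaintext files in /tmp/certs before encrypting) confirms that the private key really belongs to the certificate. The script name and the directory argument are assumptions; the file names come from the guide.

```shell
#!/bin/sh
# Pre-push check for the renewed Apache certs (added example, not TIS-DEVOPS code).
# Assumes the three files the part-2 playbook leaves behind and that they are
# committed under TIS-DEVOPS/ansible/files/ssl as the guide says.

# Exit 0 if the file starts with an ansible-vault header (i.e. it is encrypted),
# 1 if it holds anything else (most likely plaintext PEM), 2 if it does not exist.
vault_encrypted() {
    f="$1"
    [ -f "$f" ] || return 2
    first_line=$(head -n 1 "$f")
    case "$first_line" in
        '$ANSIBLE_VAULT;1.'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check all three files in the given directory. Prints one line per file and
# returns 1 if any file is missing or unencrypted, so it can gate a git push.
check_ssl_dir() {
    dir="$1"
    rc=0
    for name in fullchain.pem privkey.pem STAR_tis_nhs_uk.crt; do
        if vault_encrypted "$dir/$name"; then
            echo "ok    $name is vault-encrypted"
        elif [ -f "$dir/$name" ]; then
            echo "FAIL  $name is NOT vault-encrypted - run: ansible-vault encrypt $name"
            rc=1
        else
            echo "FAIL  $name is missing from $dir"
            rc=1
        fi
    done
    return "$rc"
}

# Optional, for the plaintext files in /tmp/certs BEFORE encryption: the public
# key derived from the private key must equal the one inside the certificate.
# Needs openssl; returns 1 if either file cannot be parsed or the keys differ.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Usage (directory is an assumption): sh check_ssl.sh TIS-DEVOPS/ansible/files/ssl
if [ "$#" -gt 0 ]; then
    check_ssl_dir "$1"
fi
```

If check_ssl_dir reports a FAIL, encrypt the offending file with ansible-vault (step 8) and re-run the check before pushing the branch.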