... | ... | @@ -727,8 +727,8 @@ run Puppet on the Puppet server. This is documented in the |
### Server certificate renewal
The LDAP server uses a self-signed CA certificate to establish TLS connections
with its clients, both on port 389 (via STARTTLS) and port 636.
The LDAP server uses a self-signed CA certificate that clients use to
verify TLS connections, both on port 389 (via STARTTLS) and port 636.
When the `db.torproject.org.pem` certificate nears its expiration date, Nagios
will spawn warnings like this on all nodes:
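Review bot: the rewritten sentence still leaves it unclear whether `db.torproject.org.pem` is a CA that signs a separate server certificate or the self-signed certificate the LDAP server itself presents and that clients are configured to trust; the renewal steps in the following hunks regenerate and redistribute that single file, so name it here explicitly as the trust anchor the clients pin, and state that a renewal therefore has to reach every client before the old file expires, otherwise those clients will reject connections on both 389 (STARTTLS) and 636.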
... | ... | @@ -751,9 +751,9 @@ Then the new certificate can be generated using `certtool`: |
--outfile db.torproject.org.pem \
--template db.torproject.org.cfg
cat db.torproject.org.pem
Copy the contents of the certificate on your machine:
Copy the contents of the certificate on your machine.
cat db.torproject.org.pem
To bootstrap the new certificate, follow these steps first on `alberti`:
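Review bot: moving `cat db.torproject.org.pem` after the "Copy the contents of the certificate" sentence fixes the step order, but "on your machine" is ambiguous about direction; say that the `cat` output is what gets pasted into `/etc/ssl/certs/db.torproject.org.pem` on the other hosts, and that only the certificate block is copied, never the private key `certtool` was given, which stays on the LDAP server. A check of the generated file's validity dates before copying (for example `certtool -i --infile db.torproject.org.pem`) would catch a stale template or a wrong expiry before the certificate is pushed to every node.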
... | ... | @@ -771,7 +771,11 @@ manually on `pauli` (the Puppet server): |
puppet agent --disable "updating LDAP certificate"
# replace the old certificate manually
nano /etc/ssl/certs/db.torproject.org.pem
cat > /etc/ssl/certs/db.torproject.org.pem <<EOF
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
EOF
# fully restart Puppet
systemctl stop apache2
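Review bot: replacing the `nano` step with `cat > /etc/ssl/certs/db.torproject.org.pem <<EOF` truncates the live certificate file before the new contents arrive, so a paste error leaves `pauli` with a broken trust anchor while the Puppet agent is disabled; write the heredoc to a temporary file, keep a copy of the old certificate, confirm the new file parses (`certtool -i --infile` on it) and only then move it into place. The `# fully restart Puppet` comment followed by `systemctl stop apache2` also does not explain the connection between the two; a word on why Apache is what gets stopped would help a reader who only knows `pauli` as the Puppet server.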
... | ... | |