@@ -725,6 +725,62 @@ operator to first create a `host` snippet on the LDAP server, and then
run Puppet on the Puppet server. This is documented in the
[installation notes](new-machine).

### Server certificate renewal

The LDAP server uses a self-signed CA certificate to establish TLS connections
with its clients, both on port 389 (via STARTTLS) and port 636.

When the `db.torproject.org.pem` certificate nears its expiration date, Nagios
will spawn warnings like this on all nodes:

SSL cert - db.torproject.org is WARNING: Certificate will expire

To renew this certificate, log on to `alberti.torproject.org` and create a text
file named `db.torproject.org.cfg` with this content:

ca
signing_key
encryption_key
expiration_days = 730
cn = db.torproject.org

Then the new certificate can be generated using `certtool`:

certtool --generate-self-signed --load-privkey /etc/ldap/db.torproject.org.key --outfile db.torproject.org.pem
cat db.torproject.org.pem

Copy the contents of the certificate on your machine.

To bootstrap the new certificate, follow these steps first on `alberti`:

puppet agent --disable "updating LDAP certificate"
cp db.torproject.org.pem /etc/ssl/certs/db.torproject.org.pem
systemctl restart slapd.service

You can then verify OpenLDAP is working correctly by running:

ldapsearch -n -v -ZZ -x -H ldap://db.torproject.org

If it works, the process can be continued by deploying the certificate
manually on `pauli` (the Puppet server):

puppet agent --disable "updating LDAP certificate"

# replace the old certificate manually
nano /etc/ssl/certs/db.torproject.org.pem # replace with the new cert

# fully restart Puppet
systemctl stop apache2
systemctl start apache2

At this point, the new certificate can be replaced on the `tor-puppet`
repository, in `modules/ldap_client_config/files/db.torproject.org.pem`.

Lastly, run `puppet agent --enable` on `alberti` and `pauli` and trigger a
Puppet run on all nodes:

cumin -b 5 '*' 'paoc'

## Disaster recovery

The LDAP server is mostly built by hand and should therefore be
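Review bot: the `certtool --generate-self-signed` command in this hunk never references the `db.torproject.org.cfg` template created just above it, so `certtool` will not pick up the `ca`, `signing_key`, `encryption_key`, `expiration_days = 730` and `cn` settings and will instead prompt for them interactively; add `--template db.torproject.org.cfg` to that line, e.g. `certtool --generate-self-signed --load-privkey /etc/ldap/db.torproject.org.key --template db.torproject.org.cfg --outfile db.torproject.org.pem`. It would also help to document a check of the generated file before the `cat` and copy step (`certtool -i --infile db.torproject.org.pem` prints the CN, key usage and `Not After` date), since the same PEM is then hand-copied onto `alberti`, `pauli` and the `tor-puppet` repository and a wrong certificate is only noticed when `ldapsearch -ZZ` fails on every node after the `cumin` run.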