@rjhowe
Last active February 21, 2017 19:52

On the first master (the master that has the directory /etc/etcd/ca):

  1. Back up the certs

  2. Create new CA from existing openssl.cnf

# cd /etc/etcd/
# export etcd_openssl_conf=/etc/etcd/ca/openssl.cnf
# sed -i 's/365/1825/' $etcd_openssl_conf
# openssl req -config ${etcd_openssl_conf} -newkey rsa:4096 \
    -keyout new-ca.key -new -out new-ca.crt \
    -x509 -extensions etcd_v3_ca_self -batch -nodes \
    -days 1825
  3. Create certs for each etcd host. In this example I will create certs for a host named etcd-1.openshift.com
# export NEW_ETCD="etcd-1.openshift.com"

# host $NEW_ETCD
etcd-1.openshift.com has address 192.168.0.15

# export CN=$NEW_ETCD
# export SAN="IP:192.168.0.15"
# export PREFIX="./generated_certs/etcd-$CN/"
# mkdir -p ${PREFIX}   # openssl req will not create the output directory
  • Server Certs
# openssl req -new -keyout ${PREFIX}server.key \
-config ca/openssl.cnf \
-out ${PREFIX}new-server.csr \
-reqexts etcd_v3_req -batch -nodes \
-subj /CN=$CN

# signs with the CA cert/key that the etcd_ca section of openssl.cnf points to
# openssl ca -name etcd_ca -config ca/openssl.cnf \
-out ${PREFIX}new-server.crt \
-in ${PREFIX}new-server.csr \
-extensions etcd_v3_ca_server -batch
  • Peer Certs
# openssl req -new -keyout ${PREFIX}peer.key \
-config ca/openssl.cnf \
-out ${PREFIX}new-peer.csr \
-reqexts etcd_v3_req -batch -nodes \
-subj /CN=$CN

# openssl ca -name etcd_ca -config ca/openssl.cnf \
-out ${PREFIX}new-peer.crt \
-in ${PREFIX}new-peer.csr \
-extensions etcd_v3_ca_peer -batch
  4. Copy certs over to the etcd host
# cp ca.crt ${PREFIX}
# cp etcd.conf ${PREFIX}
# tar -czvf ${PREFIX}${CN}.tgz -C ${PREFIX} .
# scp ${PREFIX}${CN}.tgz  $CN:/etc/etcd/
# ssh $CN
# cd /etc/etcd/
# tar -xf <FILE>.tgz
  5. Create master client etcd certs https://github.com/openshift/openshift-ansible/blob/master/roles/etcd_client_certificates/tasks/main.yml
The master client certs that need to be replaced in /etc/origin/master/ on each master are:
  ca: master.etcd-ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key


# cp /etc/etcd/new-ca.crt /etc/origin/master/master.etcd-ca.crt
# export etcd_openssl_conf=/etc/etcd/ca/openssl.cnf

# {{ etcd_hostname }} and {{ etcd_ca_name }} are the Ansible variables used by the
# linked etcd_client_certificates role; substitute the master's hostname and the
# CA section name (etcd_ca in the steps above)
# openssl req -new -keyout master.etcd-client.key \
    -config ${etcd_openssl_conf} \
    -out master.etcd-client.csr \
    -reqexts etcd_v3_req -batch -nodes \
    -subj /CN={{ etcd_hostname }}

# openssl ca -name {{ etcd_ca_name }} -config ${etcd_openssl_conf} \
    -out master.etcd-client.crt \
    -in master.etcd-client.csr \
    -batch

Then we would need to copy these over to the masters, replacing master.etcd-ca.crt, master.etcd-client.crt and master.etcd-client.key in /etc/origin/master/ on each master.
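Before the new server, peer or master client certs are shipped to a host, it is worth checking that each one actually chains to the new CA, matches its private key, carries the expected SAN and will not expire early. The script below is an added example, not part of this gist or of openshift-ansible; it builds a throwaway CA and server cert in a temp directory (constructed for the demo, not /etc/etcd/ca) and runs those checks against them.

```shell
#!/bin/sh
# Added example (not from the gist): sanity-check a freshly issued etcd cert
# before it is shipped to a host. File names and the demo CA are constructed.

# check_etcd_cert CA CERT KEY EXPECTED_SAN MIN_DAYS
# Succeeds only if CERT chains to CA, matches KEY, carries EXPECTED_SAN
# (as printed by openssl, e.g. "IP Address:192.168.0.15") and stays valid
# for at least MIN_DAYS more.
check_etcd_cert() {
    ca="$1"; cert="$2"; key="$3"; san="$4"; min_days="$5"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert: does not chain to $ca"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "$cert: public key does not match $key"; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -qF "$san" \
        || { echo "$cert: SAN '$san' missing"; return 1; }
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "$cert: expires within $min_days days"; return 1; }
    return 0
}

# make_demo_certs: build a throwaway CA, a second unrelated CA, and a server
# cert with SAN IP:192.168.0.15 valid for 20 days; prints the directory.
make_demo_certs() {
    d=$(mktemp -d)
    for name in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-$name" \
            -keyout "$d/$name.key" -out "$d/$name.crt" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=etcd-1.example.test \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    printf 'subjectAltName=IP:192.168.0.15\nextendedKeyUsage=serverAuth,clientAuth\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 20 -extfile "$d/ext.cnf" -out "$d/server.crt" 2>/dev/null
    echo "$d"
}

demo=$(make_demo_certs)
san="IP Address:192.168.0.15"
check_etcd_cert "$demo/ca.crt" "$demo/server.crt" "$demo/server.key" "$san" 10 \
    && echo "server.crt: OK against the new CA"
# The same cert must be rejected against an unrelated CA and a too-short horizon.
check_etcd_cert "$demo/other-ca.crt" "$demo/server.crt" "$demo/server.key" "$san" 10 \
    || echo "(expected) rejected against the other CA"
check_etcd_cert "$demo/ca.crt" "$demo/server.crt" "$demo/server.key" "$san" 25 \
    || echo "(expected) rejected: less than 25 days left"
```

For the real rotation, point CA at new-ca.crt, CERT/KEY at the files under ${PREFIX} (or master.etcd-client.*) and SAN at the IP you exported, with MIN_DAYS well below the 1825-day validity the CA was created with.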
