11 Star 42 Fork 49

EdgeGallery / docs

Create your Gitee Account
Explore and code with more than 8 million developers,Free private repositories !:)
Sign up
Clone or Download
edgegallery_certificate_update 4.91 KB
Copy Edit Web IDE Raw Blame History
Edgegallery证书更新
由于edgegallery ca证书有效期仅为365天,在环境运行365天后edgegallery 环境日志会提示‘certificate have expired’,这是edgegallery 证书过期的提示,就需要去手动更新证书。
证书更行步骤:
cd conf/keys //cd到安装包的 conf/keys
rm -rf ca.crt //删除ca.crt证书
rm -rf tls.crt //删除tls.crt证书
docker images | grep deploy-tool 检查deploy-tool镜像是否存在
export CERT_VALIDITY_IN_DAYS=365
env="-e CERT_VALIDITY_IN_DAYS=$CERT_VALIDITY_IN_DAYS"
docker run $env -v /root/eg/conf/keys/:/certs edgegallery/deploy-tool:latest //把/root/eg/conf/keys/目录替换为自己环境目录,需要是绝对路径,运行此命令生成新的证书
kubectl get secret | grep mecm-mepm-ssl-secret //检查mecm-mepm-ssl-secret是否存在
kubectl delete secret mecm-mepm-ssl-secret //删除mecm-mepm-ssl-secret
kubectl get secret | grep edgegallery-ssl-secret //检查edgegallery-ssl-secret是否存在
kubectl delete secret edgegallery-ssl-secret //删除edgegallery-ssl-secret
用更新证书重新生成 mecm-mepm-ssl-secret,注意目录切换到安装目录conf/keys下
kubectl create secret generic mecm-mepm-ssl-secret --from-file=server_tls.key=tls.key --from-file=server_tls.crt=tls.crt --from-file=ca.crt=ca.crt
用更新证书重新生成 edgegallery-ssl-secret,注意目录切换到安装目录conf/keys下
v0.9~v1.1.1 生成edgegallery-ssl-secret命令:
kubectl create secret generic edgegallery-ssl-secret --from-file=keystore.p12=keystore.p12 --from-literal=keystorePassword=te9Fmv%qaq --from-literal=keystoreType=PKCS12 --from-literal=keyAlias=edgegallery --from-file=trust.cer=ca.crt --from-file=server.cer=tls.crt --from-file=server_key.pem=encryptedtls.key --from-literal=cert_pwd=te9Fmv%qaq
v1.2 生成edgegallery-ssl-secret命令:
kubectl create secret generic edgegallery-ssl-secret \
--from-file=keystore.p12=keystore.p12 \
--from-file=keystore.jks=keystore.jks \
--from-literal=keystorePassword=te9Fmv%qaq \
--from-literal=keystoreType=PKCS12 \
--from-literal=keyAlias=edgegallery \
--from-literal=truststorePassword=te9Fmv%qaq \
--from-file=trust.cer=ca.crt \
--from-file=server.cer=tls.crt \
--from-file=server_key.pem=encryptedtls.key \
--from-literal=cert_pwd=te9Fmv%qaq
更新mep secret,以下是生成证书的步骤
mkdir /root/mep_key
cd /root/mep_key
执行以下命令生成mep证书
openssl genrsa -out ca.key 2048 2>&1 >/dev/null
openssl req -new -key ca.key -subj /C=CN/ST=Peking/L=Beijing/O=edgegallery/CN=edgegallery -out ca.csr 2>&1 >/dev/null
openssl x509 -req -days 365 -in ca.csr -extensions v3_ca -signkey ca.key -out ca.crt 2>&1 >/dev/null
openssl genrsa -out mepserver_tls.key 2048 2>&1 >/dev/null
openssl rsa -in mepserver_tls.key -aes256 -passout pass:te9Fmv%qaq -out mepserver_encryptedtls.key 2>&1 >/dev/null
echo -n te9Fmv%qaq > mepserver_cert_pwd 2>&1 >/dev/null
openssl req -new -key mepserver_tls.key -subj /C=CN/ST=Beijing/L=Beijing/O=edgegallery/CN=edgegallery -out mepserver_tls.csr 2>&1 >/dev/null
openssl x509 -req -days 365 -in mepserver_tls.csr -extensions v3_req -CA ca.crt -CAkey ca.key -CAcreateserial -out mepserver_tls.crt 2>&1 >/dev/null
openssl genrsa -out jwt_privatekey 2048 2>&1 >/dev/null
openssl rsa -in jwt_privatekey -pubout -out jwt_publickey 2>&1 >/dev/null
openssl rsa -in jwt_privatekey -aes256 -passout pass:te9Fmv%qaq -out jwt_encrypted_privatekey 2>&1 >/dev/null
kubectl get secret -n mep | grep pg-secret //检查pg-secret是否存在
kubectl delete secret -n mep pg-secret //删除pg-secret
kubectl get secret -n mep | grep mep-ssl //检查mep-ssl是否存在
kubectl delete secret -n mep mep-ssl //删除mep-ssl
kubectl get secret -n mep | grep mepauth-secret //检查mepauth-secret是否存在
kubectl delete secret -n mep mepauth-secret //删除mepauth-secret
用新证书更新pg-secret
kubectl -n mep create secret generic pg-secret --from-literal=pg_admin_pwd=admin-Pass123 --from-literal=kong_pg_pwd=kong-Pass123 --from-file=server.key=mepserver_tls.key --from-file=server.crt=mepserver_tls.crt
用新证书更新mep-ssl
kubectl -n mep create secret generic mep-ssl --from-literal=root_key="$(openssl rand -base64 256 | tr -d '\n' | tr -dc '[[:alnum:]]' | cut -c -256)" --from-literal=cert_pwd=te9Fmv%qaq --from-file=server.cer=mepserver_tls.crt --from-file=server_key.pem=mepserver_encryptedtls.key --from-file=trust.cer=ca.crt
用新证书更新mepauth-secret
kubectl -n mep create secret generic mepauth-secret --from-file=server.crt=mepserver_tls.crt --from-file=server.key=mepserver_tls.key --from-file=ca.crt=ca.crt --from-file=jwt_publickey=jwt_publickey --from-file=jwt_encrypted_privatekey=jwt_encrypted_privatekey
secret更新完成后环境就可以正常使用
1
https://gitee.com/edgegallery/docs.git
git@gitee.com:edgegallery/docs.git
edgegallery
docs
docs
master

Search