@@ -113,8 +113,8 @@ On each controller:
113113
114114with ``docker volume rm ``.
115115
116- Installing and Updating TLS Certificates
117- ----------------------------------------
116+ Installing TLS Certificates
117+ ---------------------------
118118
119119|tls_setup |
120120
@@ -127,7 +127,12 @@ file as ``secrets_kolla_external_tls_cert``. Use a command of this form:
127127 kayobe# ansible-vault edit ${KAYOBE_CONFIG_PATH}/secrets.yml --vault-password-file=|vault_password_file_path|
128128
129129
130- ``secrets_kolla_external_tls_cert ``.
130+ ``secrets_kolla_external_tls_cert ``. The certificates should be installed in
131+ this order:
132+
133+ * TLS certificate for the |project_name | OpenStack endpoint |public_endpoint_fqdn |
134+ * Any intermediate certificates
135+ * The TLS certificate private key
131136
132137In ``${KAYOBE_CONFIG_PATH}/kolla.yml ``, set the following:
133138
@@ -143,9 +148,23 @@ be updated in Keystone:
143148
144149 kayobe# kayobe overcloud service reconfigure
145150
151+
152+ -------------------------
153+
154+ Check the expiry date on an installed TLS certificate from a host that can
155+ reach the |project_name | OpenStack APIs:
156+
157+ .. code-block :: console
158+ :substitutions:
159+
160+ openstack# openssl s_client -connect |public_endpoint_fqdn|:443 2> /dev/null | openssl x509 -noout -dates
161+
162+ NOTE *: Blackbox monitoring can check certificates automatically
163+ and alert when expiry is approaching.
164+
146165To update an existing certificate, for example when it has reached expiration,
147- change the value of ``secrets_kolla_external_tls_cert `` and run the following
148- command:
166+ change the value of ``secrets_kolla_external_tls_cert ``, in the same order as
167+ above. Run the following command:
149168
150169.. code-block :: console
151170
0 commit comments