From 36a6a59d558f4164477c3a538c4d3f7084f20484 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Mon, 1 Dec 2025 11:54:10 -0500
Subject: [PATCH] renew certs 7 days before expire
---
 salt/ca/init.sls | 2 +-
 salt/kafka/ssl.sls | 8 ++++----
 salt/nginx/enabled.sls | 2 +-
 salt/ssl/init.sls | 24 ++++++++++++------------
 4 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/salt/ca/init.sls b/salt/ca/init.sls
index 895e8235a..ccbe5e39e 100644
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -40,7 +40,7 @@ pki_public_ca_crt:
 - subjectKeyIdentifier: hash
 - authorityKeyIdentifier: keyid:always, issuer
 - days_valid: 3650
- - days_remaining: 0
+ - days_remaining: 7
 - backup: True
 - replace: False
 - require:
diff --git a/salt/kafka/ssl.sls b/salt/kafka/ssl.sls
index 04b6b4ba7..77aedf9eb 100644
--- a/salt/kafka/ssl.sls
+++ b/salt/kafka/ssl.sls
@@ -44,7 +44,7 @@ kafka_client_crt:
 - signing_policy: kafka
 - private_key: /etc/pki/kafka-client.key
 - CN: {{ GLOBALS.hostname }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -92,7 +92,7 @@ kafka_crt:
 - signing_policy: kafka
 - private_key: /etc/pki/kafka.key
 - CN: {{ GLOBALS.hostname }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -153,7 +153,7 @@ kafka_logstash_crt:
 - signing_policy: kafka
 - private_key: /etc/pki/kafka-logstash.key
 - CN: {{ GLOBALS.hostname }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -198,4 +198,4 @@ kafka_logstash_pkcs12_perms:
 test.fail_without_changes:
 - name: {{sls}}_state_not_allowed
 
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls
index 4f57063c2..8af48a766 100644
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
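Review bot: In `pki_public_ca_crt` (salt/ca/init.sls) the CA certificate now gets the same 7-day renewal window as the leaf certificates, although replacing a CA reaches much further than a leaf renewal: every host that trusts a copy of the current CA certificate needs the new one before the old one expires. The state also keeps `- replace: False` two lines below the change, which may stop the managed file from being rewritten at all when renewal triggers; that interaction should be confirmed against the x509 state module in use. If renewal is meant to work here, a longer lead time for the CA only, such as `- days_remaining: 90`, would leave room to distribute it, and a comment like `# CA renewal changes the trust anchor; all nodes must receive the new CA cert` would record the intent. The rest of the state lies outside the hunk.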
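Review bot: The renewal window is written as the literal `7` in `kafka_client_crt` and again in every other certificate state this patch touches (`kafka_crt`, `kafka_logstash_crt`, `managerssl_crt` and the twelve states in salt/ssl/init.sls), so a later policy change means editing each one and risks leaving one behind. Defining the value once, for example `{% set CERT_RENEW_DAYS = 7 %}` in a shared map file and `- days_remaining: {{ CERT_RENEW_DAYS }}` in each state, would keep them in step. Renewal also happens only when the state is applied, so the real margin is seven days minus the gap between runs; a node that is offline or failing its highstate for a week still ends up with an expired certificate. The states continue outside these hunks.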
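Review bot: With renewal now active for `kafka_crt` and `kafka_logstash_crt`, anything derived from the PEM certificate has to be rebuilt whenever the certificate changes, and the last hunk header in salt/kafka/ssl.sls names `kafka_logstash_pkcs12_perms`, which suggests PKCS#12 bundles are generated from these certificates. If the conversion states are guarded by file existence (`creates` or `unless`) rather than `onchanges` on the certificate state, the keystore would keep the old certificate and the service would fail at expiry despite a fresh PEM on disk. Those conversion states are outside the hunk, so this is a check to make rather than a confirmed defect. The same question applies to the derived key and bundle files for the elasticfleet and filebeat certificates in salt/ssl/init.sls.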
@@ -64,7 +64,7 @@ managerssl_crt:
 - private_key: /etc/pki/managerssl.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}"
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 0cef8c1e3..9dfef9fc8 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -84,7 +84,7 @@ influxdb_crt:
 - private_key: /etc/pki/influxdb.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -123,7 +123,7 @@ redis_crt:
 - signing_policy: registry
 - private_key: /etc/pki/redis.key
 - CN: {{ GLOBALS.hostname }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -165,7 +165,7 @@ etc_elasticfleet_crt:
 - private_key: /etc/pki/elasticfleet-server.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -222,7 +222,7 @@ etc_elasticfleet_logstash_crt:
 - private_key: /etc/pki/elasticfleet-logstash.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
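Review bot: A renewed `managerssl_crt` only helps once nginx is serving it, and nothing in this hunk shows the web server being reloaded or its container restarted when the certificate file changes. If the nginx state does not already `watch` this state (or use `onchanges`), the new certificate will sit on disk while the running process keeps presenting the old one until it expires. The same check applies to the consumers of the certificates renewed in salt/ssl/init.sls (influxdb, redis, elasticsearch, filebeat, registry, elasticfleet). The state and its consumers lie outside the hunk, so this needs confirming there.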
@@ -283,7 +283,7 @@ etc_elasticfleetlumberjack_crt:
 - private_key: /etc/pki/elasticfleet-lumberjack.key
 - CN: {{ GLOBALS.node_ip }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -350,7 +350,7 @@ etc_elasticfleet_agent_crt:
 - signing_policy: elasticfleet
 - private_key: /etc/pki/elasticfleet-agent.key
 - CN: {{ GLOBALS.hostname }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -412,7 +412,7 @@ etc_filebeat_crt:
 - private_key: /etc/pki/filebeat.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -483,7 +483,7 @@ registry_crt:
 - signing_policy: registry
 - private_key: /etc/pki/registry.key
 - CN: {{ GLOBALS.manager }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -521,7 +521,7 @@ regkeyperms:
 - private_key: /etc/pki/elasticsearch.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -582,7 +582,7 @@ conf_filebeat_crt:
 - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -636,7 +636,7 @@ chownfilebeatp8:
 - private_key: /etc/pki/elasticsearch.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -686,7 +686,7 @@ elasticfleet_kafka_crt:
 - private_key: /etc/pki/elasticfleet-kafka.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30