Add epoxy_certs utility for certificate rotation #113
Conversation
There was a problem hiding this comment.
epoxy_certs to generate a key and certificate and then inspecting them to be sure they are what we expect, and they do appear to be.
Reviewed 3 of 3 files at r1, all commit messages.
Reviewable status:complete! 1 of 1 approvals obtained (waiting on @stephen-soltesz)
cmd/epoxy_certs/certutil.go line 1 at r1 (raw file):
// Package certutil implements utility methods for managing x509 certificates and RSA keys.
Tiny nit: this comment references package certutil, when the actual package name is main.
There was a problem hiding this comment.
Reviewable status:
cmd/epoxy_certs/certutil.go line 1 at r1 (raw file):
Previously, nkinkade wrote…
Tiny nit: this comment references package
certutil, when the actual package name ismain.
Good catch, fixed.
There was a problem hiding this comment.
Reviewable status: 1 change requests, 0 of 1 approvals obtained (waiting on @stephen-soltesz)
cmd/epoxy_certs/README.md line 50 at r3 (raw file):
```sh cat ca-cert.pem >> server-cert.pem
This helps, but one small addition would be helpful to mention would be that the user needs to somehow get hold of the CA root cert and private key. I was wondering how it was going to work when I first ran it, and epoxy_certs complained that it couldn't find ca-cert.pem, which is when I reached out to you for their location.
There was a problem hiding this comment.
Reviewable status: 1 change requests, 0 of 1 approvals obtained (waiting on @nkinkade)
cmd/epoxy_certs/README.md line 50 at r3 (raw file):
Previously, nkinkade wrote…
This helps, but one small addition would be helpful to mention would be that the user needs to somehow get hold of the CA root cert and private key. I was wondering how it was going to work when I first ran it, and epoxy_certs complained that it couldn't find ca-cert.pem, which is when I reached out to you for their location.
Done. PTAL?
There was a problem hiding this comment.
Reviewed 1 of 1 files at r2, 1 of 1 files at r5, all commit messages.
Reviewable status: 1 change requests, 0 of 1 approvals obtained (waiting on @stephen-soltesz)
cmd/epoxy_certs/README.md line 53 at r5 (raw file):
```sh cat ca-cert.pem >> server-cert.pem
On second though, one other small change would be for this command to instead be:
cat server-cert.pem ca-cert.pem > server-certs.pem
The file generated by epoxy_certs is server-cert.pem (singular), while the required file in the private bucket is server-certs.pem (plural).
In this vein, it might also be useful to mention here where the new files should be placed in GCS, and that a redeployment of epoxy will after that be sufficient to deploy them.
There was a problem hiding this comment.
Reviewed 1 of 1 files at r6, all commit messages.
Reviewable status:
There was a problem hiding this comment.
Reviewable status:
cmd/epoxy_certs/README.md line 53 at r5 (raw file):
Previously, nkinkade wrote…
On second though, one other small change would be for this command to instead be:
cat server-cert.pem ca-cert.pem > server-certs.pemThe file generated by epoxy_certs is server-cert.pem (singular), while the required file in the private bucket is server-certs.pem (plural).
In this vein, it might also be useful to mention here where the new files should be placed in GCS, and that a redeployment of epoxy will after that be sufficient to deploy them.
That's a very good idea!
I've also added a hint about uploading to GCS for M-Lab deployments.
This change adds a new utility for creating a private ca for the boot server and rotating the epoxy server certificates.
The logic in this PR is identical to that used to originally generate the current epoxy private ca server certificates, with minor changes for style and lint warnings. Taken directly from https://github.com/stephen-soltesz/epoxy/blob/master/src/epoxy/cmd/epoxycerts/main.go
This change is