Date
1 - 2 of 2
Can't renew bosh-director certificate
Jan-Henrik Christophersen <jan@...>
Hello all,
we failed to renew our director and mbus certificate before they expired and wanted to do that now by using the create-env command. I removed the "director_ssl" and "mbus_bootstrap_ssl" sections and used bosh int with the --vars-store flag to regenerate them. I've manually checked that the certificates are valid for another year.
To deploy this change, I ran the bosh create-env command but I am now running into this issue:
Command:
```
Output:
we failed to renew our director and mbus certificate before they expired and wanted to do that now by using the create-env command. I removed the "director_ssl" and "mbus_bootstrap_ssl" sections and used bosh int with the --vars-store flag to regenerate them. I've manually checked that the certificates are valid for another year.
To deploy this change, I ran the bosh create-env command but I am now running into this issue:
Command:
```
bosh create-env bosh-director/bosh.yml
--state=xxx/state.json
--vars-store=xxx/credentials.yml
-o bosh-director/cpi.yml
-v access_key_id=xxxxxxx
-v secret_access_key=xxxxxxx
-v director_name=bosh-director
-v director_instance_profile=xxx
-v internal_cidr=10.118.132.0/24
-v internal_dns=10.118.128.2
-v internal_gw=10.118.132.1
-v internal_ip=10.118.132.9
-v subnet_id=subnet-04a2xxx
-v region=eu-central-1
-v az=eu-central-1a
-v default_key_name=bosh
-v default_security_groups=sg-e88axxx
-v concourse_security_group=sg-679xxx
-v concourse_elb=elb
--ca-cert (interpolated ca cert) # tried with and without this parameter
--var-file private_key=xxxxxxx.pem
```
```
Output:
```
Started validating
Downloading release 'bosh'... Skipped [Found in local cache] (00:00:00)
Validating release 'bosh'... Finished (00:00:00)
Downloading release 'bosh-aws-cpi'... Skipped [Found in local cache] (00:00:00)
Validating release 'bosh-aws-cpi'... Finished (00:00:00)
Validating cpi release... Finished (00:00:00)
Validating deployment manifest... Finished (00:00:00)
Downloading stemcell... Skipped [Found in local cache] (00:00:00)
Validating stemcell... Finished (00:00:00)
Finished validating (00:00:00)
Started installing CPI
Compiling package 'ruby_aws_cpi/c6ba8a1e1b53b94ee9caf13d2d749c40cecfa038'... Finished (00:00:00)
Compiling package 'bosh_aws_cpi/137cfc70652337ff1d3fca795e6d9ddd6e7e68dd'... Finished (00:00:00)
Installing packages... Finished (00:00:01)
Rendering job templates... Finished (00:00:00)
Installing job 'aws_cpi'... Finished (00:00:00)
Finished installing CPI (00:00:02)
Starting registry... Finished (00:00:00)
Uploading stemcell 'bosh-aws-xen-hvm-ubuntu-trusty-go_agent/3421.9'... Skipped [Stemcell already uploaded] (00:00:00)
Started deploying
Waiting for the agent on VM 'i-099931a2d9xxxxx'... Failed (00:00:00)
Deleting VM 'i-099931a2d9xxxxx'... Finished (00:00:41)
Creating VM for instance 'bosh/0' from stemcell 'ami-f7349398 light'... Finished (00:00:38)
Waiting for the agent on VM 'i-07711bc8a06xxxxx' to be ready...
channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused
...
Failed (00:00:34)
Failed deploying (00:02:05)
Stopping registry... Finished (00:00:00)
Cleaning up rendered CPI jobs... Finished (00:00:00)
Deploying:
Creating instance 'bosh/0':
Waiting until instance is ready:
Post https://mbus:<redacted>@10.118.132.9:6868/agent: x509: certificate has expired or is not yet valid
```
bosh-director/bosh.yml
```
Can anyone point out what I am doing wrong here? I only have limited experience with bosh and didn't have to regenerate certificates before. The person who originally deployed this is also not around.
Thanks,
Jan
```
bosh-director/bosh.yml
```
---
name: bosh
releases:
- name: bosh
version: "262.3"
url: https://s3.amazonaws.com/bosh-compiled-release-tarballs/bosh-262.3-ubuntu-trusty-3421.9-20170706-183731-831697577-20170706183736.tgz?versionId=7GmwKfufgb5JwWhJ.cwIWLnejOtm2Hu4
sha1: 1eae3f06282417e54ebb199656458f9d6c38e2af
resource_pools:
- name: vms
network: default
env:
bosh:
password: '*'
mbus:
cert: ((mbus_bootstrap_ssl))
disk_pools:
- name: disks
disk_size: 32_768
networks:
- name: default
type: manual
subnets:
- range: ((internal_cidr))
gateway: ((internal_gw))
static: [((internal_ip))]
dns: [((internal_dns))]
instance_groups:
- name: bosh
instances: 1
jobs:
- {name: nats, release: bosh}
- {name: postgres-9.4, release: bosh}
- {name: blobstore, release: bosh}
- {name: director, release: bosh}
- {name: health_monitor, release: bosh}
resource_pool: vms
persistent_disk_pool: disks
networks:
- name: default
static_ips: [((internal_ip))]
properties:
nats:
address: 127.0.0.1
user: nats
password: ((nats_password))
postgres: &db
listen_address: 127.0.0.1
host: 127.0.0.1
user: postgres
password: ((postgres_password))
database: bosh
adapter: postgres
blobstore:
address: ((internal_ip))
port: 25250
provider: dav
director:
user: director
password: ((blobstore_director_password))
agent:
user: agent
password: ((blobstore_agent_password))
director:
address: 127.0.0.1
name: ((director_name))
db: *db
flush_arp: true
enable_post_deploy: true
generate_vm_passwords: true
enable_dedicated_status_worker: true
enable_nats_delivered_templates: true
workers: 4
events:
record_events: true
ssl:
key: ((director_ssl.private_key))
cert: ((director_ssl.certificate))
user_management:
provider: local
local:
users:
- name: admin
password: ((admin_password))
- name: hm
password: ((hm_password))
hm:
director_account:
user: hm
password: ((hm_password))
ca_cert: ((director_ssl.ca))
resurrector_enabled: true
ntp: &ntp
- time1.google.com
- time2.google.com
- time3.google.com
- time4.google.com
agent:
mbus: nats://nats:((nats_password))@((internal_ip)):4222
cloud_provider:
mbus: https://mbus:((mbus_bootstrap_password))@((internal_ip)):6868
cert: ((mbus_bootstrap_ssl))
properties:
agent: {mbus: "https://mbus:((mbus_bootstrap_password))@0.0.0.0:6868"}
blobstore: {provider: local, path: /var/vcap/micro_bosh/data/cache}
ntp: *ntp
variables:
- name: admin_password
type: password
- name: blobstore_director_password
type: password
- name: blobstore_agent_password
type: password
- name: hm_password
type: password
- name: mbus_bootstrap_password
type: password
- name: nats_password
type: password
- name: postgres_password
type: password
- name: default_ca
type: certificate
options:
is_ca: true
common_name: ca
- name: mbus_bootstrap_ssl
type: certificate
options:
ca: default_ca
common_name: ((internal_ip))
alternative_names: [((internal_ip))]
- name: director_ssl
type: certificate
options:
ca: default_ca
common_name: ((internal_ip))
alternative_names: [((internal_ip))]
```
```
Can anyone point out what I am doing wrong here? I only have limited experience with bosh and didn't have to regenerate certificates before. The person who originally deployed this is also not around.
Thanks,
Jan