How to update the renewed SSL certificates of a schema registry server at runtime? - ssl

We are running a schema registry server instance with SSL turned ON. The certificates have a defined lifetime, and we have a renewed certificate with an extended duration that we would like to apply to the running schema registry server. There seems to be no script, like the dynamic configs in Kafka, to update configs at runtime without restarting the server.
Are there any other workarounds or scripts which we are not aware of, or is restarting the server with the renewed certificates the only way to update them?

Related

How can I get Letsencrypt certificates before adding the server to production

I am trying to launch new servers automatically when needed, but I am having some difficulty getting the certificate before making the server live. What I want to do is run a setup script which gets all the packages, websites and certificates ready and after that add the server to production. However, Letsencrypt wants me to verify that the server requesting the certificate is actually the website which replies to requests. How can I get the Letsencrypt certificate before adding the server to production? I don't want requests to the real website to be routed to the new server until it is fully set up and has the certificates.
One solution I thought of is to save the certificates on an AWS S3 bucket and synchronize them whenever a renewal is needed. Then when I set up a new server I just get the latest certificate from my AWS S3 bucket and I don't have to worry about getting the certificate from the CA until after the server is added to production. But this solution doesn't seem "clean" and would require me to have an S3 bucket just for my Letsencrypt certificate, which also adds another weak point from which a certificate could be stolen.
Is there a simpler solution which I haven't thought of yet?
In a load-balanced (LB) scenario, you should consider having exactly one entity responsible for performing LE certificate acquisition. Things get complicated with multiple entities doing this asynchronously - you'd need to be able to guarantee that the ACME challenges get routed to the relevant server(s), and your LB doesn't have that information (without additional complexity).
So I'd suggest either:
Terminating HTTPS at your load-balancer. Then none of your servers need to care about HTTPS or certificates.
Having one "special" server that's responsible for interacting with LE, and then distributing the cert to the other servers. The details of how you do that are implementation-dependent, because they depend on how you're managing server/service configuration.

Removing Rogue SSL Certs on AWS

I have a client site set up on AWS with multiple servers running HTTPS behind an Elastic Load Balancer. At some point, someone from the client's team attempted to update the SSL cert by installing a new one directly on one of the servers (instead of in the ELB).
I was able to upload a new cert to the ELB, but when traffic is directed towards the server with the improperly installed cert, it triggers a security warning.
No one can seem to answer who attempted this install, how they went about it, or where they installed it.
What's the best way to go about finding and removing it?
Thanks,
ty
If it's installed on the server, it has very little to do with AWS. I see you tagged the question with apache so I assume the server is running Apache Web Server. You will have to connect into that server and remove the SSL settings from the Apache Web Server configuration, just like you would with an Apache Web Server install anywhere else.
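As an added example that is not from any of the posts on this page: a POSIX shell script that checks whether a host actually serves the certificate in a given PEM file, which covers both verifying that a renewed certificate is live after a restart (the schema registry question at the top) and finding which backend behind a load balancer presents a different certificate than the one you expect. Function names and the sample.invalid CN are assumptions; it requires openssl on the machine it runs from.

```shell
#!/bin/sh
# Added example, not the code of any project or poster on this page.
# Compares the certificate a TLS endpoint presents with a PEM file on disk,
# and checks how close the file's certificate is to expiry. Requires openssl.
set -eu

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint_file() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate served at HOST PORT [SNI].
# SNI defaults to HOST; when probing one backend by IP behind a load
# balancer, pass the public DNS name as SNI so the right virtual host answers.
served_cert_fingerprint() {
  printf '' | openssl s_client -connect "$1:$2" -servername "${3:-$1}" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit 0 when HOST PORT serves exactly the certificate in FILE, 1 otherwise.
# Usage: check_host_serves_file HOST PORT FILE [SNI]
check_host_serves_file() {
  [ "$(served_cert_fingerprint "$1" "$2" "${4:-$1}")" = "$(cert_fingerprint_file "$3")" ]
}

# Exit 0 when the certificate in FILE expires within DAYS days (renew soon),
# 1 when it is still good beyond that window. Uses openssl's own -checkend.
cert_expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample input: a throwaway self-signed certificate valid 30 days,
# written to CERT_FILE and KEY_FILE so the checks above can run offline.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=sample.invalid" \
    -days 30 -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Typical use after restarting a server with a renewed certificate:
#   check_host_serves_file registry.example.internal 8081 /etc/ssl/renewed.pem \
#     && echo "renewed certificate is live" || echo "server still serves the old one"
```

Run `check_host_serves_file` once per backend IP with the load balancer's DNS name as the SNI argument to find the server whose served certificate does not match the file you expect.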

Can I rerun Let's Encrypt wizard for the same domain?

I set up Let's Encrypt on a virtual machine. A dyndns domain points to this VM and it all works great. I can access the site by calling the dyndns domain and use SSL.
I have no experience with setting up SSL at all. Do I need to back up something? What if the VM gets lost and I set up a new VM and a new Let's Encrypt SSL certificate, which should work identically? Can I just rerun the Let's Encrypt wizard on the VM and get a new certificate, or will I end up with an error, like there has already been a certificate published and I need to restore the old certificate?
Yes, you can rerun the letsencrypt wizard and it will give you your certificate again, for as long as you control the domain. Remember that there are rate limits though and you can't just request over and over again.

Puppet Enterprise Console certificate update

I've set up and been managing a Puppet (Enterprise 2016.1) instance with over 50 nodes. The PE console uses a self-signed certificate (https://<fully-qualified-domain-name>/) which is starting to get flagged by the security audits, forcing me to update the cert. I'm trying to overwrite the self-signed certificate with a CA cert and also do a DNS binding so the URL is more user-friendly. I tried to follow the Puppet article here (https://docs.puppet.com/pe/latest/custom_console_cert.html) but it broke my environment and made the console inaccessible. It has since been recovered using Azure backup.
If anybody ever carried out this activity, please would you let me know how I can go about it? Thanks.

SSL Certification for Replicated Server

Really hope this hasn't been asked before, but here goes.
I am installing and configuring a server to use as a web host for all their projects. I am also installing and configuring an additional identical server for redundancy (replicated via rsync and MySQL replication). What I'd like to know is, can I configure the same SSL EV certificate on both servers or do I need separate ones for each server?
It's a basic LAMP server if that is relevant.
It is possible to use the same certificate on all hosts which need it.