slackhq / nebula

A scalable overlay networking tool with a focus on performance, simplicity and security

New CA or renew existing CA; what can I do?

RiemaruKarurosu opened this issue · comments

What version of nebula are you using?

1.7.2

What operating system are you using?

Linux and Windows

Describe the Bug

My CA expires next month, and I have almost 100 hosts that depend on this service.
What do I have to do? Create a new CA or renew the CA (in some way that I don't know)?
Will all my hosts disconnect and stop working when the CA expires next month, or could they work after a certain period?
Hope you can help me with this issue.
Thanks

Logs from affected hosts

No response

Config files from affected hosts

No response

Hi @RiemaruKarurosu -

As Benjamin and Brad mentioned on Slack:

  1. Generate a new Certificate Authority, add it to the trust bundle of all your hosts and send a SIGHUP to each host in order to reload its config.
  2. Issue certs for each host using the new CA. Update the pki.cert and pki.key on each host with the new cert info, and send another SIGHUP.
  3. Finally, once all hosts have been moved to the new CA, remove the original CA from the trust bundle, and send a final SIGHUP.
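
The trust-bundle edits behind steps 1 and 3 above, as an added example that is not part of the original thread or of the nebula project: the helpers add the new CA to the file `pki.ca` points at, and later remove the old one without ever leaving the bundle empty. All function names are hypothetical, the PEM blocks in `demo` are constructed placeholders, and `reload_nebula` assumes the process is named `nebula`; `signed_by` wraps the real `nebula-cert verify` and is the check to run against every reissued host cert before step 3.

```shell
# Trust-bundle helpers for the three rotation steps. Bundle and CA paths are
# arguments; nothing here is part of nebula itself.

pem_body() {      # base64 body of the first PEM block in file $1, on one line
    awk '/^-----BEGIN /{b=1; next} /^-----END /{exit} b{printf "%s", $0}' "$1"
}
bundle_count() {  # number of certificates in bundle $1
    awk '/^-----BEGIN /{n++} END{print n+0}' "$1"
}
bundle_has() {    # succeeds if bundle $1 already contains CA cert $2
    awk -v want="$(pem_body "$2")" '
        /^-----BEGIN /{b=1; body=""; next}
        /^-----END /{b=0; if (body == want) found=1; next}
        b{body = body $0}
        END{exit (found ? 0 : 1)}' "$1"
}
bundle_add() {    # step 1: append new CA $2 to bundle $1 (idempotent)
    bundle_has "$1" "$2" || cat "$2" >> "$1"
}
bundle_remove() { # step 3: drop CA $2 from bundle $1; never leave it empty
    tmp=$(mktemp) || return 1
    awk -v want="$(pem_body "$2")" '
        /^-----BEGIN /{b=1; blk=$0 "\n"; body=""; next}
        b && /^-----END /{b=0; if (body != want) printf "%s%s\n", blk, $0; next}
        b{blk = blk $0 "\n"; body = body $0; next}
        {print}' "$1" > "$tmp"
    if [ "$(bundle_count "$tmp")" -eq 0 ]; then
        rm -f "$tmp"; echo "refusing to write an empty bundle" >&2; return 1
    fi
    cat "$tmp" > "$1" && rm -f "$tmp"   # overwrite in place, keeps file mode
}
signed_by() {     # gate for step 3: host cert $2 verifies against CA file $1
    nebula-cert verify -ca "$1" -crt "$2"
}
reload_nebula() { pkill -HUP -x nebula; }   # SIGHUP, run after each step

demo() {          # constructed placeholder PEM blocks, not real certificates
    d=$(mktemp -d) || return 1
    for n in old new; do
        printf '%s\n' '-----BEGIN NEBULA CERTIFICATE-----' \
            "constructed${n}CAbody" '-----END NEBULA CERTIFICATE-----' > "$d/$n.crt"
    done
    cp "$d/old.crt" "$d/bundle.crt"; a=$(bundle_count "$d/bundle.crt")
    bundle_add "$d/bundle.crt" "$d/new.crt"; b=$(bundle_count "$d/bundle.crt")
    bundle_remove "$d/bundle.crt" "$d/old.crt"; c=$(bundle_count "$d/bundle.crt")
    echo "$a $b $c"; rm -rf "$d"
}
```

Running `demo` prints the bundle size after each stage; on a real host, call `signed_by new-ca.crt host.crt` for every reissued cert and only then `bundle_remove` the old CA.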