Renewal of Lets Encrypt certificates, applicable when no auto renewals such as certbot / certmanager are being used.

Instructions

Exec into running nginx pod and execute,
- acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $DOMAIN && renew=1
Once command is successful, check for new certs,
- ls -lrt /etc/ssl/acme/$DOMAIN
Reload nginx to pick up new certs and verify if domain reflects right certificates,
- nginx -s reload
Copy certs from pod
1. kubectl cp nginx-2087212062-c67lk:/etc/ssl/acme/egov-micro-qa.egovernments.org/ ./certs-egov-micro-qa
ssh to bastion node using the key file and ssh to minion nodes with admin user one-by-one
1. ssh -i <KEY>.pem admin@<BASTION-IP> this is not accessible outside the egovernment network. Or need to whitelist the ip.
2. scp to writable directory on the minion
3. ssh to minion and sudo cp to /srv/acme/egov-micro-qa.egovernments.org directory
Restart nginx pod to test to make sure everything is running ok

The entire process has been automated on the playground, use only for legacy deployments.

Related articles