What is the extent of certificate renewal?

Does openziti renew every certificate so that I don't ever have to think about it again?

I think the last cert that needs to have automatic rotation enabled is the controller's server certificate. There are plans to automate this process but I'm unsure when it will be enabled. One alternative is to generate the server cert and allow it to last for a long time. By default, OpenZiti will create a server certificate that is valid for ~one year. You could choose to make that 10 or 20 if you like.

If you used a docker container to deploy the controller (from the deployments section of the doc), it's currently configured to renew the cert on restart in an effort to make the renewal a tad easier on the network operator.

If that's the only thing that should be updated manually, then I can do it manually by scheduling it on my task management system.

There seems to be a distinction between controller cert and controller server cert. What is the difference?

Are you referring to the identity block at the top of a config file? Looking something like this?

identity:
  cert:        "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-intermediate/certs/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-client.chain.pem"
  server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-intermediate/certs/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-server.chain.pem"
  key:         "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-intermediate/keys/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-server.key"
  ca:          "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/cas.pem"
  alt_server_certs:
    - server_cert:  "/etc/letsencrypt/live/cdaws.clint.demo.openziti.org/fullchain.pem"
      server_key:   "/etc/letsencrypt/live/cdaws.clint.demo.openziti.org/privkey.pem"

If that's what you're referring to, then the cert entry represents the cert the OpenZiti component (I say component, because routers will also have this identity block) will use when initiating a connection to another piece of the OpenZiti overlay. If you only have one controller, this entry will never* be used (* I mean, never say 'never', right?) because the controller doesn't connect to anything, everything connects to it, so the cert field would be unused.

If that's not what you mean, I generally try to clarify the differences. So if I slipped up and said just "controller cert" somewhere, that's just me being lazy/forgetful.

hth


Yes. Why do you need two different certs for incoming connections and outgoing connections?

Does the documentation say which certs are automatically renewed?

Technically, you don't. You can certainly set them to the same cert if you want. I don't believe the doc has any mention of which certs are renewed automatically but it should. We are planning an overhaul of the doc in the coming months, I'll add a task for that as well since it's a vital component of the overlay.

In the meantime, the algolia-provided search is pretty useful if the search term used matches our doc. I only mention it because it's easy for people to miss but it's really useful (lots of people don't see the search box up on the top right). I did a quick scan for 'renew' to see if the search would find any related doc and this is already out there. It's in a section that's more reactionary, than informational, but that's what we have, hopefully it's helpful. I'll add a task to add a bit more about cert lifecycles...

EDIT:


So, does this mean that if I have only one controller, I need to renew only these on controller?

web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:443
        address: oz1.xxxxxx.com:443
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"

Do have any script to renew those?

Hi @timnis, the link above shows you how to renew them. Yes, if you only have one controller you only need to renew the server_cert. However, I'd do them both just in case. It's only a couple of commands. I do recommend backing up the PKI and controller configurations etc. before modifying something...

If you are using a docker 'deployment' (ie, not a quickstart) you just need to restart the docker container. It's currently set to renew certs on restart of the process regardless.
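Before renewing anything, it helps to know exactly which PEM files a controller config points at and how long each has left. The script below is an added example written for this thread; it is not part of OpenZiti and not code from anyone in the discussion. It walks a controller config in the shape shown above (the top-level identity block, its alt_server_certs, and the identity blocks under web:), lists every cert and server_cert path, dedupes them (the same server.chain.pem is usually referenced from both places), and asks the openssl binary for each file's notAfter date. The embedded SAMPLE_CONFIG is constructed with shortened paths and placeholder hostnames; the only external dependency assumed is an openssl binary on PATH. Note that openssl x509 reads only the first certificate in a chain file, which is the leaf, so this reports the leaf's expiry, not the intermediate's.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample in the shape of the identity blocks quoted in this thread.
# Paths are shortened and hostnames are placeholders; this is not a real deployment.
SAMPLE_CONFIG = """\
identity:
  cert:        "pki/intermediate/certs/client.chain.pem"
  server_cert: "pki/intermediate/certs/server.chain.pem"
  key:         "pki/intermediate/keys/server.key"
  ca:          "pki/cas.pem"
  alt_server_certs:
    - server_cert:  "/etc/letsencrypt/live/example.org/fullchain.pem"
      server_key:   "/etc/letsencrypt/live/example.org/privkey.pem"
web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:443
        address: oz1.example.com:443
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"
"""

# Only the two certificate roles matter here: 'cert' is presented when the
# component dials out, 'server_cert' is presented to inbound connections.
CERT_KEY_RE = re.compile(r'^\s*-?\s*(cert|server_cert)\s*:\s*"?([^"\s]+)"?\s*$')
SECTION_RE = re.compile(r'^(\S+):\s*$')          # unindented key => top-level section
NAME_RE = re.compile(r'^\s*-?\s*name\s*:\s*(\S+)\s*$')


def cert_paths(config_text):
    """Return [(label, role, path)] for every cert/server_cert entry.

    label is the top-level section name ('identity') or, inside 'web:', the
    name of the listener whose identity block the entry belongs to.
    """
    found = []
    section = None
    label = None
    for line in config_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = label = m.group(1)
            continue
        m = NAME_RE.match(line)
        if m and section == "web":
            label = m.group(1)
            continue
        m = CERT_KEY_RE.match(line)
        if m:
            found.append((label, m.group(1), m.group(2)))
    return found


def unique_paths(entries):
    """Distinct files to inspect, in first-seen order; one PEM is often referenced twice."""
    seen = []
    for _, _, path in entries:
        if path not in seen:
            seen.append(path)
    return seen


def parse_openssl_enddate(line):
    """Parse the 'notAfter=Mar  4 15:30:00 2025 GMT' line printed by openssl x509 -enddate."""
    value = line.strip().split("=", 1)[1]
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_remaining(not_after, now=None):
    now = now or datetime.now(timezone.utc)
    return (not_after - now).total_seconds() / 86400


def check_cert(path, warn_days=30):
    """Return (days_left, verdict) for the leaf cert in a PEM file.

    openssl x509 only reads the first certificate in the file, i.e. the leaf
    of a *.chain.pem. Returns (None, 'unreadable') if the file is missing or
    the openssl binary is not available (assumed to be on PATH).
    """
    try:
        out = subprocess.run(
            ["openssl", "x509", "-noout", "-enddate", "-in", path],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None, "unreadable"
    days = days_remaining(parse_openssl_enddate(out))
    if days < 0:
        return days, "EXPIRED"
    if days < warn_days:
        return days, "renew soon"
    return days, "ok"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    entries = cert_paths(text)
    for path in unique_paths(entries):
        roles = sorted({f"{lbl}/{role}" for lbl, role, p in entries if p == path})
        days, verdict = check_cert(path)
        shown = "n/a" if days is None else f"{days:6.1f}d"
        print(f"{verdict:11} {shown:>8}  {path}  ({', '.join(roles)})")
```

Run it against the real config (python check_certs.py /path/to/controller.yaml) from the same task scheduler that will do the renewal; the "renew soon" threshold is the one knob worth tuning, and a path reported as unreadable usually means the config was edited but the PKI directory was not.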

Thanks @TheLumberjack.

Maybe I need to change my controller to docker 'deployment' :thinking:

And no need to change certificates on routers :+1: