Linkerd – How to replace a certificate?

In this article we explain how to replace an expired certificate in Linkerd.

Replacing only the issuer certificate (Linkerd)

It might be the case that your issuer certificate has expired. If this is true, running linkerd check --proxy will produce output similar to:

linkerd-identity
----------------
√ certificate config is valid
√ trust roots are using supported crypto algorithm
√ trust roots are within their validity period
√ trust roots are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
× issuer cert is within its validity period
    issuer certificate is not valid anymore. Expired on 2019-12-19T09:21:08Z
    see https://linkerd.io/checks/#l5d-identity-issuer-cert-is-time-valid for hints
In this situation, if you have installed Linkerd with a manually supplied trust root and you have its key, you can follow the instructions to rotate your identity issuer certificate to update your expired certificate.
First you have to install step, the smallstep CLI

!!! Do not use apt install step, because that package is different software, not from smallstep !!!

You can download step from https://smallstep.com/docs/step-cli/installation.

wget https://dl.step.sm/gh-release/cli/docs-cli-install/v0.21.0/step-cli_0.21.0_amd64.deb
sudo dpkg -i step-cli_0.21.0_amd64.deb
Generating the certificates with step

First generate the root certificate with its private key (using step version 0.10.1):

step certificate create root.linkerd.cluster.local ca.crt ca.key --profile root-ca --no-password --insecure
Issuer certificate and key

Then generate the intermediate certificate and key pair that will be used to sign the Linkerd proxies’ CSRs.

step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
--profile intermediate-ca --not-after 8760h --no-password --insecure \
--ca ca.crt --ca-key ca.key
Linkerd upgrade with the new certificates

You can follow Generating your own mTLS root certificates to create new root and issuer certificates. Then use the linkerd upgrade command:

linkerd upgrade --identity-issuer-certificate-file=./issuer.crt --identity-issuer-key-file=./issuer.key --identity-trust-anchors-file=./ca.crt --force | kubectl apply -f -
Forcing the upgrade and restarting the control plane

Usually, linkerd upgrade will refuse an issuer certificate that does not work with the trust roots your meshed pods are currently using. Here we do not need this check, because we are replacing both the root and the issuer certificate at the same time, so we pass the --force flag to bypass that error.

Once this is done, you’ll need to explicitly restart the control plane so that everything in the control plane is configured to use the new trust anchor:

kubectl rollout restart -n linkerd deploy
Verification of the certificate upgrade

Run linkerd check --proxy again to verify that everything is working correctly.