Skip to content

Cloud Foundry BOSH SSL Rotation

cloudfoundry/bosh

Cloud Foundry BOSH

cloudfoundry/bosh

About
About
Installation
Installation
Guides
Guides
- Deploying Software
  Deploying Software
  - Core Concepts
    Core Concepts
    
    Updating Cloud Config
    
    Building a Manifest
    
    Uploading Stemcells
    
    Uploading Releases
    
    Deploying
  - Using Persistent Disks
    Using Persistent Disks
    
    Persistent Disks
    
    Taking Snapshots
    
    Using XFS
  - Using Links
    Using Links
    
    Links
    
    Manually Configuring Links
  - Running Errands
  - VM Update Strategy
  - VM Anti-Affinity
  - Credentials on tmpfs
  - Locking compiled releases
  - Troubleshooting
    Troubleshooting
    
    Failing VMs
    
    Monitoring
    
    Process Monitoring with Monit
    
    IaaS Reconciliation
    
    Deployment Recovery
  - Migrating
    Migrating
    
    To Availability Zones
    
    From the Ruby CLI
- Packaging Software
  Packaging Software
  - Core Concepts
    Core Concepts
    
    Creating a Release
  - Using Links
    Using Links
    
    Sharing Properties
  - Configuring the Blobstore
    Configuring the Blobstore
    
    Release Blobstore
    
    Using S3 & IAM Policies
  - Working with Blobs
  - Testing
    Testing
    
    Unit Testing Job Templates
  - Migrating Packages to Jammy Jellyfish
  - Scheduled Processes
  - Creating Compiled Releases
  - Using Errands
  - Configuring Processes
    Configuring Processes
    
    Recommended Property Types
  - Packaging and Compiling
    Packaging and Compiling
    
    Creating Packages
    
    Reusing Packages
  - Windows Compatibility
    Windows Compatibility
    
    Overview
    
    Creating a Windows Stemcell for vSphere
    
    Sample Release
  - Using BPM
    Using BPM
    
    Overview
    
    Configuration
    
    Runtime
    
    Migrating to BPM
    
    Undefined Behaviors
- Operating Director
  Operating Director
  - Monitoring
    Monitoring
    
    Prometheus Metrics
    
    Auditing Events
    
    Reviewing Tasks
    
    Logging API Access
  - Securing
    Securing
    
    Using Basic Users
    
    Integrating with UAA
    Integrating with UAA
    
    Configuring Director
    
    Managing Permissions with UAA Scopes
    
    Using BOSH Teams
    
    Configuring SSL Certificates
    
    Director SSL Certificate Configuration with OpenSSL
    
    Rotating Credentials
    Rotating Credentials
    
    Credentials
    
    NATS
    NATS
    
    CA Rotation
    
    Blobstore
    Blobstore
    
    CA Rotation
    
    Agent Password Rotation
    
    Bootstrap mbus
    Bootstrap mbus
    
    SSL Rotation SSL Rotation
    Table of contents
    
    Preconditions
    
    Step 1: Remove mbus SSL from creds.yml
    
    Step 2: Redeploy the Director with a new mbus SSL certificate
    
    CredHub
    CredHub
    
    Encryption Password Rotation
    
    Signed URLs
  - Configuring the Database
    Configuring the Database
    
    Builtin PostgreSQL
    
    External MySQL
  - Configuring the Blobstore
    Configuring the Blobstore
    
    Builtin DAV Server
    
    Amazon S3
    
    Google Cloud Storage
  - Managing Releases
  - Managing Stemcells
  - Auto-healing Capabilities
  - Using Health Monitor
  - Using Runtime Config
    Using Runtime Config
    
    Overview
    
    Common Addons
  - Using Deploy Config
  - Integrating with CredHub
    Integrating with CredHub
    
    Variable Types
  - Tasks Cleanup
  - Optional Features
    Optional Features
    
    Explicit ARP Flushing
    
    Removing Dev Tools from VMs
    
    Installing Certificates on VMs
  - Troubleshooting
- Using the CLI
  Using the CLI
  - Commands
  - Global Flags
  - Environments
  - Tunneling
  - Composing YAML
    Composing YAML
    
    Interpolating Variables
    
    Creating Ops Files
- Advanced Networking
  Advanced Networking
  - Multi-Cloud Support
    Multi-Cloud Support
    
    Using CPI Config
    
    Using AWS
  - Using IPv6 on vSphere
- Advanced Bootstrapping
  Advanced Bootstrapping
  - Using a Public IP
  - Enabling SSH Access
- In-depth Topics
  In-depth Topics
  - Native DNS Support
  - Components of BOSH
  - Deploying Step by Step
  - Agent Interactions
  - Configuring NTP
  - Disaster Recovery in Case of AZ Outage
  - Virtual Machines
    Virtual Machines
    
    Structure of a VM
    
    Filesystem Locations
    
    Using Logs
    
    Instance Metadata
- Development
  Development
Reference
Reference
- Terminology
- Deployment Config
- Cpi Config
- Director Cloud Config
  Director Cloud Config
- Director APIs
  Director APIs
  - Director HTTP API
  - Links API
- Director Runtime Config
- Generic Configs
- Cloud Provider Interface
  Cloud Provider Interface
  - Version 2
    Version 2
    
    Overview
    
    Methods
    Methods
    
    attach_disk
    
    calculate_vm_cloud_properties
    
    create_disk
    
    create_stemcell
    
    create_network
    
    create_vm
    
    delete_disk
    
    delete_snapshot
    
    delete_stemcell
    
    delete_network
    
    delete_vm
    
    detach_disk
    
    get_disks
    
    has_disk
    
    has_vm
    
    info
    
    reboot_vm
    
    resize_disk
    
    update_disk
    
    set_disk_metadata
    
    set_vm_metadata
    
    snapshot_disk
  - Version 1
    Version 1
    
    Overview
    
    Migrating to version 2
    
    Methods
    Methods
    
    attach_disk
    
    configure_networks
    
    create_vm
    
    current_vm_id
    
    delete_vm
    
    detach_disk
    
    info
  - RPC Interface
- Release Management
  Release Management
  - Overview
  - Release URLs
  - Jobs
    Jobs
    
    Usage
    
    Update Lifecycle
    
    Lifecycle Hooks
    Lifecycle Hooks
    
    Drain
    
    Pre-start
    
    Post-start
    
    Post-deploy
    
    Pre-stop
    
    Post-stop
  - Links
    Links
    
    Common Types
  - Deployment Convergence
- Operating Systems
  Operating Systems
- CLI reference
  CLI reference
  - Commands
  - Global Flags
  - Environments
  - Tunneling
  - Composing YAML
    Composing YAML
    
    Interpolating Variables
    
    Creating Ops Files
- Legacy Documentation
  Legacy Documentation
- Cloud Providers
- Alibaba Cloud
  Alibaba Cloud
  - Usage
  - Common Errors
- Amazon Web Services
  Amazon Web Services
- Google Cloud Platform
  Google Cloud Platform
- Microsoft Azure
  Microsoft Azure
- OpenStack
  OpenStack
- RackHD
  RackHD
  - Usage
- SoftLayer
  SoftLayer
  - Usage
- VirtualBox
  VirtualBox
  - Usage
- VMware vCloud
  VMware vCloud
  - Usage
- VMware vSphere
  VMware vSphere
- Warden
  Warden
  - Usage
Stemcells
Releases



Rotating mbus SSL¶

Bootstrap SSL certificate needs to be removed from the creds.yml and re-created later with create-env. Since the signing CA is the Director's default CA and remains unchanged, no updates are required on the CLI side.

Preconditions¶

Director is in a healthy state and there are no new deployments in progress.
These instructions must be adapted if used with ops files overwriting the variables used in this procedure (i.e. bosh-lite).

Step 1: Remove mbus SSL from `creds.yml`¶

bosh interpolate ./creds.yml \
 -o remove-mbus-ssl.yml > creds_new.yml

mv creds_new.yml creds.yml

Ops file remove-mbus-ssl.yml

---
- type: remove
  path: /mbus_bootstrap_ssl?

This will remove the mbus_bootstrap_ssl from the creds.yml, causing the next create-env to create a new one.

Step 2: Redeploy the Director with a new mbus SSL certificate¶

bosh create-env ~/workspace/bosh-deployment/bosh.yml \
 --state ./state.json \
 -o ~/workspace/bosh-deployment/[IAAS]/cpi.yml \
 -o ... additional ops files \
 --vars-store ./creds.yml \
 -v ... additional vars

This adds a new mbus SSL certificate to creds.yml.