How to Renew Consul Root CA Certificate

The Consul root CA is generated using the consul tls ca create command. If created with the original options the root CA is only valid for a few years. After running production for a while you inevitably need to extend this certificate. To do so we need to generate and sign a new certificate using the existing private key. Consul does not provide any commands for doing so but it can be done using OpenSSL. ...

February 3, 2021 · 2 min · dschaaff

Lets Encrypt Bug Requires Reissue of Certificates by Cert-Manager in Kubernetes

I received a fun email from Lets Encrypt today letting me know that they were revoking all of my certificates on March 4. The bug is described here. All of my certificates are managed by cert-manager inside Kubernetes. This led to the fun challenge of figuring out how to force a reissue of every certificate. There were 2 approaches that came up in the Kubernetes community slack. Delete all secrets containing cert-manager issued certificates. ...

March 3, 2020 · 1 min · dschaaff

In Praise of the Bat Commandline Tool

I’ve been working on helm charts a lot lately. For better or worse that has involved running helm install —debug —dry-run… a lot to ensure things render correctly. It is much easier to parse that output when there is syntax highlighting. Enter [bat](GitHub - sharkdp/bat: A cat(1) clone with wings.). I can helm install —debug —dry-run… | bat -l yaml to get full syntax highlighting. It’s a small thing but it makes a big difference. ...

July 1, 2019 · 1 min · dschaaff