Merge "Add docs for linaro cloud cert renewal process"

doc/source/letsencrypt.rst

@@ -151,3 +151,50 @@ the next Ansible pulse to renew.
    # tail -f /var/log/acme.sh/acme.sh.log
    ... watch and should be renewed on next pulse
    # rm *.conf.old
+
+Linaro ARM64 Cloud Cert Renewal
+===============================
+
+The Linaro ARM64 cloud relies on Let's Encrypt certs for API endpoints,
+but these certs are not automatically provisioned. The reason for this
+is that cloud is not completely enrolled into our Ansible automation
+(we share management of this install with Linaro and full integration
+has not be done). We can manually refresh the SSL certs in this cloud
+though.
+
+To access the cloud backend ssh via bridge as root to
+``openinfraci.linaro.cloud``.
+
+First we provision a new certificate using acme.sh on the cloud node:
+
+.. code-block:: console
+
+  /root/acme.sh/acme.sh --server letsencrypt --issue \
+    --dns dns_aws -d openinfraci.linaro.cloud
+
+Next backup the old cert:
+
+.. code-block:: console
+
+  cp /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem \
+    /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem.$DATE
+
+Copy the new cert into the kolla-ansible secrets:
+
+.. code-block:: console
+
+  cat /root/.acme.sh/openinfraci.linaro.cloud/openinfraci.linaro.cloud.key \
+    /root/.acme.sh/openinfraci.linaro.cloud/fullchain.cer \
+    > /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem
+
+Activate the kolla-ansible virtualenv to run ansible:
+
+.. code-block:: console
+
+  source /root/venv3/bin/activate
+
+Run kolla-ansible to deploy the cert:
+
+.. code-block:: console
+
+  /root/venv3/bin/kolla-ansible -i ~/all-in-one deploy