Add docs for linaro cloud cert renewal process

These docs had lived on the server in question in a text file as they
were sort of cobbled together from emails. Since then multiple renewals
have been successfully performed so we may as well add the process to
our actual documentation.

Change-Id: I13267ad08c1e4ef6007e5cbea040c274ea2f27d5

doc/source/letsencrypt.rst

@@ -151,3 +151,50 @@ the next Ansible pulse to renew.
    # tail -f /var/log/acme.sh/acme.sh.log
    ... watch and should be renewed on next pulse
    # rm *.conf.old
+
+Linaro ARM64 Cloud Cert Renewal
+===============================
+
+The Linaro ARM64 cloud relies on Let's Encrypt certs for API endpoints,
+but these certs are not automatically provisioned. The reason for this
+is that cloud is not completely enrolled into our Ansible automation
+(we share management of this install with Linaro and full integration
+has not be done). We can manually refresh the SSL certs in this cloud
+though.
+
+To access the cloud backend ssh via bridge as root to
+``openinfraci.linaro.cloud``.
+
+First we provision a new certificate using acme.sh on the cloud node:
+
+.. code-block:: console
+
+  /root/acme.sh/acme.sh --server letsencrypt --issue \
+    --dns dns_aws -d openinfraci.linaro.cloud
+
+Next backup the old cert:
+
+.. code-block:: console
+
+  cp /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem \
+    /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem.$DATE
+
+Copy the new cert into the kolla-ansible secrets:
+
+.. code-block:: console
+
+  cat /root/.acme.sh/openinfraci.linaro.cloud/openinfraci.linaro.cloud.key \
+    /root/.acme.sh/openinfraci.linaro.cloud/fullchain.cer \
+    > /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem
+
+Activate the kolla-ansible virtualenv to run ansible:
+
+.. code-block:: console
+
+  source /root/venv3/bin/activate
+
+Run kolla-ansible to deploy the cert:
+
+.. code-block:: console
+
+  /root/venv3/bin/kolla-ansible -i ~/all-in-one deploy