Introduction
PowerVC 2.3.0 adds a command that renews the certificates PowerVC uses internally, so I tried it out to see how it behaves.
For earlier versions, I covered renewing the powervc service certificate in the post below.
(On earlier versions it took some trial and error before the renewal came out right..)
Environment
PowerVC 2.3 (RHEL 9.4 ppc64le)
Cluster name: pvc23
Checking the target certificates and their expiry dates
Check the expiry dates with the "powervc-opsmgr config certs --check-expiry -c pvc23" command.
-c specifies the cluster name.
# powervc-opsmgr config certs --check-expiry -c pvc23
+----------------------------------+--------------------------+
| Certificate Path                 | Expiration Date          |
+==================================+==========================+
| /etc/pki/tls/certs/powervc.crt   | Jan 29 07:02:29 2028 GMT |
+----------------------------------+--------------------------+
| /etc/pki/messages/ca/cacert.pem  | Jul 14 07:07:41 2027 GMT |
+----------------------------------+--------------------------+
| /etc/pki/novnc/ca/cacert.pem     | Jul 14 07:23:29 2027 GMT |
+----------------------------------+--------------------------+
| /etc/pki/zookeeper/ca/cacert.pem | Jul 14 07:09:00 2027 GMT |
+----------------------------------+--------------------------+
| /etc/pki/db/ca/cacert.pem        | Apr  9 07:39:47 2028 GMT |
+----------------------------------+--------------------------+
The certificates do not all expire on the same date. Note also what the table covers: apart from the powervc.crt TLS certificate it lists only each service's CA certificate (cacert.pem). The server and client certificates issued under those CAs, such as /etc/pki/zookeeper/server/cert.pem and /etc/pki/zookeeper/cert.pem that appear in the renewal output further down, are not listed here, so their dates have to be checked directly with openssl x509 -noout -enddate.
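The table is only a snapshot; what an operator really wants is to be warned ahead of time which of these certificates is about to run out. The script below is an added example written for this article, not a PowerVC tool: it reads the --check-expiry table from stdin (sample_table reproduces the table above as constructed input), parses OpenSSL's "Mon D HH:MM:SS YYYY GMT" notAfter format without depending on GNU date, and exits non-zero when any certificate is within the given number of days, which is what a cron job or a monitoring check needs. The script name cert_expiry_check.sh and the 800-day threshold used in the demo are my choices.

```shell
#!/bin/sh
# Expiry watchdog for the "powervc-opsmgr config certs --check-expiry" table.
# Added example for this article, not part of PowerVC. It parses the table from
# stdin, computes the days left per certificate without GNU date, and exits
# non-zero when any certificate is within THRESHOLD days, so it can back a cron
# job or a monitoring check. The script name cert_expiry_check.sh is my choice.
set -eu

# Day number (days since 1970-01-01) of a Gregorian date: Howard Hinnant's
# days_from_civil written in POSIX shell integer arithmetic.
day_number() {  # day_number YEAR MONTH DAY
    y=$1 m=$2 d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))                          # year of era, 0..399
    doy=$(((153 * mp + 2) / 5 + d - 1))             # day of year, March-based
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))  # day of era
    echo $((era * 146097 + doe - 719468))
}

# Month abbreviation as OpenSSL prints it (Jan..Dec) to 1..12.
month_number() {
    case $1 in
        Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
        May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
        Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *) echo "unknown month: $1" >&2; return 1;;
    esac
}

# Whole days from REF (YYYY-MM-DD, default today UTC) to an OpenSSL notAfter
# string such as "May  9 12:32:32 2028 GMT"; negative once the date has passed.
days_until() {  # days_until NOTAFTER [REF]
    ref=${2:-$(date -u +%Y-%m-%d)}
    set -- $1                                       # Mon D HH:MM:SS YYYY GMT
    target=$(day_number "$4" "$(month_number "$1")" "$2")
    ry=${ref%%-*}; rmo=${ref#*-}; rmo=${rmo%-*}; rd=${ref##*-}
    base=$(day_number "$ry" "${rmo#0}" "${rd#0}")  # strip leading zero: no octal
    echo $((target - base))
}

# Read the --check-expiry table from stdin, print one line per certificate,
# return 1 if any has fewer than THRESHOLD days left.
check_expiry_table() {  # check_expiry_table THRESHOLD [REF]
    threshold=$1; ref=${2:-}; status=0
    while IFS= read -r line; do
        case $line in '| /'*) ;; *) continue ;; esac  # data rows only
        path=$(printf '%s\n' "$line" | awk -F'|' '{gsub(/^ +| +$/, "", $2); print $2}')
        expiry=$(printf '%s\n' "$line" | awk -F'|' '{gsub(/^ +| +$/, "", $3); print $3}')
        left=$(days_until "$expiry" "$ref")
        if [ "$left" -lt "$threshold" ]; then flag=RENEW; status=1; else flag=ok; fi
        printf '%-5s %5d days  %s\n' "$flag" "$left" "$path"
    done
    return $status
}

# The table from the first --check-expiry run in the article, embedded as
# constructed sample input.
sample_table() {
    cat <<'EOF'
+----------------------------------+--------------------------+
| Certificate Path                 | Expiration Date          |
+==================================+==========================+
| /etc/pki/tls/certs/powervc.crt   | Jan 29 07:02:29 2028 GMT |
| /etc/pki/messages/ca/cacert.pem  | Jul 14 07:07:41 2027 GMT |
| /etc/pki/novnc/ca/cacert.pem     | Jul 14 07:23:29 2027 GMT |
| /etc/pki/zookeeper/ca/cacert.pem | Jul 14 07:09:00 2027 GMT |
| /etc/pki/db/ca/cacert.pem        | Apr  9 07:39:47 2028 GMT |
+----------------------------------+--------------------------+
EOF
}

# Usage: powervc-opsmgr config certs --check-expiry -c pvc23 | sh cert_expiry_check.sh 90
# Without arguments it runs on the embedded sample as of the article's run date.
if [ $# -ge 1 ]; then
    check_expiry_table "$1" "${2:-}"
else
    sample_table | check_expiry_table 800 2025-05-10 \
        || echo "at least one certificate is within 800 days of expiry" >&2
fi
```

Piped from the real command the script flags every certificate under the threshold and exits 1, which is the signal a scheduler or monitoring agent can act on; the reference date is taken from the date's day only, so the count is whole days and ignores the time of day in the notAfter field.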
Renewing a certificate with the command
As a test, I renew the zookeeper certificate.
Run "powervc-opsmgr config certs -c pvc23 --type zookeeper".
The --type option selects which certificate to renew (for example rabbit, zookeeper, powervc, novnc or db).
Execution log (collapsed because it is long)
# powervc-opsmgr config certs -c pvc23 --type zookeeper
Please restart the zookeeper service once the renewal of cert is done using powervc-services command
PLAY [{{ playbook_task_names.powervc_update_operation }}] **********************
Saturday 10 May 2025 08:32:23 -0400 (0:00:00.074) 0:00:00.074 **********
TASK [Gathering Facts] *********************************************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:25 -0400 (0:00:01.552) 0:00:01.626 **********
TASK [command] *****************************************************************
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:25 -0400 (0:00:00.388) 0:00:02.015 **********
TASK [include_vars] ************************************************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:25 -0400 (0:00:00.016) 0:00:02.031 **********
TASK [include_vars] ************************************************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:25 -0400 (0:00:00.018) 0:00:02.050 **********
TASK [{{ pvc_utils_task_names.store_locale_variable }}] ************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:25 -0400 (0:00:00.019) 0:00:02.070 **********
TASK [include_vars] ************************************************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:25 -0400 (0:00:00.028) 0:00:02.098 **********
Saturday 10 May 2025 08:32:25 -0400 (0:00:00.021) 0:00:02.119 **********
TASK [include_vars] ************************************************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:25 -0400 (0:00:00.025) 0:00:02.144 **********
TASK [include_vars] ************************************************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:25 -0400 (0:00:00.019) 0:00:02.164 **********
TASK [pvc_main : include_vars] *************************************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:25 -0400 (0:00:00.033) 0:00:02.197 **********
TASK [pvc_main : Acquire lock - Check for Lock file] ***************************
ok: [xxx.xx.xxx.xx -> 127.0.0.1]
Saturday 10 May 2025 08:32:25 -0400 (0:00:00.247) 0:00:02.444 **********
TASK [pvc_main : Configure lock facts based on file] ***************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:26 -0400 (0:00:00.018) 0:00:02.462 **********
TASK [pvc_main : Set fact for lock file based on all node] *********************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:26 -0400 (0:00:00.025) 0:00:02.488 **********
Saturday 10 May 2025 08:32:26 -0400 (0:00:00.013) 0:00:02.501 **********
Saturday 10 May 2025 08:32:26 -0400 (0:00:00.017) 0:00:02.518 **********
TASK [pvc_main : Acquire lock - Create PowerVC Lock file] **********************
ok: [xxx.xx.xxx.xx -> 127.0.0.1]
Saturday 10 May 2025 08:32:26 -0400 (0:00:00.254) 0:00:02.773 **********
TASK [pvc_main : Acquire lock - Create PowerVC Lock file] **********************
changed: [xxx.xx.xxx.xx -> 127.0.0.1]
Saturday 10 May 2025 08:32:26 -0400 (0:00:00.156) 0:00:02.930 **********
TASK [pvc_main : Create lock uuid file] ****************************************
changed: [xxx.xx.xxx.xx -> 127.0.0.1]
Saturday 10 May 2025 08:32:26 -0400 (0:00:00.160) 0:00:03.090 **********
TASK [pvc_main : stat] *********************************************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:26 -0400 (0:00:00.181) 0:00:03.272 **********
Saturday 10 May 2025 08:32:26 -0400 (0:00:00.014) 0:00:03.286 **********
Saturday 10 May 2025 08:32:26 -0400 (0:00:00.015) 0:00:03.301 **********
Saturday 10 May 2025 08:32:26 -0400 (0:00:00.015) 0:00:03.317 **********
TASK [pvc_main : setup] ********************************************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:27 -0400 (0:00:00.371) 0:00:03.688 **********
Saturday 10 May 2025 08:32:27 -0400 (0:00:00.019) 0:00:03.708 **********
Saturday 10 May 2025 08:32:27 -0400 (0:00:00.015) 0:00:03.723 **********
TASK [pvc_main : set_fact] *****************************************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:27 -0400 (0:00:00.026) 0:00:03.750 **********
TASK [pvc_main : stat] *********************************************************
ok: [xxx.xx.xxx.xx -> 127.0.0.1]
Saturday 10 May 2025 08:32:27 -0400 (0:00:00.157) 0:00:03.907 **********
Saturday 10 May 2025 08:32:27 -0400 (0:00:00.016) 0:00:03.923 **********
Saturday 10 May 2025 08:32:27 -0400 (0:00:00.015) 0:00:03.938 **********
TASK [pvc_main : set_fact] *****************************************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:27 -0400 (0:00:00.018) 0:00:03.957 **********
Saturday 10 May 2025 08:32:27 -0400 (0:00:00.014) 0:00:03.971 **********
TASK [{{ pvc_certs_task_names.get_permission_stats_for_etcpkizookeeper_and_etczookeepercerts }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:27 -0400 (0:00:00.186) 0:00:04.158 **********
TASK [{{ pvc_certs_task_names.bakcup_etcpkizookeeper }}] ***********************
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:27 -0400 (0:00:00.214) 0:00:04.373 **********
TASK [{{ pvc_certs_task_names.bakcup_etcpkizookeeper }}] ***********************
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:28 -0400 (0:00:00.184) 0:00:04.557 **********
TASK [{{ pvc_certs_task_names.get_zoo_passowrd }}] *****************************
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:28 -0400 (0:00:00.258) 0:00:04.816 **********
TASK [{{ pvc_certs_task_names.set_passowrd_fact }}] ****************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:28 -0400 (0:00:00.017) 0:00:04.833 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_zookeeper_base_pki_directory }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:28 -0400 (0:00:00.181) 0:00:05.014 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_zookeeper_ca_directory }}] ***
changed: [xxx.xx.xxx.xx] => (item=/etc/pki/zookeeper/ca/)
changed: [xxx.xx.xxx.xx] => (item=/etc/pki/zookeeper/ca/certs/)
Saturday 10 May 2025 08:32:28 -0400 (0:00:00.363) 0:00:05.378 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_zookeeper_ca_private_key_directory }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:29 -0400 (0:00:00.180) 0:00:05.559 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_zookeeper_ca_private_key }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:29 -0400 (0:00:00.168) 0:00:05.728 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_zookeeper_ca_private_key }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:30 -0400 (0:00:00.778) 0:00:06.506 **********
Saturday 10 May 2025 08:32:30 -0400 (0:00:00.029) 0:00:06.535 **********
Saturday 10 May 2025 08:32:30 -0400 (0:00:00.019) 0:00:06.554 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_for_zookeeper_serial_file }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:30 -0400 (0:00:00.166) 0:00:06.721 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_zookeeper_a_serial_file }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:30 -0400 (0:00:00.535) 0:00:07.256 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_zookeeper_index_file }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:31 -0400 (0:00:00.421) 0:00:07.678 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.copy_opensslconf_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:31 -0400 (0:00:00.434) 0:00:08.113 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_for_zookeeper_ca_certificate_file_exists }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:31 -0400 (0:00:00.179) 0:00:08.292 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.generate_the_certificate_authority_certificate_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:32 -0400 (0:00:00.199) 0:00:08.491 **********
Saturday 10 May 2025 08:32:32 -0400 (0:00:00.020) 0:00:08.512 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_zookeeper_base_pki_directory }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:32 -0400 (0:00:00.179) 0:00:08.691 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_zookeeper_client_private_key_exists }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:32 -0400 (0:00:00.171) 0:00:08.863 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_client_private_key_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:32 -0400 (0:00:00.507) 0:00:09.370 **********
Saturday 10 May 2025 08:32:32 -0400 (0:00:00.029) 0:00:09.400 **********
Saturday 10 May 2025 08:32:32 -0400 (0:00:00.019) 0:00:09.419 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_for_client_certificate_for_zookeeper }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:33 -0400 (0:00:00.170) 0:00:09.589 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.generate_client_certificate_signing_request_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:33 -0400 (0:00:00.186) 0:00:09.775 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.generate_signed_client_certificate_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:33 -0400 (0:00:00.198) 0:00:09.974 **********
Saturday 10 May 2025 08:32:33 -0400 (0:00:00.022) 0:00:09.997 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.remove_client_certificate_signing_request_file_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:33 -0400 (0:00:00.185) 0:00:10.182 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_server_certificate_directory_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:33 -0400 (0:00:00.185) 0:00:10.368 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_server_key_directory_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:34 -0400 (0:00:00.175) 0:00:10.544 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_server_privatekey_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:34 -0400 (0:00:00.453) 0:00:10.997 **********
Saturday 10 May 2025 08:32:34 -0400 (0:00:00.028) 0:00:11.026 **********
Saturday 10 May 2025 08:32:34 -0400 (0:00:00.019) 0:00:11.045 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_server_certificate_for_zookeeper }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:34 -0400 (0:00:00.168) 0:00:11.214 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.generate_server_certificate_signing_request_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:34 -0400 (0:00:00.185) 0:00:11.399 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.generate_signed_server_certificate_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:35 -0400 (0:00:00.197) 0:00:11.597 **********
Saturday 10 May 2025 08:32:35 -0400 (0:00:00.020) 0:00:11.617 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.remove_server_certificate_signing_request_file_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:35 -0400 (0:00:00.182) 0:00:11.799 **********
included: /opt/ibm/powervc-opsmgr/ansible/core/roles/pvc_certs/tasks/pvc_zookeeper_client_server_keystore.yml for xxx.xx.xxx.xx
Saturday 10 May 2025 08:32:35 -0400 (0:00:00.053) 0:00:11.853 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_zookeeper_etc_certs_directory }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:35 -0400 (0:00:00.186) 0:00:12.039 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_for_zookeeper_client_pkcs }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:35 -0400 (0:00:00.173) 0:00:12.213 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.export_client_certs_in_pkcs12_format_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:35 -0400 (0:00:00.199) 0:00:12.412 **********
Saturday 10 May 2025 08:32:35 -0400 (0:00:00.019) 0:00:12.431 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_zookeeper_client_jks }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:36 -0400 (0:00:00.182) 0:00:12.613 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.import_keystore_in_client_jks_cli_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:37 -0400 (0:00:01.009) 0:00:13.622 **********
Saturday 10 May 2025 08:32:37 -0400 (0:00:00.018) 0:00:13.641 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_for_zookeeper_server_pkcs }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:37 -0400 (0:00:00.177) 0:00:13.818 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.export_server_certs_in_pkcs12_format_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:37 -0400 (0:00:00.202) 0:00:14.021 **********
Saturday 10 May 2025 08:32:37 -0400 (0:00:00.019) 0:00:14.040 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_zookeeper_server_jks }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:37 -0400 (0:00:00.174) 0:00:14.215 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.import_keystore_in_server_jks_cli_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:38 -0400 (0:00:00.634) 0:00:14.850 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.import_keystore_server_cert_for_zookeeper }}] ***
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:39 -0400 (0:00:00.640) 0:00:15.491 **********
Saturday 10 May 2025 08:32:39 -0400 (0:00:00.019) 0:00:15.510 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_zookeeper_servertrust_jks_exists }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:39 -0400 (0:00:00.199) 0:00:15.709 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.import_keystore_in_jks_servertrust_zookeeper }}] ***
changed: [xxx.xx.xxx.xx] => (item={'alias': 'ca', 'file': '/etc/pki/zookeeper/ca/cacert.pem', 'jks': '/etc/zookeeper/certs/servertrust.jks'})
changed: [xxx.xx.xxx.xx] => (item={'alias': 'servercert', 'file': '/etc/pki/zookeeper/server/cert.pem', 'jks': '/etc/zookeeper/certs/servertrust.jks'})
Saturday 10 May 2025 08:32:40 -0400 (0:00:01.255) 0:00:16.964 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_zookeeper_clienttrust_jks_exists }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:40 -0400 (0:00:00.169) 0:00:17.134 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.import_keystore_in_jks_clienttrust_zookeeper }}] ***
changed: [xxx.xx.xxx.xx] => (item={'alias': 'ca', 'file': '/etc/pki/zookeeper/ca/cacert.pem', 'jks': '/etc/zookeeper/certs/clienttrust.jks'})
changed: [xxx.xx.xxx.xx] => (item={'alias': 'clientcert', 'file': '/etc/pki/zookeeper/cert.pem', 'jks': '/etc/zookeeper/certs/clienttrust.jks'})
Saturday 10 May 2025 08:32:41 -0400 (0:00:01.195) 0:00:18.329 **********
Saturday 10 May 2025 08:32:41 -0400 (0:00:00.018) 0:00:18.348 **********
included: /opt/ibm/powervc-opsmgr/ansible/core/roles/pvc_certs/tasks/pvc_zookeeper_server_certificates.yml for xxx.xx.xxx.xx
Saturday 10 May 2025 08:32:41 -0400 (0:00:00.050) 0:00:18.399 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.create_certs_quoram_dir }}] ******
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:42 -0400 (0:00:00.193) 0:00:18.593 **********
TASK [pvc_certs : Get the short hostname] **************************************
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:42 -0400 (0:00:00.193) 0:00:18.786 **********
TASK [pvc_certs : Facts to set for ipaddress or hostname] **********************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:42 -0400 (0:00:00.023) 0:00:18.810 **********
TASK [pvc_certs : debug] *******************************************************
ok: [xxx.xx.xxx.xx] => {
"pvc_zk_short_hostname": "powervc230-test"
}
Saturday 10 May 2025 08:32:42 -0400 (0:00:00.016) 0:00:18.827 **********
TASK [pvc_certs : debug] *******************************************************
ok: [xxx.xx.xxx.xx] => (item=xxx.xx.xxx.xx) => {
"ansible_loop_var": "item",
"hostvars[item]['ansible_hostname']": "powervc230-test",
"item": "xxx.xx.xxx.xx"
}
Saturday 10 May 2025 08:32:42 -0400 (0:00:00.027) 0:00:18.854 **********
TASK [pvc_certs : debug] *******************************************************
ok: [xxx.xx.xxx.xx] => (item=xxx.xx.xxx.xx) => {
"ansible_loop_var": "item",
"hostvars[item]['pvc_zk_short_hostname']": "powervc230-test",
"item": "xxx.xx.xxx.xx"
}
Saturday 10 May 2025 08:32:42 -0400 (0:00:00.033) 0:00:18.887 **********
TASK [pvc_certs : {{ pvc_utils_task_names.facts_to_set_san }}] *****************
ok: [xxx.xx.xxx.xx] => (item=xxx.xx.xxx.xx)
Saturday 10 May 2025 08:32:42 -0400 (0:00:00.040) 0:00:18.928 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.check_if_zookeeper_truststore_exists }}] ***
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:42 -0400 (0:00:00.172) 0:00:19.101 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.genkeypair_keystore_zookeeper }}] ***
changed: [xxx.xx.xxx.xx] => (item=powervc230-test)
changed: [xxx.xx.xxx.xx] => (item=powervc230-test)
Saturday 10 May 2025 08:32:44 -0400 (0:00:01.543) 0:00:20.644 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.export_certs_zookeeper }}] *******
changed: [xxx.xx.xxx.xx] => (item=powervc230-test)
changed: [xxx.xx.xxx.xx] => (item=powervc230-test)
Saturday 10 May 2025 08:32:45 -0400 (0:00:01.149) 0:00:21.794 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.import_certs_zookeeper_store }}] ***
changed: [xxx.xx.xxx.xx] => (item=powervc230-test)
changed: [xxx.xx.xxx.xx] => (item=powervc230-test)
Saturday 10 May 2025 08:32:46 -0400 (0:00:01.151) 0:00:22.945 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.change_file_permissions }}] ******
ok: [xxx.xx.xxx.xx] => (item=/etc/pki/zookeeper/cert.pem)
ok: [xxx.xx.xxx.xx] => (item=/etc/pki/zookeeper/ca/cacert.pem)
ok: [xxx.xx.xxx.xx] => (item=/etc/pki/zookeeper/ca/openssl.conf)
ok: [xxx.xx.xxx.xx] => (item=/etc/pki/zookeeper/ca/index.txt)
ok: [xxx.xx.xxx.xx] => (item=/etc/pki/zookeeper/ca/serial)
ok: [xxx.xx.xxx.xx] => (item=/etc/pki/zookeeper/ca/serial.old)
ok: [xxx.xx.xxx.xx] => (item=/etc/pki/zookeeper/server/cert.pem)
ok: [xxx.xx.xxx.xx] => (item=/etc/zookeeper/certs/servertrust.jks)
ok: [xxx.xx.xxx.xx] => (item=/etc/zookeeper/certs/client.jks)
ok: [xxx.xx.xxx.xx] => (item=/etc/zookeeper/certs/clienttrust.jks)
ok: [xxx.xx.xxx.xx] => (item=/etc/zookeeper/certs/server.jks)
Saturday 10 May 2025 08:32:48 -0400 (0:00:01.808) 0:00:24.754 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.change_all_file_inside_a_directory }}] ***
changed: [xxx.xx.xxx.xx] => (item=/etc/zookeeper/certs/quorum/)
changed: [xxx.xx.xxx.xx] => (item=/etc/pki/zookeeper/ca/certs/)
Saturday 10 May 2025 08:32:48 -0400 (0:00:00.333) 0:00:25.087 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.change_directory_permission }}] ***
changed: [xxx.xx.xxx.xx] => (item={'dir': '/etc/zookeeper/certs/quorum', 'mode': '0755'})
changed: [xxx.xx.xxx.xx] => (item={'dir': '/etc/pki/zookeeper/ca/certs', 'mode': '0755'})
Saturday 10 May 2025 08:32:48 -0400 (0:00:00.357) 0:00:25.444 **********
Saturday 10 May 2025 08:32:49 -0400 (0:00:00.027) 0:00:25.472 **********
Saturday 10 May 2025 08:32:49 -0400 (0:00:00.032) 0:00:25.505 **********
TASK [pvc_certs : {{ pvc_zookeeper_task_names.restart_zookeeper }}] ************
changed: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:50 -0400 (0:00:00.961) 0:00:26.467 **********
Saturday 10 May 2025 08:32:50 -0400 (0:00:00.025) 0:00:26.492 **********
TASK [pvc_main : Release lock - Remove lock file] ******************************
changed: [xxx.xx.xxx.xx -> 127.0.0.1]
Saturday 10 May 2025 08:32:50 -0400 (0:00:00.166) 0:00:26.659 **********
included: /opt/ibm/powervc-opsmgr/ansible/core/roles/pvc_main/tasks/end_play.yml for xxx.xx.xxx.xx
Saturday 10 May 2025 08:32:50 -0400 (0:00:00.024) 0:00:26.684 **********
Saturday 10 May 2025 08:32:50 -0400 (0:00:00.017) 0:00:26.701 **********
TASK [pvc_main : set_fact] *****************************************************
ok: [xxx.xx.xxx.xx]
Saturday 10 May 2025 08:32:50 -0400 (0:00:00.018) 0:00:26.720 **********
TASK [pvc_main : debug] ********************************************************
ok: [xxx.xx.xxx.xx] => {
"msg": [
"Play results ---------->",
"Number of nodes : 1",
"List of nodes : ['xxx.xx.xxx.xx']",
"Number of failed nodes : 0",
"List of failed nodes : []"
]
}
Saturday 10 May 2025 08:32:50 -0400 (0:00:00.030) 0:00:26.750 **********
TASK [pvc_main : synchronize state file] ***************************************
ok: [xxx.xx.xxx.xx -> xxx.xx.xxx.xx] => (item=xxx.xx.xxx.xx)
Saturday 10 May 2025 08:32:50 -0400 (0:00:00.501) 0:00:27.251 **********
TASK [pvc_main : synchronize inventory] ****************************************
ok: [xxx.xx.xxx.xx -> xxx.xx.xxx.xx] => (item=xxx.xx.xxx.xx)
Saturday 10 May 2025 08:32:54 -0400 (0:00:03.494) 0:00:30.746 **********
TASK [pvc_main : Success message for play] *************************************
ok: [xxx.xx.xxx.xx] => {
"msg": "Play completed successfully"
}
Saturday 10 May 2025 08:32:54 -0400 (0:00:00.018) 0:00:30.764 **********
PLAY RECAP *********************************************************************
xxx.xx.xxx.xx : ok=88 changed=43 unreachable=0 failed=0 skipped=30 rescued=0 ignored=0
Saturday 10 May 2025 08:32:54 -0400 (0:00:00.016) 0:00:30.781 **********
===============================================================================
pvc_main : synchronize inventory ---------------------------------------- 3.49s
pvc_certs : {{ pvc_zookeeper_task_names.change_file_permissions }} ------ 1.81s
Gathering Facts --------------------------------------------------------- 1.55s
pvc_certs : {{ pvc_zookeeper_task_names.genkeypair_keystore_zookeeper }} --- 1.54s
pvc_certs : {{ pvc_zookeeper_task_names.import_keystore_in_jks_servertrust_zookeeper }} --- 1.25s
pvc_certs : {{ pvc_zookeeper_task_names.import_keystore_in_jks_clienttrust_zookeeper }} --- 1.20s
pvc_certs : {{ pvc_zookeeper_task_names.import_certs_zookeeper_store }} --- 1.15s
pvc_certs : {{ pvc_zookeeper_task_names.export_certs_zookeeper }} ------- 1.15s
pvc_certs : {{ pvc_zookeeper_task_names.import_keystore_in_client_jks_cli_zookeeper }} --- 1.01s
pvc_certs : {{ pvc_zookeeper_task_names.restart_zookeeper }} ------------ 0.96s
pvc_certs : {{ pvc_zookeeper_task_names.create_zookeeper_ca_private_key }} --- 0.78s
pvc_certs : {{ pvc_zookeeper_task_names.import_keystore_server_cert_for_zookeeper }} --- 0.64s
pvc_certs : {{ pvc_zookeeper_task_names.import_keystore_in_server_jks_cli_zookeeper }} --- 0.63s
pvc_certs : {{ pvc_zookeeper_task_names.create_zookeeper_a_serial_file }} --- 0.54s
pvc_certs : {{ pvc_zookeeper_task_names.create_client_private_key_for_zookeeper }} --- 0.51s
pvc_main : synchronize state file --------------------------------------- 0.50s
pvc_certs : {{ pvc_zookeeper_task_names.create_server_privatekey_for_zookeeper }} --- 0.45s
pvc_certs : {{ pvc_zookeeper_task_names.copy_opensslconf_for_zookeeper }} --- 0.43s
pvc_certs : {{ pvc_zookeeper_task_names.create_zookeeper_index_file }} --- 0.42s
command ----------------------------------------------------------------- 0.39s
Please restart the zookeeper service using powervc-services command
The Ansible log streams past. The certificate renewal is evidently implemented inside PowerVC as an Ansible playbook (the roles live under /opt/ibm/powervc-opsmgr/ansible/core/roles/).
Reading the task names, this is a full rollover of the zookeeper PKI rather than a re-issue of one leaf certificate: the existing /etc/pki/zookeeper is backed up (bakcup_etcpkizookeeper), a new CA private key and CA certificate are generated, new client and server keys are created and signed by the new CA, and the PKCS#12/JKS keystores plus the servertrust.jks and clienttrust.jks truststores are rebuilt around it, before the restart_zookeeper task runs. Two consequences follow: anything outside the cluster that trusts the old zookeeper CA stops validating once the service restarts, and the backup directory presumably contains the old private keys, so check its permissions and remove it once the rollover is confirmed.
Restarting the service after renewal
After renewing a certificate, the service that uses it must be restarted before the new certificate is in use; the command says as much at the start and end of its output, even though the playbook itself ran a restart_zookeeper task.
Restart the zookeeper service with powervc-services (the output shows it being stopped and started through the cluster resource zookeeper-clone):
# powervc-services zookeeper restart
Stopping zookeeper services...
Cleaned up zookeeper:0 on xxx.xx.xxx.xx
Performing update of 'target-role' on 'zookeeper-clone', the parent of 'zookeeper'
Set 'zookeeper-clone' option: id=zookeeper-clone-meta_attributes-target-role name=target-role value=Stopped
Checking status of zookeeper
[2604523.214668] systemd-rc-local-generator[706993]: /etc/rc.d/rc.local is not marked executable, skipping.
Starting zookeeper services...
Performing update of 'is-managed' on 'zookeeper-clone', the parent of 'zookeeper'
Set 'zookeeper-clone' option: id=zookeeper-clone-meta_attributes-is-managed name=is-managed value=true
Performing update of 'target-role' on 'zookeeper-clone', the parent of 'zookeeper'
Set 'zookeeper-clone' option: id=zookeeper-clone-meta_attributes-target-role name=target-role value=Started
[2604530.194198] systemd-rc-local-generator[707160]: /etc/rc.d/rc.local is not marked executable, skipping.
Checking the renewed expiry date
# powervc-opsmgr config certs --check-expiry -c pvc23
+----------------------------------+--------------------------+
| Certificate Path                 | Expiration Date          |
+==================================+==========================+
| /etc/pki/tls/certs/powervc.crt   | Jan 29 07:02:29 2028 GMT |
+----------------------------------+--------------------------+
| /etc/pki/messages/ca/cacert.pem  | Jul 14 07:07:41 2027 GMT |
+----------------------------------+--------------------------+
| /etc/pki/novnc/ca/cacert.pem     | Jul 14 07:23:29 2027 GMT |
+----------------------------------+--------------------------+
| /etc/pki/zookeeper/ca/cacert.pem | May  9 12:32:32 2028 GMT | #<= renewed
+----------------------------------+--------------------------+
| /etc/pki/db/ca/cacert.pem        | Apr  9 07:39:47 2028 GMT |
+----------------------------------+--------------------------+
The expiry of the zookeeper CA certificate "/etc/pki/zookeeper/ca/cacert.pem" has moved out to three years from the run: the playbook ran at 08:32 -0400 on 10 May 2025, i.e. 12:32 GMT, which matches the 12:32:32 in the new notAfter, and 1095 days from that lands on 9 May 2028 because 2028 is a leap year.
So the expiry was renewed without problems, as far as the expiry date goes. The check-expiry table says nothing about whether the new server and client certificates and the JKS stores agree with the new CA, and that is worth confirming separately before calling the rollover done.
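A fresh expiry date on cacert.pem shows that the CA was regenerated, not that the rest of the rollover is consistent. The script below is an added example for this article, not part of PowerVC: given a service PKI directory it checks that the server and client certificates verify against the current CA certificate (and only that CA), that the server certificate's subjectAltName carries the node name the playbook derived (powervc230-test in the log above), and, when keytool is available, that each JKS truststore holds that same CA under the alias ca used by the import tasks. The path layout and the alias are taken from the playbook output; the ZK_STOREPASS environment variable for the keystore password is an assumption (the playbook fetches the password in get_zoo_passowrd but does not show where from), and make_test_pki builds a throwaway CA and leaf with openssl so the checks can be exercised on any machine.

```shell
#!/bin/sh
# Post-rollover consistency checks for one PowerVC service PKI directory.
# Added example for this article, not PowerVC tooling. Assumptions: the path
# layout seen in the playbook output (/etc/pki/zookeeper/ca/cacert.pem,
# /etc/pki/zookeeper/server/cert.pem, /etc/pki/zookeeper/cert.pem,
# /etc/zookeeper/certs/*trust.jks), the truststore alias "ca" used by the
# import tasks, and ZK_STOREPASS holding the keystore password.
set -eu

# SHA-256 fingerprint of the PEM certificate on stdin, colon-free upper-case hex.
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}
cert_fingerprint() { pem_fingerprint < "$1"; }  # cert_fingerprint CERT_PEM

# 0 if LEAF verifies against CA alone; the system CA file and directory are
# not consulted, so a certificate from some other CA cannot pass by accident.
verify_chain() {  # verify_chain CA_PEM LEAF_PEM
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if CERT's subjectAltName lists exactly DNS:NAME or IP Address:NAME.
san_contains() {  # san_contains CERT_PEM NAME
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -Fqx -e "DNS:$2" -e "IP Address:$2"
}

# 0 if the certificate stored under ALIAS in JKS has fingerprint FP.
jks_alias_matches() {  # jks_alias_matches JKS ALIAS FP
    got=$(keytool -list -rfc -keystore "$1" -alias "$2" \
              -storepass "${ZK_STOREPASS:?set ZK_STOREPASS}" 2>/dev/null | pem_fingerprint)
    [ "$got" = "$3" ]
}

# Run CHECK with its arguments, print PASS/FAIL, remember any failure in rc.
report() {
    if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; rc=1; fi
}

# check_service_pki PKI_DIR SERVER_CERT CLIENT_CERT NODE_NAME [TRUSTSTORE.jks ...]
check_service_pki() {
    ca=$1/ca/cacert.pem; server=$2; client=$3; node=$4; shift 4
    rc=0
    report verify_chain "$ca" "$server"
    report verify_chain "$ca" "$client"
    report san_contains "$server" "$node"
    fp=$(cert_fingerprint "$ca")
    echo "current CA sha256: $fp"
    for jks in "$@"; do
        if command -v keytool >/dev/null 2>&1; then
            report jks_alias_matches "$jks" ca "$fp"
        else
            echo "SKIP: keytool not found, $jks not inspected"
        fi
    done
    return $rc
}

# Throwaway CA plus one leaf signed by it, laid out like the playbook's output,
# so the checks can be exercised without a PowerVC host (constructed test data).
make_test_pki() {  # make_test_pki DIR NODE_NAME
    mkdir -p "$1/ca" "$1/server"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -subj "/CN=throwaway zookeeper CA" \
        -keyout "$1/ca/cakey.pem" -out "$1/ca/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1/server/key.pem" -out "$1/server/req.pem" 2>/dev/null
    printf 'subjectAltName=DNS:%s,IP:127.0.0.1\n' "$2" > "$1/server/ext.cnf"
    openssl x509 -req -in "$1/server/req.pem" -CA "$1/ca/cacert.pem" \
        -CAkey "$1/ca/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$1/server/ext.cnf" -out "$1/server/cert.pem" 2>/dev/null
}

if [ $# -ge 4 ]; then
    check_service_pki "$@"
fi
```

On the node from this article it would be run as ZK_STOREPASS=... sh check_service_pki.sh /etc/pki/zookeeper /etc/pki/zookeeper/server/cert.pem /etc/pki/zookeeper/cert.pem powervc230-test /etc/zookeeper/certs/servertrust.jks /etc/zookeeper/certs/clienttrust.jks (the script name is mine). A FAIL on a truststore check after the restart is the case to worry about: the service would be presenting a certificate from the new CA while still trusting the old one, which is exactly what the check-expiry table cannot reveal.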
Closing
I only checked one service this time, but the other certificate types can be renewed with the same command.
From PowerVC 2.3.0 onward, certificate renewal is a lot less work.
That's all.