Renew TLS/SSL certificates
NXLog Platform communicates with NXLog Agent instances securely with TLS/SSL. In case of expired or compromised TLS/SSL certificates, you can instruct NXLog Platform to renew an agent’s certificate.
Prerequisites
- A machine with NXLog Agent installed and enrolled to NXLog Platform.
- Your NXLog Platform organization ID.
- An NXLog Platform API Personal Access Token (PAT).
About the renew command
The agents endpoint provides the certificate/renew command to renew NXLog Agent certificates.
You can execute the command for all or selected agents by specifying an agent filter.
$ curl --verbose --request POST \
--url "https://agents.example.com/api/{ORG_ID}/api/v1/agents/*/certificate/renew/?filter=({QUERY})" \
--header "Authorization: Bearer {TOKEN}" \
--data ""
If matching agents exist, the command returns 200 OK with the following JSON body.
Otherwise, it returns an empty JSON array.
[
{
"id": "{AGENT_UUID}",
"status": "success"
}
]
Offline agents will not have their certificates updated automatically.
Once they come back online, the agents will have a warning status and you must synchronize the certificate with the files-sync command for them to receive the new certificate.
Renew all agent certificates
You can renew all agent certificates with a single API request by specifying * for the entity UUID.
POST /agents/*/certificate/renew | |
---|---|
Entity type |
|
Entity UUID |
|
Field |
|
Command |
|
Try it
Execute the following curl command or Python script to renew all agent certificates.
curl
$ curl --verbose --request POST \
--url "https://agents.example.com/api/{ORG_ID}/api/v1/agents/*/certificate/renew" \(1)
--header "Authorization: Bearer {TOKEN}" \(2)
--data ""
1 | Replace example.com with the NXLog Platform domain you specified when installing NXLog Platform and {ORG_ID} with your organization ID. |
2 | Replace {TOKEN} with your API token. See Generating a token for instructions. |
Python
'''
Requires Python 3.x
'''
import requests
import json

# Set these variables for your environment
api_token = '<API_TOKEN>'  # (1)
base_url = 'https://agents.<DOMAIN>/api'  # (2)
org = '<ORG_ID>'  # (3)

endpoint = 'api/v1/agents'
url = '{}/{}/{}'.format(base_url, org, endpoint)
headers = {'Authorization': 'Bearer {}'.format(api_token)}
# "*" as the entity UUID targets every enrolled agent
query = '*/certificate/renew'

r = requests.post('{}/{}'.format(url, query), headers=headers)
if r.status_code == 200:
    print('Status: {} {}'.format(r.status_code, r.reason))
    print(json.dumps(r.json(), indent=2))
else:
    print('Error: {} {}'.format(r.status_code, r.text))
1 | Replace <API_TOKEN> with your API token. See Generating a token for instructions. |
2 | Replace <DOMAIN> with the NXLog Platform domain you specified when installing NXLog Platform. |
3 | Replace <ORG_ID> with your organization ID. |
Example response
Status: 200
[
{
"id": "1589a98a-66b3-11ee-80d5-4f584c6f672d",
"status": "success"
},
{
"id": "94fbcd8e-484c-11ef-8000-656536087e74",
"status": "success"
}
]
Renew certificate by agent hostname
If you need to update the certificate of a single agent, the easiest way is to filter by hostname.
This example renews the certificate of an agent with the hostname PC1.
The hostname is case-sensitive.
POST /agents/*/certificate/renew/filter=(hostname=PC1) | |
---|---|
Entity type |
|
Entity UUID |
|
Field |
|
Command |
|
Filter |
|
Try it
Execute the following curl command or Python script to renew an agent’s certificate by its hostname.
curl
$ curl --verbose --request POST \
--url "https://agents.example.com/api/{ORG_ID}/api/v1/agents/*/certificate/renew/?filter=(hostname=PC1)" \(1)
--header "Authorization: Bearer {TOKEN}" \(2)
--data ""
1 | Replace example.com with the NXLog Platform domain you specified when installing NXLog Platform and {ORG_ID} with your organization ID. |
2 | Replace {TOKEN} with your API token. See Generating a token for instructions. |
Python
'''
Requires Python 3.x
'''
import requests
import json

# Set these variables for your environment
api_token = '<API_TOKEN>'  # (1)
base_url = 'https://agents.<DOMAIN>/api'  # (2)
org = '<ORG_ID>'  # (3)
agent = '<HOSTNAME>'  # (4)

endpoint = 'api/v1/agents'
url = '{}/{}/{}'.format(base_url, org, endpoint)
headers = {'Authorization': 'Bearer {}'.format(api_token)}
# The filter restricts the command to agents whose hostname matches exactly
query = '*/certificate/renew/?filter=(hostname={})'.format(agent)

r = requests.post('{}/{}'.format(url, query), headers=headers)
if r.status_code == 200:
    print('Status: {} {}'.format(r.status_code, r.reason))
    print(json.dumps(r.json(), indent=2))
else:
    print('Error: {} {}'.format(r.status_code, r.text))
1 | Replace <API_TOKEN> with your API token. See Generating a token for instructions. |
2 | Replace <DOMAIN> with the NXLog Platform domain you specified when installing NXLog Platform. |
3 | Replace <ORG_ID> with your organization ID. |
4 | Replace <HOSTNAME> with the hostname of your agent. |
Example response
Status: 200
[
{
"id": "94fbcd8e-484c-11ef-8000-656536087e74",
"status": "success"
}
]
Renew expired certificates
The agent certificate object contains the notAfter field (not-after when filtering).
You can use this field to filter agents with an expired certificate.
The date and time string must be in the ASN.1, RFC 3339 or RFC 2822 format.
This example renews certificates that expired before 2024-09-22.
POST /agents/*/certificate/renew/filter=(certificate/not-after lt "2024-09-22 00:00:00 UTC") | |
---|---|
Entity type |
|
Entity UUID |
|
Field |
|
Command |
|
Filter |
|
Try it
Execute the following curl command or Python script to renew all expired agent certificates.
curl
$ curl --verbose --request POST \
--url "https://agents.example.com/api/{ORG_ID}/api/v1/agents/*/certificate/renew/?filter=(certificate/not-after+lt+'2024-09-22+00:00:00+UTC')" \(1)
--header "Authorization: Bearer {TOKEN}" \(2)
--data ""
1 | Replace example.com with the NXLog Platform domain you specified when installing NXLog Platform and {ORG_ID} with your organization ID. |
2 | Replace {TOKEN} with your API token. See Generating a token for instructions. |
Python
'''
Requires Python 3.x
'''
import requests
import json
from datetime import datetime
from datetime import timezone

# Set these variables for your environment
api_token = '<API_TOKEN>'  # (1)
base_url = 'https://agents.<DOMAIN>/api'  # (2)
org = '<ORG_ID>'  # (3)

endpoint = 'api/v1/agents'
url = '{}/{}/{}'.format(base_url, org, endpoint)
headers = {'Authorization': 'Bearer {}'.format(api_token)}
exp_date = datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M:%S UTC')  # (4)
# Matches agents whose certificate notAfter is earlier than exp_date
query = '*/certificate/renew/?filter=(certificate/not-after lt "{}")'.format(exp_date)

r = requests.post('{}/{}'.format(url, query), headers=headers)
if r.status_code == 200:
    print('Status: {} {}'.format(r.status_code, r.reason))
    print(json.dumps(r.json(), indent=2))
else:
    print('Error: {} {}'.format(r.status_code, r.text))
1 | Replace <API_TOKEN> with your API token. See Generating a token for instructions. |
2 | Replace <DOMAIN> with the NXLog Platform domain you specified when installing NXLog Platform. |
3 | Replace <ORG_ID> with your organization ID. |
4 | Sets the expiry date to the current date and time in UTC. |
Example response
Status: 200
[
{
"id": "1589a98a-66b3-11ee-80d5-4f584c6f672d",
"status": "success"
},
{
"id": "94fbcd8e-484c-11ef-8000-656536087e74",
"status": "success"
}
]
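The following added example (not part of the NXLog documentation) generalizes the expired-certificate filter above to certificates that expire within a chosen number of days, percent-encodes the filter explicitly, and checks each entry of the response array. The function names build_renew_url, summarize and renew, the days_ahead parameter, the "error" status in the sample, and the choice to treat any status other than "success" as needing follow-up are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlsplit


def build_renew_url(base_url, org_id, days_ahead=0, now=None):
    """Return the renew URL for certificates whose notAfter is before now + days_ahead."""
    if urlsplit(base_url).scheme != 'https':
        # The bearer token travels in a header; never send it over plain HTTP.
        raise ValueError('base_url must use https')
    now = now or datetime.now(timezone.utc)
    cutoff = (now + timedelta(days=days_ahead)).strftime('%Y-%m-%d %H:%M:%S UTC')
    # Same filter expression as the script above, percent-encoded explicitly
    # so spaces and quotes do not depend on the HTTP client's behaviour.
    filter_expr = '(certificate/not-after lt "{}")'.format(cutoff)
    return '{}/{}/api/v1/agents/*/certificate/renew/?filter={}'.format(
        base_url.rstrip('/'), quote(org_id, safe=''), quote(filter_expr, safe='()/:'))


def summarize(response_body):
    """Split the response array into renewed agent IDs and IDs needing follow-up."""
    renewed, follow_up = [], []
    for entry in response_body:
        # Only "success" appears on the page; any other status value is
        # treated here as needing manual attention (assumption).
        target = renewed if entry.get('status') == 'success' else follow_up
        target.append(entry.get('id'))
    return renewed, follow_up


def renew(base_url, org_id, api_token, days_ahead=0):
    """POST the renew command and return (renewed, follow_up) agent IDs."""
    import requests  # imported here so the helpers above work without it
    r = requests.post(build_renew_url(base_url, org_id, days_ahead),
                      headers={'Authorization': 'Bearer {}'.format(api_token)},
                      data='', timeout=30)
    r.raise_for_status()
    return summarize(r.json())


if __name__ == '__main__':
    # Constructed sample response, shaped like the example responses above.
    sample = [{'id': '00000000-0000-0000-0000-000000000001', 'status': 'success'},
              {'id': '00000000-0000-0000-0000-000000000002', 'status': 'error'}]
    print(summarize(sample))
    print(build_renew_url('https://agents.example.com/api', 'ORG', days_ahead=30))
```

An empty renewed list with a 200 response means no agent matched the filter, which is the empty JSON array case described at the top of this page.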