Renew TLS/SSL certificates

NXLog Platform communicates with NXLog Agent instances securely with TLS/SSL. In case of expired or compromised TLS/SSL certificates, you can instruct NXLog Platform to renew an agent’s certificate.

Prerequisites

About the renew command

The agents endpoint provides the certificate/renew command to renew NXLog Agent certificates. You can execute the command for all or selected agents by specifying an agent filter.

$ curl --verbose --request POST \
       --url "https://agents.example.com/api/{ORG_ID}/api/v1/agents/*/certificate/renew/?filter=({QUERY})" \
       --header "Authorization: Bearer {TOKEN}" \
       --data ""

If matching agents exist, the command returns 200 OK with the following JSON body. Otherwise, it returns an empty JSON array.

[
  {
    "id": "{AGENT_UUID}",
    "status": "success"
  }
]

Note: Offline agents will not have their certificates updated automatically. Once they come back online, the agents will have a warning status and you must synchronize the certificate with the files-sync command for them to receive the new certificate.

Renew all agent certificates

You can renew all agent certificates with a single API request by specifying * for the entity UUID.

POST /agents/*/certificate/renew

Entity type: agents
Entity UUID: *
Field: certificate
Command: renew

Try it

Execute the following curl command or Python script to renew all agent certificates.

curl
$ curl --verbose --request POST \
       --url "https://agents.example.com/api/{ORG_ID}/api/v1/agents/*/certificate/renew" \
       --header "Authorization: Bearer {TOKEN}" \
       --data ""
1 In the URL, replace example.com with the NXLog Platform domain you specified when installing NXLog Platform and {ORG_ID} with your organization ID.
2 In the Authorization header, replace {TOKEN} with your API token. See Generating a token for instructions.
Python
'''
Requires Python 3.x
'''

import requests
import json

# Set these variables for your environment
api_token = '<API_TOKEN>'  # (1)
base_url = 'https://agents.<DOMAIN>/api'  # (2)
org = '<ORG_ID>'  # (3)

endpoint = 'api/v1/agents'
url = '{}/{}/{}'.format(base_url, org, endpoint)
headers = {'Authorization': 'Bearer {}'.format(api_token)}

query = '*/certificate/renew'
r = requests.post('{}/{}'.format(url, query), headers=headers)
if r.status_code == 200:
    print('Status: {} {}'.format(r.status_code, r.reason))
    print(json.dumps(r.json(), indent=2))
else:
    print('Error: {} {}'.format(r.status_code, r.text))
1 Replace <API_TOKEN> with your API token. See Generating a token for instructions.
2 Replace <DOMAIN> with the NXLog Platform domain you specified when installing NXLog Platform.
3 Replace <ORG_ID> with your organization ID.
Example response
Status: 200
[
  {
    "id": "1589a98a-66b3-11ee-80d5-4f584c6f672d",
    "status": "success"
  },
  {
    "id": "94fbcd8e-484c-11ef-8000-656536087e74",
    "status": "success"
  }
]

Renew certificate by agent hostname

If you need to update the certificate of a single agent, the easiest way is to filter by hostname. This example renews the certificate of an agent with the hostname PC1.

Note: The hostname is case-sensitive.

POST /agents/*/certificate/renew/?filter=(hostname=PC1)

Entity type: agents
Entity UUID: *
Field: certificate
Command: renew
Filter: (hostname=PC1)

Try it

Execute the following curl command or Python script to renew an agent’s certificate by its hostname.

curl
$ curl --verbose --request POST \
       --url "https://agents.example.com/api/{ORG_ID}/api/v1/agents/*/certificate/renew/?filter=(hostname=PC1)" \
       --header "Authorization: Bearer {TOKEN}" \
       --data ""
1 In the URL, replace example.com with the NXLog Platform domain you specified when installing NXLog Platform and {ORG_ID} with your organization ID.
2 In the Authorization header, replace {TOKEN} with your API token. See Generating a token for instructions.
Python
'''
Requires Python 3.x
'''

import requests
import json

# Set these variables for your environment
api_token = '<API_TOKEN>'  # (1)
base_url = 'https://agents.<DOMAIN>/api'  # (2)
org = '<ORG_ID>'  # (3)
agent = '<HOSTNAME>'  # (4)

endpoint = 'api/v1/agents'
url = '{}/{}/{}'.format(base_url, org, endpoint)
headers = {'Authorization': 'Bearer {}'.format(api_token)}

query = '*/certificate/renew/?filter=(hostname={})'.format(agent)
r = requests.post('{}/{}'.format(url, query), headers=headers)
if r.status_code == 200:
    print('Status: {} {}'.format(r.status_code, r.reason))
    print(json.dumps(r.json(), indent=2))
else:
    print('Error: {} {}'.format(r.status_code, r.text))
1 Replace <API_TOKEN> with your API token. See Generating a token for instructions.
2 Replace <DOMAIN> with the NXLog Platform domain you specified when installing NXLog Platform.
3 Replace <ORG_ID> with your organization ID.
4 Replace <HOSTNAME> with the hostname of your agent.
Example response
Status: 200
[
  {
    "id": "94fbcd8e-484c-11ef-8000-656536087e74",
    "status": "success"
  }
]

Renew expired certificates

The agent certificate object contains the notAfter field (not-after when filtering). You can use this field to filter agents with an expired certificate. The date and time string must be in the ASN.1, RFC 3339 or RFC 2822 format. This example renews certificates that expired before 2024-09-22.

POST /agents/*/certificate/renew/?filter=(certificate/not-after lt "2024-09-22 00:00:00 UTC")

Entity type: agents
Entity UUID: *
Field: certificate
Command: renew
Filter: (certificate/not-after lt "2024-09-22 00:00:00 UTC")

Try it

Execute the following curl command or Python script to renew all expired agent certificates.

curl
$ curl --verbose --request POST \
       --url "https://agents.example.com/api/{ORG_ID}/api/v1/agents/*/certificate/renew/?filter=(certificate/not-after+lt+'2024-09-22+00:00:00+UTC')" \
       --header "Authorization: Bearer {TOKEN}" \
       --data ""
1 In the URL, replace example.com with the NXLog Platform domain you specified when installing NXLog Platform and {ORG_ID} with your organization ID.
2 In the Authorization header, replace {TOKEN} with your API token. See Generating a token for instructions.
Python
'''
Requires Python 3.x
'''

import requests
import json
from datetime import datetime
from datetime import timezone

# Set these variables for your environment
api_token = '<API_TOKEN>'  # (1)
base_url = 'https://agents.<DOMAIN>/api'  # (2)
org = '<ORG_ID>'  # (3)

endpoint = 'api/v1/agents'
url = '{}/{}/{}'.format(base_url, org, endpoint)
headers = {'Authorization': 'Bearer {}'.format(api_token)}

exp_date = datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M:%S UTC')  # (4)
query = '*/certificate/renew/?filter=(certificate/not-after lt "{}")'.format(exp_date)
r = requests.post('{}/{}'.format(url, query), headers=headers)
if r.status_code == 200:
    print('Status: {} {}'.format(r.status_code, r.reason))
    print(json.dumps(r.json(), indent=2))
else:
    print('Error: {} {}'.format(r.status_code, r.text))
1 Replace <API_TOKEN> with your API token. See Generating a token for instructions.
2 Replace <DOMAIN> with the NXLog Platform domain you specified when installing NXLog Platform.
3 Replace <ORG_ID> with your organization ID.
4 Sets the expiry date to the current date and time in UTC.
Example response
Status: 200
[
  {
    "id": "1589a98a-66b3-11ee-80d5-4f584c6f672d",
    "status": "success"
  },
  {
    "id": "94fbcd8e-484c-11ef-8000-656536087e74",
    "status": "success"
  }
]
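
The following is an added example, not NXLog's own code. It builds the renew URL with the filter percent-encoded (so a hostname or date containing spaces, quotes or & cannot alter the query string), generalizes the expired-certificate filter above to certificates expiring within a chosen number of days, and summarizes the response array. The function names, the constructed sample response and the handling of any status other than "success" are assumptions; this page documents only the "success" value.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote


def renew_url(base_url, org, filter_expr=None):
    """Build the certificate/renew URL; the filter expression is percent-encoded."""
    url = '{}/{}/api/v1/agents/*/certificate/renew'.format(base_url.rstrip('/'), org)
    if filter_expr:
        # Keep '=', '/' and ':' readable; encode spaces, quotes, '&', '#', etc.
        url += '/?filter=({})'.format(quote(filter_expr, safe='=/:'))
    return url


def expiring_filter(now, days_ahead=0):
    """Filter for certificates whose notAfter is before now + days_ahead (UTC).

    days_ahead=0 matches the page's "already expired" case; a positive value
    renews certificates before they lapse.
    """
    cutoff = now.astimezone(timezone.utc) + timedelta(days=days_ahead)
    return 'certificate/not-after lt "{}"'.format(
        cutoff.strftime('%Y-%m-%d %H:%M:%S UTC'))


def summarize(results):
    """Split the response array into renewed agents and ones needing follow-up.

    Assumption: any status other than "success" needs manual attention.
    An empty array means the filter matched no agents.
    """
    renewed = [a['id'] for a in results if a.get('status') == 'success']
    follow_up = [a['id'] for a in results if a.get('status') != 'success']
    return {'matched': len(results), 'renewed': renewed, 'follow_up': follow_up}


if __name__ == '__main__':
    now = datetime(2024, 9, 15, tzinfo=timezone.utc)  # fixed time for a repeatable run
    print(renew_url('https://agents.example.com/api', '<ORG_ID>',
                    expiring_filter(now, days_ahead=7)))
    # Constructed sample response; "failed" is a hypothetical non-success value.
    sample = [{'id': 'agent-uuid-1', 'status': 'success'},
              {'id': 'agent-uuid-2', 'status': 'failed'}]
    print(summarize(sample))
```

Pass the returned URL to requests.post with the same Authorization header as in the scripts above, then feed r.json() to summarize.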