Procedure for renewing TLS certificates on master and satellite nodes

This documentation explains how to renew expired or expiring TLS certificates.

TLS certificates are used to ensure secure communication between the master node and the satellite node(s). The procedure begins by renewing the certificates on the master node, then on the satellite node(s).

Diagnosis of certificate expiry

Certificate has expired

Connect with SSH to the satellite node and run the following command:

sudo cyberwatch logs sidekiq

If the command output contains the following information, then it is possible to follow the procedure to renew the certificates:

Root CA found and valid, Redis certificate will be verified
[2023-10-30T14:47:12.695545 #1] ERROR -- : TLS/SSL error: certificate has expired
Root CA found and valid, MariaDB certificate will be verified
[2023-10-30T14:47:46.921936 #1] ERROR -- : TLS/SSL error: certificate has expired

Get the expiration date of the master node’s root certificate

Connect with SSH to the satellite node and run the following command:

openssl x509 -noout -enddate -in /etc/cyberwatch/certs/cbw-root-ca-cert.pem
notAfter=Oct 1 00:00:00 2023 GMT

This means that the certificate is no longer valid after October 1, 2023.

Renew the certificate on the master node

Establish an SSH connection to the master node
Backup current certificates:
```
sudo mv /etc/cyberwatch/certs{,.old}
```
Create new certificates:
Add any necessary infrastructure options, such as --no-db or --offline.
```
sudo cyberwatch configure --master
```
Answer no to the configuration change. Enter the IP address of the master node, followed by all domain names used by satellites to reach the master node. They will be added as Subject Alternative Name (SAN).

Check the validity of the new certificate:

openssl x509 -noout -enddate -in /etc/cyberwatch/certs/cbw-root-ca-cert.pem
notAfter=Nov 18 15:08:14 2025 GMT

Renew the certificate on the satellite node(s)

Get the valid certificate from the master node:
```
sudo cyberwatch show-root-cert
```
Write the output of the previous command to file /etc/cyberwatch/certs/cbw-root-ca-cert.pem of the satellite node:
```
sudo vim /etc/cyberwatch/certs/cbw-root-ca-cert.pem
```
Restart cyberwatch on the satellite node:
```
sudo cyberwatch restart
```

Operation validation

To validate that the satellite node is able to reach the master node with a valid certificate, check the sidekiq logs:

sudo cyberwatch logs sidekiq | grep -C 10 "certificate will be verified"

Output of the command should look like this:

Healthcheck completed reporting a successful start
Checking if Redis supports TLS
Using TLS available on ...
Root CA found and valid, Redis certificate will be verified
Using Redis URL: rediss://...
Checking if MariaDB supports TLS
TLS is available for MariaDB
Root CA found and valid, MariaDB certificate will be verified