Procedure for renewing TLS certificates on master and satellite nodes

This documentation explains how to renew expired or expiring TLS certificates.

TLS certificates are used to ensure secure communication between the master node and the satellite node(s). The procedure begins by renewing the certificates on the master node, then on the satellite node(s).

Diagnosis of certificate expiry

Certificate has expired

Connect with SSH to the satellite node and run the following command:

sudo cyberwatch logs sidekiq

If the command output contains the following lines, the certificates have expired and the renewal procedure below applies:

Root CA found and valid, Redis certificate will be verified
[2023-10-30T14:47:12.695545 #1] ERROR -- : TLS/SSL error: certificate has expired
Root CA found and valid, MariaDB certificate will be verified
[2023-10-30T14:47:46.921936 #1] ERROR -- : TLS/SSL error: certificate has expired

Get the expiration date of the master node’s root certificate

Connect with SSH to the satellite node and run the following command:

openssl x509 -noout -enddate -in /etc/cyberwatch/certs/cbw-root-ca-cert.pem
notAfter=Oct 1 00:00:00 2023 GMT

This means that the certificate is no longer valid after October 1, 2023.

Renew the certificate on the master node

  1. Establish an SSH connection to the master node

  2. Backup current certificates:

    sudo mv /etc/cyberwatch/certs{,.old}
    
  3. Create new certificates:

    Append any infrastructure options your installation requires, such as --no-db or --offline, to the command below.

    sudo cyberwatch configure --master
    

    Answer no to the configuration change. Enter the IP address of the master node, followed by all domain names used by satellites to reach the master node. They will be added as Subject Alternative Name (SAN).

  4. Check the validity of the new certificate:

    openssl x509 -noout -enddate -in /etc/cyberwatch/certs/cbw-root-ca-cert.pem
    notAfter=Nov 18 15:08:14 2025 GMT
    

Renew the certificate on the satellite node(s)

  1. Get the valid certificate from the master node:

    sudo cyberwatch show-root-cert
    
  2. Write the output of the previous command to the file /etc/cyberwatch/certs/cbw-root-ca-cert.pem on the satellite node:

    sudo vim /etc/cyberwatch/certs/cbw-root-ca-cert.pem
    
  3. Restart cyberwatch on the satellite node:

    sudo cyberwatch restart
    

Operation validation

  1. To validate that the satellite node is able to reach the master node with a valid certificate, check the sidekiq logs:

    sudo cyberwatch logs sidekiq | grep -C 10 "certificate will be verified"
    

    The output of the command should look like this:

    Healthcheck completed reporting a successful start
    Checking if Redis supports TLS
    Using TLS available on ...
    Root CA found and valid, Redis certificate will be verified
    Using Redis URL: rediss://...
    Checking if MariaDB supports TLS
    TLS is available for MariaDB
    Root CA found and valid, MariaDB certificate will be verified
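As an added example (not part of the Cyberwatch documentation) serving both the diagnosis section above and this validation check, the following Python parses the notAfter= line printed by openssl into a UTC datetime and classifies the TLS lines of the sidekiq log per backend; the sample log lines are constructed from the output shapes shown on this page, not captured from a real node.

```python
"""Helpers for this page's two checks: parse the notAfter= line printed by
`openssl x509 -enddate`, and classify the TLS lines of `cyberwatch logs sidekiq`."""
import re
from datetime import datetime, timedelta, timezone

# openssl prints e.g. "notAfter=Oct 1 00:00:00 2023 GMT" (a single-digit day
# may carry an extra padding space), so whitespace is collapsed before parsing.
_OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"

def parse_not_after(line: str) -> datetime:
    """Turn openssl's notAfter line into a timezone-aware UTC datetime."""
    value = " ".join(line.strip().split("=", 1)[1].split())
    # strptime accepts the GMT suffix but attaches no tzinfo; add UTC explicitly.
    return datetime.strptime(value, _OPENSSL_FMT).replace(tzinfo=timezone.utc)

def days_until_expiry(line: str, now_iso: str) -> int:
    """Whole days left before notAfter (negative once expired), measured from
    an ISO-8601 timestamp with offset, e.g. '2023-10-31T00:00:00+00:00'."""
    return (parse_not_after(line) - datetime.fromisoformat(now_iso)) // timedelta(days=1)

_VERIFIED = re.compile(r"Root CA found and valid, (\w+) certificate will be verified")
_EXPIRED = re.compile(r"TLS/SSL error: certificate has expired")

def classify_sidekiq_log(lines) -> dict:
    """Map each backend named in the log (Redis, MariaDB) to 'verified' or
    'expired'; an expiry error is charged to the backend announced last."""
    status, current = {}, None
    for line in lines:
        match = _VERIFIED.search(line)
        if match:
            current = match.group(1)
            status[current] = "verified"
        elif _EXPIRED.search(line) and current:
            status[current] = "expired"
    return status

def needs_renewal(lines) -> bool:
    return "expired" in classify_sidekiq_log(lines).values()

# Constructed sample logs shaped like the page's output, not captured output.
EXPIRED_LOG = """\
Root CA found and valid, Redis certificate will be verified
[2023-10-30T14:47:12.695545 #1] ERROR -- : TLS/SSL error: certificate has expired
Root CA found and valid, MariaDB certificate will be verified
[2023-10-30T14:47:46.921936 #1] ERROR -- : TLS/SSL error: certificate has expired
""".splitlines()
HEALTHY_LOG = """\
Root CA found and valid, Redis certificate will be verified
Using Redis URL: rediss://...
Root CA found and valid, MariaDB certificate will be verified
""".splitlines()
```

Feeding `sudo cyberwatch logs sidekiq` output to classify_sidekiq_log gives a per-backend verdict, and a negative days_until_expiry on the root certificate confirms the diagnosis before you start the renewal.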