Procedure for renewing TLS certificates on master and satellite nodes
This documentation explains how to renew expired or expiring TLS certificates.
TLS certificates are used to ensure secure communication between the master node and the satellite node(s). The procedure begins by renewing the certificates on the master node, then on the satellite node(s).
Diagnosis of certificate expiry
Certificate has expired
Connect with SSH to the satellite node and run the following command:
sudo cyberwatch logs sidekiq
If the command output contains the following lines, the certificates have expired and the renewal procedure below applies:
Root CA found and valid, Redis certificate will be verified
[2023-10-30T14:47:12.695545 #1] ERROR -- : TLS/SSL error: certificate has expired
Root CA found and valid, MariaDB certificate will be verified
[2023-10-30T14:47:46.921936 #1] ERROR -- : TLS/SSL error: certificate has expired
Get the expiration date of the master node’s root certificate
Connect with SSH to the satellite node and run the following command:
openssl x509 -noout -enddate -in /etc/cyberwatch/certs/cbw-root-ca-cert.pem
notAfter=Oct 1 00:00:00 2023 GMT
This means that the certificate is no longer valid after October 1, 2023.
Renew the certificate on the master node
Establish an SSH connection to the master node
Back up the current certificates:
sudo mv /etc/cyberwatch/certs{,.old}
Create new certificates:
Add any necessary infrastructure options, such as --no-db or --offline.
sudo cyberwatch configure --master
Answer no to the configuration change. Enter the IP address of the master node, followed by all domain names used by satellites to reach the master node. They will be added as Subject Alternative Names (SAN).
Check the validity of the new certificate:
openssl x509 -noout -enddate -in /etc/cyberwatch/certs/cbw-root-ca-cert.pem
notAfter=Nov 18 15:08:14 2025 GMT
Renew the certificate on the satellite node(s)
Get the valid certificate from the master node:
sudo cyberwatch show-root-cert
Write the output of the previous command to the file /etc/cyberwatch/certs/cbw-root-ca-cert.pem of the satellite node:
sudo vim /etc/cyberwatch/certs/cbw-root-ca-cert.pem
Restart cyberwatch on the satellite node:
sudo cyberwatch restart
Operation validation
To validate that the satellite node is able to reach the master node with a valid certificate, check the sidekiq logs:
sudo cyberwatch logs sidekiq | grep -C 10 "certificate will be verified"
The output of the command should look like this:
Healthcheck completed reporting a successful start
Checking if Redis supports TLS
Using TLS available on ...
Root CA found and valid, Redis certificate will be verified
Using Redis URL: rediss://...
Checking if MariaDB supports TLS
TLS is available for MariaDB
Root CA found and valid, MariaDB certificate will be verified
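As an added example (not part of the Cyberwatch documentation), the two shell functions below support the expiry diagnosis and the copy of the root certificate to the satellite node: cert_status reports whether a certificate has expired or will expire within a warning window, and cert_fingerprint prints its SHA-256 fingerprint so the file written on the satellite can be compared with the one on the master node. The function names and the 30-day default window are assumptions.

```shell
#!/bin/sh
# Added example, not Cyberwatch code. Function names and the 30-day
# default warning window are assumptions.
#
# Usage on a node (path taken from this page):
#   cert_status /etc/cyberwatch/certs/cbw-root-ca-cert.pem 30
#   cert_fingerprint /etc/cyberwatch/certs/cbw-root-ca-cert.pem
# Run cert_fingerprint on the master and on each satellite: the values
# must be identical once the root certificate has been copied over.

# cert_status FILE [DAYS]
# Prints "expired", "expiring" or "ok" followed by the notAfter date.
# Returns 2 if expired, 1 if expiring within DAYS, 0 if ok,
# 3 if the file is missing or is not a parsable certificate.
cert_status() {
    cert=$1
    days=${2:-30}
    if ! end=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null); then
        echo "unreadable $cert"
        return 3
    fi
    end=${end#notAfter=}
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null; then
        echo "expired $end"
        return 2
    fi
    if ! openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null; then
        echo "expiring $end"
        return 1
    fi
    echo "ok $end"
    return 0
}

# cert_fingerprint FILE
# Prints the SHA-256 fingerprint (colon-separated hex) of the certificate.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}
```

Running cert_status from a scheduled job on each node gives a warning before the sidekiq logs start reporting "certificate has expired".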