Renew or replace the self-managed MySQL/Galera certificates

Renew or replace the self-managed MySQL/Galera certificatesΒΆ

This section describes how to renew or replace the self-managed MySQL/Galera certificates.

To renew or replace the self-managed MySQL/Galera certificates:

  1. Log in to the Salt Master node.

  2. Create the classes/cluster/<cluster_name>/openstack/ssl/galera_master.yml file with the following configuration as an example:

    classes:
    - cluster.<cluster_name>.openstack.ssl
    parameters:
      galera:
        master:
          ssl:
            enabled: True
            cacert_chain: ${_param:galera_ssl_cacert_chain}
            key: ${_param:galera_ssl_key}
            cert: ${_param:galera_ssl_cert}
            ca_file: ${_param:mysql_ssl_ca_file}
            key_file: ${_param:mysql_ssl_key_file}
            cert_file: ${_param:mysql_ssl_cert_file}
    

    Note

    Substitute <cluster_name> with the appropriate value.

  3. Create the classes/cluster/<cluster_name>/openstack/ssl/galera_slave.yml file with the following configuration as an example:

    classes:
    - cluster.<cluster_name>.openstack.ssl
    parameters:
      galera:
        slave:
          ssl:
            enabled: True
            cacert_chain: ${_param:galera_ssl_key}
            key: ${_param:galera_ssl_key}
            cert: ${_param:galera_ssl_key}
            ca_file: ${_param:mysql_ssl_ca_file}
            key_file: ${_param:mysql_ssl_key_file}
            cert_file: ${_param:mysql_ssl_cert_file}
    

    Note

    Substitute <cluster_name> with the appropriate value.

  4. Create the classes/cluster/<cluster_name>/openstack/ssl/init.yml file with the following configuration as an example:

    parameters:
      _param:
        mysql_ssl_key_file: /etc/mysql/ssl/key.pem
        mysql_ssl_cert_file: /etc/mysql/ssl/cert.pem
        mysql_ssl_ca_file: /etc/mysql/ssl/ca.pem
        galera_ssl_cacert_chain: |
          -----BEGIN CERTIFICATE-----
          MIIF0TCCA7mgAwIBAgIJAOkTQnjLz6rEMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
          ...
          RHXc4FoWv9/n8ZcfsqjQCjF3vUUZBB3zdlfLCLJRruB4xxYukc3gFpFLm21+0ih+
          M8IfJ5I=
          -----END CERTIFICATE-----
        galera_ssl_key: |
          -----BEGIN RSA PRIVATE KEY-----
          MIIJKQIBAAKCAgEArVSJ16ePjCik+6bZBzhiu3enXw8R9Ms1k4x57633IX1sEZTJ
          ...
          0VgM2bDSNyUuiwCbOMK0Kyn+wGeHF/jGSbVsxYI4OeLFz8gdVUqm7olJj4j3xemY
          BlWVHRa/dEG1qfSoqFU9+IQTd+U42mtvvH3oJHEXK7WXzborIXTQ/08Ztdvy
          -----END RSA PRIVATE KEY-----
        galera_ssl_cert: |
          -----BEGIN CERTIFICATE-----
          MIIGIDCCBAigAwIBAgIJAJznLlNteaZFMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
          ...
          MfXPTUI+7+5WQLx10yavJ2gOhdyVuDVagfUM4epcriJbACuphDxHj45GINOGhaCd
          UVVCxqnB9qU16ea/kB3Yzsrus7egr9OienpDCFV2Q/kgUSc7
          -----END CERTIFICATE-----
    

    Note

    Modify the example above by adding your certificates and key:

    • If you renew the certificates, leave your existing key and update the cert and chain sections.

    • If you replace the certificates, modify all three sections.

  5. Update the classes/cluster/<cluster_name>/infra/config.yml file by adding the newly created classes to the database nodes:

    openstack_database_node01:
      params:
        linux_system_codename: xenial
        deploy_address: ${_param:openstack_database_node01_deploy_address}
      classes:
      - cluster.${_param:cluster_name}.openstack.database_init
      - cluster.${_param:cluster_name}.openstack.ssl.galera_master
    openstack_database_node02:
      params:
        linux_system_codename: xenial
        deploy_address: ${_param:openstack_database_node02_deploy_address}
      classes:
      - cluster.${_param:cluster_name}.openstack.ssl.galera_slave
    openstack_database_node03:
      params:
        linux_system_codename: xenial
        deploy_address: ${_param:openstack_database_node03_deploy_address}
      classes:
      - cluster.${_param:cluster_name}.openstack.ssl.galera_slave
    
  6. Regenerate the Reclass storage:

    salt-call state.sls reclass.storage -l debug
    
  7. Refresh pillars:

    salt -C 'I@galera:master or I@galera:slave' saltutil.refresh_pillar
    
  8. Verify the certificates validity dates:

    salt -C 'I@galera:master' cmd.run 'openssl x509 \
    -in /etc/mysql/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
    salt -C 'I@galera:slave' cmd.run 'openssl x509 \
    -in /etc/mysql/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
    

    Example of system response:

    Not Before: May 30 17:21:10 2018 GMT
    Not After : May 30 17:21:10 2019 GMT
    Not Before: May 30 17:25:24 2018 GMT
    Not After : May 30 17:25:24 2019 GMT
    Not Before: May 30 17:26:52 2018 GMT
    Not After : May 30 17:26:52 2019 GMT
    
  9. Force the certificate regeneration on the Galera master node:

    salt -C 'I@galera:master' state.sls galera -l debug
    
  10. Verify the new certificates validity dates on the Galera master node:

    salt -C 'I@galera:master' cmd.run 'openssl x509 \
    -in /etc/mysql/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
    
  11. Restart the MySQL service on the Galera master node:

    salt -C 'I@galera:master' service.stop mysql
    salt -C 'I@galera:master' service.start mysql
    
  12. Verify that the Galera cluster status is up:

    salt -C 'I@galera:master' mysql.status | \
    grep -EA1 'wsrep_(local_state_c|incoming_a|cluster_size)'
    

    Example of system response:

    wsrep_cluster_size:
        3
    
    wsrep_incoming_addresses:
        192.168.2.52:3306,192.168.2.53:3306,192.168.2.51:3306
    
    wsrep_local_state_comment:
        Synced
    
  13. Force the certificate regeneration on the Galera slave nodes:

    salt -C 'I@galera:slave' state.sls galera -l debug
    
  14. Verify that the certificates validity dates have changed:

    salt -C 'I@galera:slave' cmd.run 'openssl x509 \
    -in /etc/mysql/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
    

    Example of system response:

    Not Before: Jun  4 16:14:24 2018 GMT
    Not After : Jun  4 16:14:24 2019 GMT
    Not Before: Jun  4 16:14:31 2018 GMT
    Not After : Jun  4 16:14:31 2019 GMT
    
  15. Obtain the Galera slave nodes minions IDs:

    salt -C 'I@galera:slave' test.ping --output yaml | cut -d':' -f1
    

    Example of system response:

    dbs02.multinode-ha.int
    dbs03.multinode-ha.int
    
  16. Restart the MySQL service for every Galera slave minion ID one by one. After each Galera slave minion restart, verify the Galera cluster size and status. Proceed to the next Galera slave minion restart only if the Galera cluster is synced.

    • To restart the MySQL service for a Galera slave minion:

      salt <minion_ID> service.stop mysql
      salt <minion_ID> service.start mysql
      
    • To verify the Galera cluster size and status:

      salt -C 'I@galera:master' mysql.status | \
      grep -EA1 'wsrep_(local_state_c|incoming_a|cluster_size)'
      

      Example of system response:

      wsrep_cluster_size:
          3
      
      wsrep_incoming_addresses:
          192.168.2.52:3306,192.168.2.53:3306,192.168.2.51:3306
      
      wsrep_local_state_comment:
          Synced