Renew or replace the self-managed MySQL/Galera certificates

This section describes how to renew or replace the self-managed MySQL/Galera certificates.

To renew or replace the self-managed MySQL/Galera certificates:

  1. Log in to the Salt Master node.

  2. Create the classes/cluster/<cluster_name>/openstack/ssl/galera_master.yml file with the following configuration as an example:

    classes:
    - cluster.<cluster_name>.openstack.ssl
    parameters:
      galera:
        master:
          ssl:
            enabled: True
            cacert_chain: ${_param:galera_ssl_cacert_chain}
            key: ${_param:galera_ssl_key}
            cert: ${_param:galera_ssl_cert}
            ca_file: ${_param:mysql_ssl_ca_file}
            key_file: ${_param:mysql_ssl_key_file}
            cert_file: ${_param:mysql_ssl_cert_file}
    

    Note

    Substitute <cluster_name> with the appropriate value.

  3. Create the classes/cluster/<cluster_name>/openstack/ssl/galera_slave.yml file with the following configuration as an example:

    classes:
    - cluster.<cluster_name>.openstack.ssl
    parameters:
      galera:
        slave:
          ssl:
            enabled: True
            cacert_chain: ${_param:galera_ssl_cacert_chain}
            key: ${_param:galera_ssl_key}
            cert: ${_param:galera_ssl_cert}
            ca_file: ${_param:mysql_ssl_ca_file}
            key_file: ${_param:mysql_ssl_key_file}
            cert_file: ${_param:mysql_ssl_cert_file}
    

    Note

    Substitute <cluster_name> with the appropriate value.

  4. Create the classes/cluster/<cluster_name>/openstack/ssl/init.yml file with the following configuration as an example:

    parameters:
      _param:
        mysql_ssl_key_file: /etc/mysql/ssl/key.pem
        mysql_ssl_cert_file: /etc/mysql/ssl/cert.pem
        mysql_ssl_ca_file: /etc/mysql/ssl/ca.pem
        galera_ssl_cacert_chain: |
          -----BEGIN CERTIFICATE-----
          MIIF0TCCA7mgAwIBAgIJAOkTQnjLz6rEMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
          ...
          RHXc4FoWv9/n8ZcfsqjQCjF3vUUZBB3zdlfLCLJRruB4xxYukc3gFpFLm21+0ih+
          M8IfJ5I=
          -----END CERTIFICATE-----
        galera_ssl_key: |
          -----BEGIN RSA PRIVATE KEY-----
          MIIJKQIBAAKCAgEArVSJ16ePjCik+6bZBzhiu3enXw8R9Ms1k4x57633IX1sEZTJ
          ...
          0VgM2bDSNyUuiwCbOMK0Kyn+wGeHF/jGSbVsxYI4OeLFz8gdVUqm7olJj4j3xemY
          BlWVHRa/dEG1qfSoqFU9+IQTd+U42mtvvH3oJHEXK7WXzborIXTQ/08Ztdvy
          -----END RSA PRIVATE KEY-----
        galera_ssl_cert: |
          -----BEGIN CERTIFICATE-----
          MIIGIDCCBAigAwIBAgIJAJznLlNteaZFMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
          ...
          MfXPTUI+7+5WQLx10yavJ2gOhdyVuDVagfUM4epcriJbACuphDxHj45GINOGhaCd
          UVVCxqnB9qU16ea/kB3Yzsrus7egr9OienpDCFV2Q/kgUSc7
          -----END CERTIFICATE-----
    

    Note

    Modify the example above by adding your certificates and key:

    • If you renew the certificates, leave your existing key and update the cert and chain sections.
    • If you replace the certificates, modify all three sections.

  5. Update the classes/cluster/<cluster_name>/infra/config.yml file by adding the newly created classes to the database nodes:

    openstack_database_node01:
      params:
        linux_system_codename: xenial
        deploy_address: ${_param:openstack_database_node01_deploy_address}
      classes:
      - cluster.${_param:cluster_name}.openstack.database_init
      - cluster.${_param:cluster_name}.openstack.ssl.galera_master
    openstack_database_node02:
      params:
        linux_system_codename: xenial
        deploy_address: ${_param:openstack_database_node02_deploy_address}
      classes:
      - cluster.${_param:cluster_name}.openstack.ssl.galera_slave
    openstack_database_node03:
      params:
        linux_system_codename: xenial
        deploy_address: ${_param:openstack_database_node03_deploy_address}
      classes:
      - cluster.${_param:cluster_name}.openstack.ssl.galera_slave
    
  6. Regenerate the Reclass storage:

    salt-call state.sls reclass.storage -l debug
    
  7. Refresh pillars:

    salt -C 'I@galera:master or I@galera:slave' saltutil.refresh_pillar
    
  8. Verify the validity dates of the certificates:

    salt -C 'I@galera:master' cmd.run 'openssl x509 \
    -in /etc/mysql/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
    salt -C 'I@galera:slave' cmd.run 'openssl x509 \
    -in /etc/mysql/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
    

    Example of system response:

    Not Before: May 30 17:21:10 2018 GMT
    Not After : May 30 17:21:10 2019 GMT
    Not Before: May 30 17:25:24 2018 GMT
    Not After : May 30 17:25:24 2019 GMT
    Not Before: May 30 17:26:52 2018 GMT
    Not After : May 30 17:26:52 2019 GMT
    
  9. Force the certificate regeneration on the Galera master node:

    salt -C 'I@galera:master' state.sls galera -l debug
    
  10. Verify the validity dates of the new certificates on the Galera master node:

    salt -C 'I@galera:master' cmd.run 'openssl x509 \
    -in /etc/mysql/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
    
  11. Restart the MySQL service on the Galera master node:

    salt -C 'I@galera:master' service.stop mysql
    salt -C 'I@galera:master' service.start mysql
    
  12. Verify that the Galera cluster status is up:

    salt -C 'I@galera:master' mysql.status | \
    grep -EA1 'wsrep_(local_state_c|incoming_a|cluster_size)'
    

    Example of system response:

    wsrep_cluster_size:
        3
    
    wsrep_incoming_addresses:
        192.168.2.52:3306,192.168.2.53:3306,192.168.2.51:3306
    
    wsrep_local_state_comment:
        Synced
    
  13. Force the certificate regeneration on the Galera slave nodes:

    salt -C 'I@galera:slave' state.sls galera -l debug
    
  14. Verify that the validity dates of the certificates have changed:

    salt -C 'I@galera:slave' cmd.run 'openssl x509 \
    -in /etc/mysql/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
    

    Example of system response:

    Not Before: Jun  4 16:14:24 2018 GMT
    Not After : Jun  4 16:14:24 2019 GMT
    Not Before: Jun  4 16:14:31 2018 GMT
    Not After : Jun  4 16:14:31 2019 GMT
    
  15. Obtain the minion IDs of the Galera slave nodes:

    salt -C 'I@galera:slave' test.ping --output yaml | cut -d':' -f1
    

    Example of system response:

    dbs02.multinode-ha.int
    dbs03.multinode-ha.int
    
  16. Restart the MySQL service for every Galera slave minion ID one by one. After each Galera slave minion restart, verify the Galera cluster size and status. Proceed to the next Galera slave minion restart only if the Galera cluster is synced.

    • To restart the MySQL service for a Galera slave minion:

      salt <minion_ID> service.stop mysql
      salt <minion_ID> service.start mysql
      
    • To verify the Galera cluster size and status:

      salt -C 'I@galera:master' mysql.status | \
      grep -EA1 'wsrep_(local_state_c|incoming_a|cluster_size)'
      

      Example of system response:

      wsrep_cluster_size:
          3
      
      wsrep_incoming_addresses:
          192.168.2.52:3306,192.168.2.53:3306,192.168.2.51:3306
      
      wsrep_local_state_comment:
          Synced
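
Steps 8, 10 and 14 only compare validity dates. The following check is an added example, not part of the original procedure: before the MySQL restarts in steps 11 and 16 it verifies on a node that the certificate chains to the deployed CA file, that it was issued for the private key on disk (the key is kept on renewal, so a certificate for a different key is the typical mistake) and that it does not expire soon. It assumes the page's /etc/mysql/ssl/{ca,cert,key}.pem layout and, for an offline run, builds a throwaway CA in a temporary directory; the MIN_DAYS threshold and the sample names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original procedure: sanity-check a renewed or
# replaced MySQL/Galera certificate set before MySQL is restarted. It verifies
# that the cert chains to the CA file, that the cert was issued for the private
# key on disk (the key is kept on renewal, so a cert for another key is a classic
# mistake) and that the cert stays valid for at least MIN_DAYS more days.
MIN_DAYS=${MIN_DAYS:-30}

# check_galera_ssl CA_FILE CERT_FILE KEY_FILE -> returns 0 only if all checks pass
check_galera_ssl() {
    ca=$1; cert=$2; key=$3
    # 1. the certificate must verify against the CA chain deployed next to it
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
    # 2. the public key in the certificate must equal the private key's public part
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $cert was not issued for $key" >&2; return 1; }
    # 3. the certificate must not expire within MIN_DAYS (-checkend takes seconds)
    openssl x509 -in "$cert" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null || {
        echo "FAIL: $cert expires within $MIN_DAYS days" >&2; return 1; }
    echo "OK: $cert chains to $ca, matches $key, valid for more than $MIN_DAYS days"
}

# Constructed sample data (not real cluster material): a throwaway CA, a server
# key and a cert signed for DAYS days, plus a second key the cert was NOT issued
# for, so the checks can run offline. Usage: make_sample DIR DAYS
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/cakey.pem" \
        -out "$d/ca.pem" -subj "/CN=galera-sample-ca" -days 3650 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/req.pem" \
        -subj "/CN=dbs01.sample.invalid" >/dev/null 2>&1
    openssl x509 -req -in "$d/req.pem" -CA "$d/ca.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -out "$d/cert.pem" -days "$2" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/otherkey.pem" >/dev/null 2>&1
}

# Stand-alone run against the constructed sample; on a database node call
# check_galera_ssl /etc/mysql/ssl/ca.pem /etc/mysql/ssl/cert.pem /etc/mysql/ssl/key.pem
SAMPLE=$(mktemp -d) && make_sample "$SAMPLE" 365 \
    && check_galera_ssl "$SAMPLE/ca.pem" "$SAMPLE/cert.pem" "$SAMPLE/key.pem"
```

A non-zero exit from check_galera_ssl on any node means the pillar data from step 4 is inconsistent and the restart in step 11 or 16 should not proceed.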