The rotate_certs allows a seamless upgrade of MySQL certificates (on the MySQL server side).
Table 9.36. rotate_certs Options
| Option | Description |
|---|---|
--alias, -a | Specify the new alias |
--all | Do import, restart, update and reconfig |
--copy, -c | Copy the new MySQL Certs to the other nodes, requires root ssh via sudo |
--dir, -d | Specify the directory of the certs |
--dryrun, -n | Do not execute, only display what would be run |
--end, -e | Specify the ending db number for --copy (default: 6) |
--generate, --gen, -g | Create the MySQL Certs in the directory provided |
--import, -i | Import the new MySQL certs into the four Tungsten files. |
--one | Do generate and copy |
--pattern | Specify the hostname pattern (default: db) |
--reconfig | |
--remove, --rm | Remove the certs dir first, used only with --generate |
--restart | Restart mysqld via `sudo service mysqld restart` |
--running, -r | Specify --running --force to tpm cert commands, used only with --import |
--start, -s | Specify the starting db number for --copy (default: 2) |
--systemd | WHen issuing --restart, use the systemctl syntax instead |
--update |
The update should be made one node at a time, starting with a Replica, switching to it, and then doing the other Replicas.
Examples:
On a single node:
shell>rotate_certs --one --dir /etc/mysql/certs2 --alias mysql_new -rm -n~OR~ shell>rotate_certs --generate --dir /etc/mysql/certs2 --alias mysql_new --rm -nshell>rotate_certs --copy --dir /etc/mysql/certs2 -n
On all nodes:
shell>rotate_certs --all --dir /etc/mysql/certs2 --alias mysql_new --running -n~OR~ shell>rotate_certs --import --dir /etc/mysql/certs2 --alias mysql_new --running -nshell>rotate_certs --restart --systemd -nshell>rotate_certs --update --alias mysql_new -nshell>rotate_certs --reconfig -n
Standard Workflow Summary
On a Single Node:
shell>rotate_certs --generateshell>rotate_certs --copy
On all nodes, Starting with a replica:
shell> rotate_certs --import
Edit my.cnf manually
shell>rotate_certs --restartshell>rotate_certs --updateshell>rotate_certs --reconfig
Standard Workflow Details
Database Nodes:
Generate the new mysql certs (rotate_certs --generate)
Copy the new mysql certs to all database and Connector nodes (rotate_certs --copy)
Add the new cert to four keystores/truststores (rotate_certs --import)
Update my.cnf with the new cert location (manual)
Restart mysqld on the first Replica when ready and only after the keystores have been updated on that node (rotate_certs --restart)
Switch to the above Replica, and repeat Steps 3-6 on the rest of the nodes (manual via cctrl)
Connector Nodes:
Before using the new certs on the client application side:
Update security.properties:
connector.security.keystore.alias.client.to.connector=<new_alias>
(rotate_certs --update)
Run connector reconfigure (rotate_certs --reconfig)
If applications rely on the [client] stanza in my.cnf, make sure this section is updated with the new cert locations only after the Connectors have been reconfigured (see above two steps)
Standard Workflow Notes
This procedure to be done in AUTOMATIC policy mode
After mysqld restart, the Replica being updated will briefly show as failed; this is expected and the node will be brought online automatically by the Manager.
Similarly, the Replicator will briefly show suspect, then come back online.
Once all nodes have been updated:
Update all tungsten.ini files with the new aliases
to be used by default via java_mysql_alias={NEW_ALIAS_HERE},
then run tpm update
A best practice is to remove the old alias from the keystores and truststores as this will avoid Tungsten trying too many aliases next time certs are updated. i.e. tpm cert rm ke,ts,ck,ct {OLD_ALIAS_HERE}