Chapter 4. Renewing a node certificate

Each cluster node has a certificate that authenticates it to the cluster. That certificate gets created as part of the process that sets up a new node. All node certificates have an expiration date. The node certificate's creation time and expiration date are shown by the status command:

[root@octopus ~]# stasher
Ready, EOF to exit.
> admin
Connected to objrepo.example.com, node octopus.objrepo.example.com.
Maximum 20 objects, 64 Mb aggregate object size, per transaction.
Maximum 10 concurrent subscriptions.
octopus> status

... long output deleted ...

listener(octopus.objrepo.example.com) (thread 0x00007f73f6ffd700):
    Node certificate: subject `CN=octopus.objrepo.example.com,OU=object reposito
ry (created on 2012-03-17 16:13:05 EDT),O=node', issuer `CN=objrepo.example.com,
OU=object repository (created on 2012-03-17 16:12:05 EDT),O=cluster', RSA key 24
32 bits, signed using RSA-SHA256, activated `2012-03-17 20:13:05 UTC', expires `
2013-03-27 20:13:05 UTC', SHA-1 fingerprint `9be3e4f42a32d5a0789d67d51df60a48df6
18f74'

... long output deleted ...

octopus> [EOF, CTRL-D]
[root@octopus ~]# 

A new node certificate must get created before the expiration date shown in the "expires" field of the status output above. This is a straightforward process if the cluster certificates are on the same machine as the cluster node whose certificate is getting renewed:

[root@octopus ~]# stashermg --nodekey --generate /var/stasher/nodes/objrepo.example.com /var/stasher/clusters/objrepo.example.com
Generating new key...
+++++
.......+++++
Connected to /var/stasher/nodes/objrepo.example.com, checking existing certificates
Updating cluster certificates
Certificate installed, connecting to server
Certificate reloaded
[root@octopus ~]# 

In this example, the renewing node is octopus in the directory /var/stasher/nodes/objrepo.example.com, and the cluster certificate directory is /var/stasher/clusters/objrepo.example.com, on the same machine. The successful installation of the new certificate can be verified by running the status command again and checking its output.

[root@octopus ~]# stasher
Ready, EOF to exit.
> admin
Connected to objrepo.example.com, node octopus.objrepo.example.com.
Maximum 20 objects, 64 Mb aggregate object size, per transaction.
Maximum 10 concurrent subscriptions.
octopus> status

... long output deleted ...

listener(octopus.objrepo.example.com) (thread 0x00007f73f6ffd700):
    Node certificate: subject `CN=octopus.objrepo.example.com,OU=object reposito
ry (created on 2012-03-25 21:53:59 EDT),O=node', issuer `CN=objrepo.example.com,
OU=object repository (created on 2012-03-17 16:12:05 EDT),O=cluster', RSA key 24
32 bits, signed using RSA-SHA256, activated `2012-03-26 01:53:59 UTC', expires `
2013-04-05 01:53:59 UTC', SHA-1 fingerprint `708f1cfedc1378783ef1f571939197a43a0
7464e'

... long output deleted ...

octopus> [EOF, CTRL-D]
[root@octopus ~]# 

By default, node certificates are good for a year. For this example, the certificate was renewed 51 weeks earlier.
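The two status outputs above contain everything needed to monitor a node certificate: its expiration date and its SHA-1 fingerprint. The following is an added example, not part of the stasher documentation or the stasher code base, that parses the "Node certificate:" line of the status output, flags certificates that expire within a chosen number of days, and confirms a renewal by checking that the fingerprint changed and the expiration date moved later. The sample status text is constructed from the page's own output with each certificate line unwrapped onto a single line (the page hard-wraps them at 80 columns for display); the listener names, the 30-day warning threshold and the "now" timestamp are assumptions for the example.

```python
import re
from datetime import datetime, timezone

# Constructed samples, taken from the two status outputs shown above (before
# and after renewal) with each "Node certificate:" line unwrapped onto one
# line; the page hard-wraps them at 80 columns for display only.
STATUS_BEFORE = """\
listener(octopus.objrepo.example.com) (thread 0x00007f73f6ffd700):
    Node certificate: subject `CN=octopus.objrepo.example.com,OU=object repository (created on 2012-03-17 16:13:05 EDT),O=node', issuer `CN=objrepo.example.com,OU=object repository (created on 2012-03-17 16:12:05 EDT),O=cluster', RSA key 2432 bits, signed using RSA-SHA256, activated `2012-03-17 20:13:05 UTC', expires `2013-03-27 20:13:05 UTC', SHA-1 fingerprint `9be3e4f42a32d5a0789d67d51df60a48df618f74'
"""

STATUS_AFTER = """\
listener(octopus.objrepo.example.com) (thread 0x00007f73f6ffd700):
    Node certificate: subject `CN=octopus.objrepo.example.com,OU=object repository (created on 2012-03-25 21:53:59 EDT),O=node', issuer `CN=objrepo.example.com,OU=object repository (created on 2012-03-17 16:12:05 EDT),O=cluster', RSA key 2432 bits, signed using RSA-SHA256, activated `2012-03-26 01:53:59 UTC', expires `2013-04-05 01:53:59 UTC', SHA-1 fingerprint `708f1cfedc1378783ef1f571939197a43a07464e'
"""

# A listener header names the node; the certificate line that follows it
# carries the activation time, expiration time and fingerprint.
LISTENER_RE = re.compile(r"^listener\(([^)]+)\)")
CERT_RE = re.compile(
    r"Node certificate: .*?activated `(?P<activated>[^']+)', "
    r"expires `(?P<expires>[^']+)', SHA-1 fingerprint `(?P<fp>[0-9a-f]+)'"
)


def parse_ts(text):
    """The status output prints timestamps as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_node_certificates(status_text):
    """Map each listener name to its certificate's activation, expiry and fingerprint."""
    certs = {}
    listener = None
    for line in status_text.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            listener = m.group(1)
            continue
        m = CERT_RE.search(line)
        if m and listener is not None:
            certs[listener] = {
                "activated": parse_ts(m.group("activated")),
                "expires": parse_ts(m.group("expires")),
                "fingerprint": m.group("fp"),
            }
    return certs


def expiring_within(status_text, now, warn_days=30):
    """Listeners whose certificate expires within warn_days of now, with days remaining."""
    flagged = {}
    for name, cert in parse_node_certificates(status_text).items():
        remaining = (cert["expires"] - now).total_seconds() / 86400
        if remaining <= warn_days:
            flagged[name] = remaining
    return flagged


def renewal_succeeded(before_text, after_text, listener):
    """True when the listener now reports a different certificate that expires later."""
    old = parse_node_certificates(before_text).get(listener)
    new = parse_node_certificates(after_text).get(listener)
    if old is None or new is None:
        return False
    return new["fingerprint"] != old["fingerprint"] and new["expires"] > old["expires"]


if __name__ == "__main__":
    # Assumed "now": 26 days before the original certificate expires.
    now = parse_ts("2013-03-01 20:13:05 UTC")
    print("needs renewal:", expiring_within(STATUS_BEFORE, now))
    print("renewed:", renewal_succeeded(STATUS_BEFORE, STATUS_AFTER,
                                        "octopus.objrepo.example.com"))
```

In practice the status text would be captured from the stasher admin session shown above and checked on a schedule, so that the "expires" date is never reached without a renewal; comparing fingerprints before and after stashermg --nodekey --generate is a stricter check than eyeballing the date, since a re-run that installed nothing leaves the fingerprint unchanged.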

When the expiring certificate is on another machine, the process is similar, as long as:

Pass an additional --name parameter to stashermg giving the name of the other node:

[root@octopus ~]# stashermg --nodekey --generate --name monster /var/stasher/nodes/objrepo.example.com /var/stasher/clusters/objrepo.example.com
Generating new key...
...............+++++
.+++++
Certificate installed on monster.objrepo.example.com
[root@octopus ~]# 

stashermg connects to the node on this machine. The node forwards the newly generated certificate to its peer, which installs it and starts using it. Use the status command on the other node to verify that the certificate was installed and is active.

[root@octopus ~]# stashermg --nodekey --generate --name cthulhu /var/stasher/nodes/objrepo.example.com /var/stasher/clusters/objrepo.example.com
Generating new key...
..................+++++
.....+++++
No connection with cthulhu.objrepo.example.com
[root@octopus ~]# 

This error message means that there is no such node in the cluster, or that the node exists but is not currently connected to the cluster.

If the other machine is not connected to the cluster, or if the underlying network transport is not secure, follow the process for creating a new cluster node with the same name, then copy the resulting certificate to the other machine's node directory. Run stashermg --certload, if necessary.
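The remote renewal above has two visible outcomes, "Certificate installed on ..." and "No connection with ...", and an operator automating renewals has to tell them apart rather than assume success. The following is an added example, not part of the stasher documentation or the stasher code base, that builds the stashermg command lines shown on this page and classifies the tool's output so that the "No connection with" case is routed to the manual fallback described above. The sample outputs are copied from the page; the assumption that stashermg is on PATH, the FakeProcess stand-in used to run the flow offline, and the classification by message text (the page does not document an exit status) are this example's own.

```python
import subprocess

STASHERMG = "stashermg"  # assumed to be on PATH on the node running the renewal

# Constructed samples of stashermg output, copied from the page: a remote
# renewal that succeeded, and one that could not reach the named node.
OUTPUT_INSTALLED = (
    "Generating new key...\n...............+++++\n.+++++\n"
    "Certificate installed on monster.objrepo.example.com\n"
)
OUTPUT_NO_CONNECTION = (
    "Generating new key...\n..................+++++\n.....+++++\n"
    "No connection with cthulhu.objrepo.example.com\n"
)

# What the operator should do next for each outcome, per the text above.
NEXT_STEP = {
    "installed": "run the status command on the renewed node and confirm the new certificate is active",
    "no_connection": "node unknown or not connected: create a node with the same name, copy the "
                     "certificate to its node directory, then run stashermg --certload if necessary",
    "unknown": "inspect the stashermg output by hand before retrying",
}


def build_renew_command(node_dir, cluster_dir, node_name=None):
    """The command lines shown on this page: --name is added only when renewing a peer."""
    cmd = [STASHERMG, "--nodekey", "--generate"]
    if node_name is not None:
        cmd += ["--name", node_name]
    return cmd + [node_dir, cluster_dir]


def classify_output(output):
    """Decide the outcome from the messages stashermg prints."""
    if "No connection with" in output:
        return "no_connection"
    if "Certificate installed on" in output or "Certificate reloaded" in output:
        return "installed"
    return "unknown"


class FakeProcess:
    """Stand-in for subprocess.CompletedProcess so the flow can be exercised offline."""

    def __init__(self, stdout, returncode=0):
        self.stdout, self.stderr, self.returncode = stdout, "", returncode


def renew_node_certificate(node_dir, cluster_dir, node_name=None, run=subprocess.run):
    """Run the renewal and return (outcome, next step); 'run' is injectable for testing."""
    cmd = build_renew_command(node_dir, cluster_dir, node_name)
    proc = run(cmd, capture_output=True, text=True)
    outcome = classify_output((proc.stdout or "") + (proc.stderr or ""))
    return outcome, NEXT_STEP[outcome]


if __name__ == "__main__":
    # Offline demonstration using the page's recorded output for cthulhu.
    fake = lambda cmd, **kw: FakeProcess(OUTPUT_NO_CONNECTION)
    print(renew_node_certificate("/var/stasher/nodes/objrepo.example.com",
                                 "/var/stasher/clusters/objrepo.example.com",
                                 "cthulhu", run=fake))
```

Keying the decision on the printed messages is deliberate: the page shows that a failed remote renewal still prints "Generating new key..." and the key-generation progress dots, so anything short of the "Certificate installed on" line must be treated as not installed, and the renewal verified on the peer with the status command before the old certificate is allowed to expire.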