How to Renew Percona and Minio Certificates

Problem

The Minio and Percona pods are in CrashLoopBackOff, and the pod logs show certificate verification failures and expired-certificate errors such as the following:

{"log":"2024-10-02T09:04:27.612080Z 0 [ERROR] WSREP: handshake with remote endpoint ssl://10.20.3.13:4567 failed: asio.ssl:337047686: 'certificate verify failed' ( 337047686: 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed')","file":"/var/lib/mysql/mysqld-error.log"}
...
{"log":"2024-10-02T09:04:27.614816Z 0 [ERROR] WSREP: Provider/Node (gcomm://10.20.3.174,percona-db-pxc-db-pxc-1.percona-db-pxc-db-pxc) failed to establish connection with cluster (reason: 7)","file":"/var/lib/mysql/mysqld-error.log"}
{"level":"FATAL","errKind":"","time":"2024-10-02T07:19:49.168830203Z","message":"Get \"https://operator.minio.svc.cluster.local:4222/webhook/v1/getenv/minio/minio1?key=MINIO_ARGS\": x509: certificate has expired or is not yet valid: current time 2024-10-02T07:19:49Z is after 2024-10-01T07:16:11Z","error":{"message":"Get \"https://operator.minio.svc.cluster.local:4222/webhook/v1/getenv/minio/minio1?key=MINIO_ARGS\": x509: certificate has expired or is not yet valid: current time 2024-10-02T07:19:49Z is after 2024-10-01T07:16:11Z","source":["cmd/server-main.go:169:cmd.serverHandleCmdArgs()"]}}

Environment

  • Platform9 Edge Cloud - v5.6 [LTS2].

Procedure

The steps for the Percona certificate rotation are:

  1. Retrieve the list of secrets in the percona namespace and check the validity dates of the certificates in the two SSL secrets.

$ kubectl get secrets -n percona

$ kubectl get secret/percona-db-pxc-db-ssl -n percona -o jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -inform pem -noout -dates

$ kubectl get secret/percona-db-pxc-db-ssl-internal -n percona -o jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -inform pem -noout -dates

  2. Delete the Percona DB SSL secrets. (Note: no new secrets are created at this step.)

  3. Get the list of Helm deployments and make a note of the chart name used for percona-db.

  4. Perform the helm upgrade for Percona DB.

  5. The deleted secrets are recreated by the upgrade and the certificates are renewed. Verify this by repeating the openssl checks from step 1 and confirming the new validity dates.

The steps for the Minio certificate rotation are:

  1. Check the list of secrets in the Minio namespace and verify the certificate validity.

  2. Restart the nodeletd stack on each master node of the management cluster, one node at a time.

Info

The stack restart is mandatory because it refreshes the CA that signs the Minio certificates; without it the regenerated certificates would be issued by the stale CA.

  3. Disable requestAutoCert in the Minio tenant (set requestAutoCert to false).

  4. List the Minio secrets:

  5. Delete the existing Minio certificate secrets:

  6. List the CSRs:

  7. Delete the Minio CSR:

  8. Enable requestAutoCert in the Minio tenant again (set requestAutoCert to true).

  9. The minio-tls and operator secrets, which the Minio pods use, are regenerated. Check the certificate validity again.
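The certificate check that opens both procedures (step 1 for Percona and step 1 for Minio) and the requestAutoCert disable/enable steps of the Minio procedure, as an added shell example. This is not Platform9's own script: it assumes kubectl, openssl and a working cluster context; the namespace name minio and tenant name minio1 are taken from the log message above and are assumptions, and the helper names (cert_status, audit_namespace, tenant_autocert_patch, minio_set_autocert) are invented here. audit_namespace goes beyond the two hard-coded secrets in the page: it walks every secret in a namespace that carries a tls.crt and classifies each certificate as expired, expiring within WARN_DAYS, or ok, using openssl x509 -checkend so it does not depend on GNU date parsing. The Percona secret deletion and helm upgrade are deliberately not scripted, because the chart reference is site-specific.

```shell
#!/usr/bin/env bash
# Added example, not part of the Platform9 article: audit the TLS secrets in a
# namespace for expiry and toggle spec.requestAutoCert on a MinIO Tenant.
set -eu

WARN_DAYS="${WARN_DAYS:-30}"   # warn when a certificate expires within this many days

# cert_status PEMFILE [WARN_DAYS]
# Prints "unreadable", "expired", "expiring" or "ok" for the first certificate in PEMFILE.
# `openssl x509 -checkend N` exits non-zero when the certificate expires within the
# next N seconds, so -checkend 0 answers "is it already expired?" without date parsing.
cert_status() {
    local pem="$1" warn_seconds
    warn_seconds=$(( ${2:-$WARN_DAYS} * 86400 ))
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$pem" -noout -checkend "$warn_seconds" >/dev/null; then
        echo expiring
    else
        echo ok
    fi
}

# audit_namespace NAMESPACE
# For every secret in NAMESPACE that has a tls.crt entry, decode it and print
# name, status, notAfter and issuer. Only the first (leaf) certificate of a
# chain is examined, which is also what the page's `openssl x509 -dates` reads.
audit_namespace() {
    local ns="$1" tmp
    tmp=$(mktemp)
    kubectl get secrets -n "$ns" \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.data.tls\.crt}{"\n"}{end}' |
    while IFS="$(printf '\t')" read -r name crt; do
        [ -n "$crt" ] || continue                      # secret has no tls.crt
        printf '%s' "$crt" | base64 --decode > "$tmp"
        status=$(cert_status "$tmp")
        if [ "$status" = unreadable ]; then
            printf '%-40s %s\n' "$name" "$status"
            continue
        fi
        enddate=$(openssl x509 -in "$tmp" -noout -enddate | cut -d= -f2)
        issuer=$(openssl x509 -in "$tmp" -noout -issuer | cut -d= -f2-)
        printf '%-40s %-9s expires %s  issuer:%s\n' "$name" "$status" "$enddate" "$issuer"
    done
    rm -f "$tmp"
}

# tenant_autocert_patch true|false
# Builds the merge-patch body that flips spec.requestAutoCert on a Tenant resource.
tenant_autocert_patch() {
    case "$1" in
        true|false) printf '{"spec":{"requestAutoCert":%s}}' "$1" ;;
        *) echo "tenant_autocert_patch: expected true or false, got '$1'" >&2; return 1 ;;
    esac
}

# minio_set_autocert NAMESPACE TENANT true|false
# The "disable requestAutoCert" / "enable requestAutoCert" steps of the Minio
# procedure, applied to the MinIO operator's Tenant custom resource (minio.min.io).
# Namespace "minio" and tenant "minio1" are assumed from the log line in the article.
minio_set_autocert() {
    kubectl patch tenant "$2" -n "$1" --type merge -p "$(tenant_autocert_patch "$3")"
}

# Example invocations, only when AUDIT_NS is set so the file can also be sourced:
#   AUDIT_NS=percona bash audit.sh
#   AUDIT_NS=minio   bash audit.sh
#   minio_set_autocert minio minio1 false   # before deleting the secrets and CSR
#   minio_set_autocert minio minio1 true    # after, to trigger regeneration
if [ -n "${AUDIT_NS:-}" ]; then
    audit_namespace "$AUDIT_NS"
fi
```

Run the audit against the percona and minio namespaces before and after rotation: before, the secrets named in the page should show "expired"; after the helm upgrade (Percona) or the requestAutoCert toggle (Minio), the same secrets should show "ok" with a fresh notAfter date. Secrets whose tls.crt is not a PEM certificate are reported as unreadable rather than silently skipped, so a mislabelled secret is noticed.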

Additional Information

The Platform9 team has filed internal Jira tickets AIR-1401 (Minio certificate issue) and AIR-1402 (Percona certificate rotation issue). For the ETA of the fix and the release version, contact the support team and mention the Jira ID.
